HHostSSH
All posts
Visionlicenselock-inportability

Why your data should never be held hostage (the HostSSH license guarantee)

Most platforms make leaving expensive on purpose. HostSSH writes the opposite into its license: an open format, an always-available export, and a guarantee that works even if the company doesn't.

Sevak Girard· Founder, Girard Media·Jun 21, 2026·4 min read

Lock-in is rarely an accident. The friction you feel when you try to leave a platform — the proprietary snapshot format, the export that's missing half the system, the support queue that goes quiet the moment you mention "migration" — is usually a feature, working as designed. A customer who can't leave doesn't have to be kept happy.

HostSSH is built on the opposite bet: that the way to earn a long relationship is to make leaving trivial and prove it constantly. That's not just a value statement. It's written into the license guarantee.

What "held hostage" really means

Being held hostage isn't about a vendor refusing to give your data back. Modern platforms rarely do anything that crude. The hostage situation is subtler, and it shows up in three places.

The format you can't read

Your "backup" is a proprietary blob that only the vendor's tooling can open. You technically possess your data and can do nothing with it. Possession without readability is not ownership.

The export that isn't whole

You can download the database, but not the wiring around it — the service config, the volumes, the secrets, the reverse-proxy rules. You get the contents of the house and none of the plumbing, so reconstructing the system elsewhere is a weekend of archaeology.

The keys someone else holds

Even an open, complete export means little if the provider holds the encryption keys and can revoke access. Custody, not just possession, is what determines whether your data is truly yours.

The three promises in the guarantee

The HostSSH license turns "you own your data" from a slogan into specific, enforceable commitments.

1. The format is open and documented

Every server is captured into a single .hsi image whose format is published and stable. You don't need HostSSH to read it. The spec is open precisely so that, in the worst case, your images outlive your relationship with us. An open format is the difference between a backup and a bet on a company's longevity.

2. The export is always available and complete

You can capture and download a full .hsi — brain, every database, object storage, volumes, and secrets custody — at any time, without asking, without a support ticket, without a notice period. There's no "export mode" you have to request and no degraded free-tier version of your own data. The complete system is one click away on your worst day, not just your best one.

3. The keys are yours

Images are encrypted before they leave the host, and you choose the custody model:

  • agent-local — keys never leave your server.
  • zero-knowledge — encrypted such that HostSSH mathematically cannot read your images.
  • escrow — we hold an encrypted copy so we can help you recover, a trade-off you opt into explicitly.

In every model, the default posture is that we hold ciphertext, not plaintext. The guarantee isn't "we promise not to look" — it's "we built it so looking isn't an option we have."

A guarantee that survives the company

Here's the part most "we'll never lock you in" promises quietly skip: what happens if the vendor disappears? A guarantee that depends on the company still being around to honor it isn't much of a guarantee.

The HostSSH design is company-independent by construction. Because the format is open and documented, and because your images already live in your own bucket under your own keys, your ability to restore doesn't route through us at all. If HostSSH vanished tomorrow, your .hsi images would still be readable, still complete, and still restorable on any box you control. The exit doesn't depend on our permission, our servers, or our continued existence.

Why give up the leverage?

The honest question is: why would a platform deliberately surrender its strongest retention lever? Because lock-in retention is fake retention. It keeps customers who want to leave, which is a slow way to build a reputation as the thing people warn each other about.

We'd rather keep the customers who choose to stay because the product is good and the trust is real — and let the door stay wide open for everyone else. Your data, your bucket, your keys, your exit. Always, and in writing.