Well, you are assuming way too much here. I fully understand how secure a private key is when someone uses PGP correctly. In fact, I have made it my personal business to understand how PGP works at a very deep level and have been using it since Zimmermann "accidentally" caused its release to the internet. However, you cannot get around the fact that you are in possession of an individual's private key. On a straight security assessment that is a completely unacceptable practice and always will be. You may not be able to break it at your level, but if you are forced to turn your encrypted database over to the Government that is an entirely different story (i.e. Lavabit).

I stand behind my position that any service that requires an individual's PGP secret key should be strictly avoided. You say that no organization has been able to decrypt your users' private keys? How does the user know that? They don't. The only way to be sure is for you to never have a given individual's private key in the first place.

I am incredibly strongly opinionated on this topic. If I come off too pushy, I apologize in advance. I will defend the sheer stupidity of any individual trusting his/her private key to ANY company until the end of time. No one gets my private key, period, even for the briefest moment. An air-gapped machine running PGP, albeit possibly extreme, with no network connectivity is one of the few ways to be certain your private key is safe. We are in a day and age when companies cannot be trusted. Counter-mail's word is honestly not good enough. This is very, very hard for you to defend on a straight security analysis. For any question, refer to Bruce Schneier's blog.

The only area I could give ground on is if it were possible for Counter-mail to do what it does with a person's public key only. In truth, I haven't studied your service in depth enough to make that determination.