This is what I'm thinking. They could reasonably be unable to divulge your secret to a fourth party. The decryption could even be done client-side. They just generate a pair of (encrypted-secret, key). They store encrypted-secret and send you a pointer to it and the key, then destroy the key on their side.