How We Protect Your Data

Your information is deeply personal. We built this vault to be as private as a handwritten note locked in a safe — except it's protected by military-grade encryption.

End-to-End Encryption

When you create a vault, we generate a unique passphrase with approximately 73 bits of entropy — strong enough to resist brute-force attacks. This passphrase is used to derive an encryption key using Argon2id, a memory-hard key derivation function that's resistant to GPU and ASIC attacks. Your data is then encrypted using XChaCha20-Poly1305, a modern authenticated encryption algorithm used in secure messaging apps and cryptographic protocols worldwide.

The critical point: encryption happens entirely in your browser. Your passphrase and unencrypted data never leave your device. We only receive and store the encrypted result — a scrambled block of data that is meaningless without your passphrase.

Zero Tracking. Zero Analytics.

We don't use Google Analytics. We don't use Facebook Pixel. We don't use any third-party tracking scripts. We don't fingerprint your browser. We don't store your IP address.

There are no cookies tracking your behavior. There are no invisible pixels watching what you do. There is no advertising network building a profile of you.

We don't even know how many people use this service, because we don't count. Your privacy is more important than our metrics.

No Account Required

You don't need to give us your email address. You don't need to create a username. You don't need to verify your identity. Your passphrase is your only key, and your only connection to your vault.

This means there's no "forgot password" button, no password reset email, and no way for us to help you if you lose your passphrase. But it also means there's no way for anyone — including us — to access your data without it.

Technical Details

• Key Derivation: Argon2id (memory-hard, GPU/ASIC resistant)
• Encryption: XChaCha20-Poly1305 (authenticated encryption)
• Key Wrapping: Two-tier hierarchy (KEK wraps DEK)
• Salt: 16 random bytes, unique per vault
• Nonce: 24 random bytes, regenerated on each save
• Passphrase Entropy: ~73 bits (6 words + 4 digits)
• Cryptography Library: libsodium (audited, widely trusted)

We use libsodium, the most widely-used and thoroughly-audited cryptographic library available. All sensitive key material is securely zeroed from memory after use to prevent extraction.

Rate Limiting & Abuse Prevention

To protect against brute-force attacks and abuse, we implement rate limiting on all API endpoints. This prevents attackers from making unlimited guesses at vault IDs or overwhelming our servers with requests.

Security Headers

We enforce strict security headers including Content Security Policy (CSP), HTTP Strict Transport Security (HSTS), and protection against clickjacking and MIME-type attacks. These headers provide defense-in-depth against common web vulnerabilities.

What We Store

Our database contains exactly three things for each vault:

• A random vault ID (not connected to you in any way)
• The encrypted data (unreadable without your passphrase)
• The salt and IV needed for decryption (useless without the passphrase)

That's it. No names. No emails. No usage logs. No access records.

A Guide, Not a Replacement

This vault is designed to be a roadmap for your loved ones — a way to help them find what they need during a difficult time. It should point them to where your important documents are stored, not replace those documents.

Original documents like wills, deeds, titles, powers of attorney, and insurance policies should always be kept in secure physical locations: a fireproof safe, a safe deposit box, or with your attorney. Use this vault to tell your family where to find them.