How we built a vault we can't read.

The 1Password model, applied to estate planning

1Password popularized a security architecture where the user's secret material is split between something they remember (a passphrase) and something they have (a printed Secret Key). The two are combined locally to derive a master encryption key. That key never leaves the device, and the vendor never sees either input.

We apply the same architecture to estate-planning data — wills, beneficiary allocations, asset inventories, family records — that other vault products store in plaintext-readable form on their own servers.

How your master key is derived

The salt is per-vault and stored alongside the vault — it's not secret. The 128-bit Secret Key plus the 100,000 PBKDF2 iterations together make brute-forcing the passphrase impractical even if an attacker has the encrypted file.

All vault data is then encrypted with AES-256-GCM using the master key. Each field carries its own random IV, and GCM's authentication tag prevents tampering.

What we store on our servers

Nothing — unless you opt into our paid Storage tier (which uses Cloudflare R2, and even then your documents are encrypted client-side before upload).

• Your passphrase — nowhere. Used transiently during key derivation, then discarded.
• Your Secret Key — only in your printed Emergency Kit PDF.
• Your master key — derived in memory at unlock time, garbage-collected on lock.
• Your vault file — AES-GCM ciphertext, optionally synced to your Google Drive.

What this protects against

• A breach of our servers can't expose your data, because your data isn't on our servers. Only the encrypted file is, and only if you opt in.
• An employee of ours can't read your vault — even if they were paid, threatened, or compromised.
• A court order or subpoena can't compel us to hand over your data, because we genuinely don't have it.
• Social engineering can't trick us into unlocking your vault for someone pretending to be you — there's no unlocking ceremony for us to perform.

What it can't protect against

Losing both your passphrase and your Emergency Kit. If both are gone, the vault cannot be unlocked — by you, by us, or by anyone. There is no reset link, no support ticket, no recovery code we hold. This is the price of zero-custody and we're upfront about it.

Mitigations: register a passkey on your trusted devices (a third unlock path that wraps the master key locally), print two copies of the Emergency Kit and store them separately, and store your passphrase in a password manager that's not in the same place as the kit.

How to verify our claims

Don't take our word for it. Open the network panel in any browser inspector and watch what the vault sends — encrypted blobs, never plaintext. Inspect the Emergency Kit PDF and you'll see your own Secret Key printed there, and nowhere else. Lock the vault and search the database files on your device for any of your asset names — they won't be there.