Security

How we protect your most sensitive information.

End-to-end encryption

Your vault data is encrypted in your browser before it ever reaches our servers. We use AES-256-GCM for data encryption with a random master key, protected by a key derived from your recovery phrase using PBKDF2-SHA256 with a high iteration count following OWASP guidelines. We cannot read your data. Only you can.

If you lose your recovery phrase, your encrypted data is permanently inaccessible. There is no backdoor, no reset, and no way for us to recover it on your behalf. This is by design.

European data hosting

All data is stored on servers in the European Union, subject to GDPR and strong privacy protections. Data is encrypted at rest, encrypted in transit (TLS 1.3), and backed up daily.

Authentication

We use passwordless sign-in via magic links and Google OAuth. There are no passwords to steal or phish. The key that unlocks your vault is derived from a six-word recovery phrase that never leaves your device.

Zero-knowledge design

Our team cannot see, access, or decrypt your vault contents. Even in the unlikely event of a server breach, your data remains encrypted and unreadable without your key.

Proof-of-life protocol

Our controlled release system uses periodic check-ins to confirm you are still active. Nothing is ever released to trustees without the full protocol completing, including configurable waiting periods and multiple notification attempts.

Responsible disclosure

If you discover a security vulnerability, please report it responsibly to security@lifebeacon.io. We take every report seriously and will respond promptly.

For more about how we handle your data, see our privacy policy.