Trust you can verify, not just read.
You're about to hand us the keys to your whole life. Here's exactly how the architecture — not our good intentions — keeps them yours.
The one promise everything rests on.
Your vault is encrypted on your device with a key derived from a passphrase only you know. What reaches our servers is ciphertext. We cannot read it, reset it, or hand it over — because we never hold the key.
Argon2id
Memory-hard derivation (64 MiB on web) turns your passphrase into a key that's expensive to brute-force.
AES-256-GCM
Authenticated encryption of the entire vault payload, performed locally before anything syncs.
X25519 + Shamir
Release keys are split into 5 shares; any 3 reconstruct — sealed to each holder with X25519.
Our threat model — in plain words.
| We protect you from | How |
|---|---|
| A breach of our servers | Attackers get ciphertext only. No master key exists on our side to steal. |
| A rogue employee or subpoena | We can't decrypt your vault. There's nothing to silently hand over. |
| A single trusted person going rogue | Recovery needs 3 of 5 independent holders — no one can act alone. |
| A wrongful or accidental release | A 14-day hold with daily multi-channel alerts; one tap aborts and re-seals. |
| The company disappearing | Local-first storage + your 24-word phrase open the vault without us. |
What we don't defend against: a device fully compromised by malware while your vault is unlocked, or a passphrase you share with someone. Zero-knowledge protects the vault at rest — not a screen someone is looking over.
Where things stand — honestly.
Independent security audit — scheduled.
An external, third-party audit of the crypto and release engine is being commissioned ahead of general availability. We'll publish the report here in full — findings and fixes — when it completes. We won't claim "audited" until it is.
Breach disclosure within 72 hours.
If something goes wrong, you'll hear it from us — fast, in plain language, with a public post-mortem. See our status page.
Responsible disclosure.
Found a vulnerability? Our security.txt tells you how to reach us. We respond, we credit, we fix.
Sub-processors, listed.
Every third party that touches encrypted data is named on our sub-processors page. No silent additions.
If Lyfos vanished tomorrow.
It's the question every "digital legacy" service avoids. Ours: your vault is stored locally first, and your 24-word recovery phrase is a standard BIP39 phrase. You — or your nominee — can decrypt your records with that phrase and the released key shares, with or without our servers, our app, or our company. You are never locked in, and never locked out.
Read the full security architecture →Built to be doubted.
Don't take our word for it — that's the point. Read the model, watch the recovery test, and ask us anything.