SafeHerit

Log in
Sign Up

SafeHerit

Security you can verify

Your information is encrypted in your device before anything is sent over the internet. So nobody else can read it, not even us.
And you can verify at any time that this is really happening.

Client-side encryption
Zero-Knowledge architecture
You control the keys

Zero-Access by Design

Only you (and later your beneficiaries) can read your information.

OVERVIEW

SafeHerit is built so that only you (and, when the time comes, the beneficiaries you choose) can read your information. We encrypt everything on your device before it leaves your browser.

We don’t hold your private key and can’t decrypt the information stored in your vault.

Your private key stays with you, and SafeHerit cannot reset or recover it. We recommend you store it securely, and keep a copy in a secure location.

If you later decide to change your key, your browser re-encrypts your data with the new one.

Important: If you permanently lose access to your private key (and any back up you set up), your encrypted data will be irrecoverable and you will have to start a new vault from scratch with a new key.

TECHNICAL DETAILS

  • All sensitive content is encrypted client-side; only ciphertext and minimal metadata are stored server-side.
  • Public/private key pairs are generated in the browser; the private key never leaves the device.
  • No server-side decryption path; services operate on encrypted blobs and non-sensitive metadata only.
  • The private key is protected locally with a password-derived key and is never transmitted to servers.
  • Key rotation triggers client-side re-encryption; older encrypted material scheduled for secure deletion.
  • No path to data decryption or key recovery server-side in case the Private key is lost.

How Encryption Works

Your browser locks the data first, then sends it.

OVERVIEW

  1. When you create your account, your browser creates a public key (to encrypt) and a private key (to decrypt).
  2. When you add information to your vault, your browser encrypts it in a way that can only be decrypted using your private key.
  3. Only this encrypted data is sent and stored in our servers. We never see your unencrypted data nor your private key.

That being said, we believe that security claims should be verifiable:

If you are a technical user, you can verify at any time that your data is encrypted in your browser before anything is sent over the internet. 

TECHNICAL DETAILS

  • Hybrid scheme: AES-256-GCM for content; AES key is wrapped with RSA-4096.
  • All cryptographic operations occur in the browser using well-established primitives.
  • Transport security via HTTPS/TLS for all client–server communications.
  • Use browser dev tools to inspect network requests: payloads content is ciphertext only, not plaintext.
  • Cryptographic routines run before network calls; only encrypted content and non-sensitive metadata are transmitted.

Beneficiary Security (Per-Beneficiary Keys)

Each beneficiary has their own “locked box.”

OVERVIEW

Think of each beneficiary having their own locked box. You decide what goes into each box.

Only the beneficiary with the matching key can open their box. Other beneficiaries (and SafeHerit) cannot decrypt items not intended for them.

TECHNICAL DETAILS

  • Each beneficiary has an associated key pair.
  • Each item’s key is encrypted for the owner’s public key and for each assigned beneficiary’s public key.
  • Decryption requires the beneficiary’s private key; other beneficiaries cannot decrypt items not meant for them.

Pulse Check & Escalation

Confirm status first; access remains encrypted.

OVERVIEW

SafeHerit periodically checks in on the schedule you set. If you do not respond, we contact your validators (if you registered any) to confirm your status.

This process never reveals your encrypted content. It only authorizes the next step which is to notify your beneficiaries.

TECHNICAL DETAILS

  • Liveness workflow with notifications and validator confirmations.
  • Escalation changes authorization state only; no server-side decryption path at any step.
  • Validators never receive access to user content.

Threat Model & Shared Responsibility

What we defend against, and where you play a part.

OVERVIEW

We protect against server breaches, insider access, and demands for data because we store only encrypted content and do not hold your private key.

Your role is to secure your devices and private keys, use strong unique passwords, and share keys safely with your beneficiaries.

TECHNICAL DETAILS

  • Strong against: server-side compromise & database exfiltration (ciphertext only), malicious operator (no keys), compelled disclosure (ciphertext only).
  • User-side risks: endpoint compromise (malware on an unlocked session), credential reuse, social engineering.
  • Beneficiary key exchange must use secure channels; SafeHerit does not provide key escrow.

What we defend against

Your responsibilities

  • Keep your device and private key secured
  • Share beneficiary keys via secure channels
  • Use strong, unique passwords and avoid reuse

What We Store (and What We Don't)

We store encrypted information about assets, not the assets themselves.

OVERVIEW

SafeHerit store encrypted information about your assets (notes, references, locations, and any files you attach), not the assets themselves. Information about your assets is encrypted before upload, and we do not get to see it at any point.

While SafeHerit helps you provide instructions for your beneficiaries, it is not a legal will and does not provide legal advice. 

We keep encrypted backups to protect against outages.

Backups are useless to anyone without the corresponding private keys.

TECHNICAL DETAILS

  • Minimal account metadata is kept separate from user content.
  • User content (text/files) is stored exclusively as ciphertext (No decryption path server-side).
  • Service scope: informational transfer to designated beneficiaries; no custody of user assets.
  • Periodic, versioned backups of encrypted blobs in separate storage locations.
  • Disaster recovery restores ciphertext only; decryption remains with users/beneficiaries.

Ready to Safeguard Your Future?

Get started with SafeHerit in minutes and experience a painless way to secure your assets, assign beneficiaries, and ensure your legacy is always in the right hands.

Start Your Free Trial
Learn More