Skip to content
STEMMA
Log in Open your vault
Security

We built a vault we cannot open.

Not "won't." Cannot. Your key is derived from a passphrase that never leaves your device, so what we store is unreadable to us, to an intruder, and to anyone who compels us.

one turn · no games · your key does this for real
{{ panelTitle }}
{{ panelText }}
{{ panelCaption }}
The encryption layer

What leaves your device is deliberately useless to everyone else.

As this section enters view, the cipher study resolves from noise to the one sentence that matters. The rest of this page stays readable and still.

The architecture, in plain sentences.

AES-256-GCM

Every entry is encrypted on your device before sync. The key is derived from your passphrase with a memory-hard function; it is never transmitted, logged, or escrowed.

Split key shares

Release doesn't hand us a master key — there isn't one. Beneficiary access combines a share they hold with a share that unlocks only after your conditions are met.

2FA in the vault

Time-based codes are generated inside the encrypted client, so your second factors survive you too — no locked authenticator app standing between your family and your email.

Recovery, considered

A printed recovery kit — passphrase hint, recovery code, instructions — lives wherever you keep serious paper. Lose everything and the kit still gets you back in. We can't reset what we can't read.

Open export

One click produces a decrypted archive of your entire vault, on your device, in open formats. Leaving must always be possible; that keeps us honest.

Compelled disclosure

If we're ordered to hand over your data, we comply — with ciphertext. The design makes the polite version and the adversarial version of us equally harmless.

Trust the math, not the company.

Start your vault Next: Inheritance →