The plain English version.

Think of your vault as a locked box that lives on our servers. Your password is the only key that opens it. When you log in, the unlocking happens on your device, not on our servers. The contents of the box never leave your device unlocked, and we never have a copy of your key.

That means even we can't open the box. Not our engineers, not our support team, not anyone at IvorySafe. Your vault is genuinely yours alone. The information you put in it is unreadable to anyone except you and the emergency contacts you've designated. This is what "end-to-end encryption" means: the only points where your data exists unencrypted are at your end and at the other authorized end. Everywhere in between, including on our servers, it's a locked box.

What this means in practice.

  • Your vault contents are unreadable to us. When you fill in a bank account or upload a document, that information is encrypted on your device before it's ever sent to us. We receive and store a scrambled version. We have no way to unscramble it.
  • Your vault is unreadable to attackers. If someone broke into our servers tomorrow, they wouldn't get usable data. They'd get a pile of encrypted blobs that mean nothing without each individual user's password.
  • The encryption is industry-standard. We use AES-256, the same standard used by banks, the US government for classified information, and every reputable security product. It's not a custom or experimental encryption scheme.
  • It works the same on every device. Whether you log in from your laptop or your phone, the unlocking happens on that device. Your password is what makes it work, and your password never reaches our servers.

What we can see, and what we can't.

Encryption isn't a magic invisibility cloak. There are things we need to know about you in order to run the service. We're going to be specific about what those are so there's no confusion.

What we can see:

  • Your name and email address, so we can send you account notifications and so your emergency contacts know who designated them.
  • Your phone number, so we can send you multi-factor authentication codes when you log in, and so we can reach you if one of your emergency contacts reports you as incapacitated or deceased. During the waiting period, we contact you by both SMS and email so you have multiple ways to respond.
  • Account metadata: when you signed up, what plan you're on, when you last logged in, and similar billing and operational data.
  • The emergency contacts you designate, including their name, email, and phone number, which we use to reach them on your behalf.
  • The emails and text messages we send for and to you, such as the invitation an emergency contact receives when you add them, and the alerts we send you during a waiting period.
  • Which sections of your vault you've started or completed. We can see your progress as metadata, but never what you've entered inside them.

What we can't see:

  • Anything you put inside your vault. Bank accounts, insurance policies, family details, end-of-life wishes, professional contacts, uploaded documents. All encrypted, all unreadable to us.
  • Your account password, the key that decrypts your vault. It never leaves your device, so we never receive it in any form. This is also why we can't reset it or recover your vault if it's lost, which we cover below.
  • The contents of your vault even if law enforcement asks us for them. We can produce the account information listed above if served with a valid legal request, but we physically cannot produce the vault contents because we don't have the ability to decrypt them.

The information we can see is what we need to run the service: bill you, send you notifications, run security checks, and answer support questions. None of it is shared with your emergency contacts in a crisis. What gets shared with them is the vault contents, and only after the conditions you set are met.

What happens if our servers are compromised.

This is the question that matters most to people thinking about storing sensitive information online, and it deserves a direct answer.

If our servers were ever breached, an attacker would get the encrypted contents of vaults. Without the corresponding password for each vault, those contents are useless. With AES-256 and a strong password, breaking the encryption by brute force is computationally infeasible: even with the resources of a nation-state, attempting to try every possible password would take longer than the age of the universe.

This is the core promise of end-to-end encryption, and it's the reason we invested significantly in building it correctly: a breach of our servers wouldn't be a breach of your data. The encryption keys for your vault aren't stored on our servers. They're derived from your password every time you log in, on your device, and they exist only in memory for the duration of your session.

Our backups follow the same rule. We back up encrypted data, not decrypted data. A backup restore would restore your encrypted vault, which still requires your password to read. There's no "master copy" of unencrypted vaults anywhere in our systems.

The tradeoff: no recovery if you forget your password.

End-to-end encryption is a strong protection, but it comes with one significant tradeoff that we want to be very clear about. Because we don't have a copy of your password and can't read your vault, we also can't help you recover it if you forget your password. There's no "reset" that gets you back into your existing vault.

This is the same model used by other end-to-end encrypted services. The strength of the security depends on us being unable to access your data, which by definition means we also can't unlock it for you. We can help you create a new account, but the original vault and its contents would be inaccessible.

For the full details on what to do if this happens, and steps you can take now to make sure it doesn't, see I forgot my password.

What this means for your emergency contacts.

Your emergency contacts are protected by the same encryption model. When the conditions you've set are met and access transfers to them, they create their own credentials and gain access to your vault. From that point forward, their account works the same way yours did: end-to-end encrypted, no recovery if they forget their password.

This is worth knowing because your emergency contacts may not log in for months or years before they need to. The same care you take with your own password applies to theirs. It's a good idea to mention this to anyone you designate.

A few common questions.

Are uploaded documents also encrypted?

Yes. Anything you upload to your vault, including PDFs, images, and other files, is encrypted on your device before being sent to our servers. We store the encrypted version and can't read the original any more than we can read the rest of your vault.

Is my data still encrypted when it's being transmitted?

Yes, in two layers. Your data is encrypted before it leaves your device (the end-to-end encryption described above), and the connection between your device and our servers is also protected by HTTPS. Even if someone were able to intercept the traffic between your device and our servers, they'd see encrypted data inside an encrypted connection.

Could a government agency force IvorySafe to give them my data?

We comply with valid legal requests, but the structure of the system limits what we can produce. We can hand over the account information described above (name, email, phone, metadata). We cannot hand over the contents of your vault, because we don't have the ability to decrypt them. This isn't a policy choice that we could change under pressure. It's a technical reality of how the system is built.

How is this different from other services that store family information?

Some products in this category store data in a way the company can read. That's a legitimate design choice with its own benefits, including the ability to help users recover lost passwords. But it also means the company itself is a point of failure: if their systems are breached or their employees act badly, your data is exposed. End-to-end encryption removes that risk by removing the company's ability to read your data in the first place.

What if you go out of business?

If IvorySafe were to shut down, we'd give users substantial advance notice and time to export their data. The vault contents would still require your password to access, since the encryption doesn't change based on who owns the company. Your data is yours; the encryption ensures it stays that way regardless of what happens to us.

Is there an audit or third-party verification of this?

Our security is built to SOC 2 standards. A formal SOC 2 audit is on our roadmap. End-to-end encryption is the kind of claim that's easiest to verify by examining the system itself: because we genuinely don't have the ability to read your vault, we can't be forced to demonstrate that we can.

Other security questions?

If there's something about how we protect your data that this article didn't answer, we'd rather hear from you than have you wonder. Security questions get answered by a person, not a chatbot.

Email support

Or copy and paste: support@ivorysafe.com