Security Overview

Last Updated: 2 June 2026

1. Introduction

Trust is the foundation of The Life File. Because you rely on us to store your most sensitive end-of-life, financial, and digital legacy information, we employ a security model built around a single principle: only you can read your data. This document outlines the technical measures that protect your Vault.

2. Zero-Knowledge Architecture

Our platform is built on a zero-knowledge security model. This means:

Your data is encrypted locally on your device before it is ever sent to our servers.

The decryption key is derived from your password and is known only to you — it never leaves your device.

The Life File Ltd, our employees, and our developers cannot decrypt, read, or access the contents of your Vault. In the event of a data breach or a legal request, we can only provide encrypted, unreadable ciphertext.

Even when you designate an Executor, your Vault key is sealed cryptographically to that person's key — never to us. We facilitate access; we never hold the means to read your data ourselves.

3. Encryption Standards

Data at Rest: All Vault entries and uploaded documents are protected using AES-256 encryption, applied on your device before storage.

Data in Transit: All communication between your device and our infrastructure is secured using TLS (Transport Layer Security), protecting your data against interception as it travels across the internet.

4. Infrastructure and Hosting

The Life File is hosted on managed, industry-leading infrastructure:

Application Hosting: Vercel.

Database & File Storage: Supabase, with data hosted in the [Insert Region, e.g. London / EU] region.

These infrastructure partners maintain independently audited security certifications (such as SOC 2 and ISO 27001) and operate physically secured, access-controlled data centres. Note that these certifications belong to our hosting partners; because of our zero-knowledge design, the data they hold on our behalf is encrypted and unreadable regardless.

5. Account Security Controls

Password Requirements: We require strong passwords at registration to resist brute-force attacks. Your password also derives your encryption key, so its strength directly protects your data.

Multi-Factor Authentication (MFA): You can enable time-based one-time passwords (TOTP) using apps such as Google Authenticator or Authy, adding a second layer of protection to your login.

Ephemeral In-Memory Keys: Your decryption key exists only in your device's memory while your Vault is unlocked. It is never written to disk, and is cleared when you lock your Vault, refresh, or close the page — so an unattended device does not leave your Vault readable.

6. Managed Infrastructure & Updates

We build on managed platforms (Vercel and Supabase) that handle network-level monitoring, patching, and physical security to industry standards. This lets us inherit robust, continuously maintained infrastructure rather than operating vulnerable self-managed servers. Application dependencies are kept up to date to address newly discovered vulnerabilities.

7. Data Retention & Destruction

Security includes knowing when to destroy data. As outlined in our Terms and Conditions, we enforce a strict 180-day deletion policy. If an account's trial expires or its subscription lapses and it remains inactive for 180 days, all associated encrypted data is permanently purged. You may also delete your account and all its data instantly at any time from your settings.

Contact Security

If you have discovered a potential security vulnerability or have questions about our architecture, please contact us at [Insert Security Email].