Dead Man’s Switch
After 180 days of silence and a 5-week warning cascade, your trusted contacts unlock the vault. They’ve held their keys the whole time, mailed as engraved metal NFC cards or split across email + card. The platform is the gate. The mechanism is engineered, not wishful.
ACTIVE ↓ 180 days of inactivity WARNED_1 first warning email ↓ 14 days WARNED_2 second warning, more urgent ↓ 14 days WARNED_FINAL final warning ↓ 7 days TRIGGERED contacts activated, keys usable ↓ 60 days DELETED Living Vault destroyed (Eternal Vault continues)
This is the most important paragraph on this page. Your trusted contacts hold their decryption keys from the day you designate them, not at your death. Mailed on engraved metal NFC cards (Legacy / Eternal tier) or delivered by email (Guardian tier). The keys are always cryptographically valid. They could always decrypt your data.
What changes is the platform’s willingness to serve the encrypted data. Until the DMS fires, the server returns 403 for access requests. After, it serves the ciphertext. The keys the contact has been holding for years can now unwrap it.
This is a single boolean, is_active, on the server, toggled by the DMS. Simple, auditable, and crucially: there is no "delivery at death" moment where our email infrastructure or escrow system could fail you at the worst time. The activation email is a courtesy, not a requirement. Your inheritor already has the key.
The hardest problem in digital legacy is reaching the right people at the worst time. We deliver the keys years early, to decouple key delivery from the trigger event.
If Henedo ceases to exist and someone recovers backups from storage, the keys still work. The gating is server-side policy, not cryptographic, it’s a soft floor, not a hard ceiling.
5 weeks of warnings. Any login resets. 5 recovery methods (passphrase, recovery key, passkey, Shamir, escrow) ensure you can always log in to cancel.
Most digital legacy plans are wishful: "I told my spouse where the password manager is," "my will mentions the safety-deposit box," "my lawyer has a copy of the recovery phrase." Each of these requires a human to do the right thing at the worst moment. Most fail.
Henedo's mechanism is engineered. Each layer below is independently sufficient; together they close every realistic failure mode:
Engraved metal NFC cards (Legacy / Eternal tier) or split-key email (Guardian) reach your trusted contacts the week you designate them, while you are alive. The decryption key sits in their hands for years before it is ever needed.
Until the dead-man's switch fires, the platform refuses to serve ciphertext. The pre-delivered key is useless without the encrypted bytes. After the switch fires, server flips a single boolean. The key in their hands now decrypts the bundle.
A defined access period after activation gives heirs time to download what is theirs. After 60 days, the Living Vault is permanently deleted. Eternal Vaults remain for their full preservation duration on actively-preserved geo-redundant storage.
Primary storage is geo-redundant and refreshed every ~10 years onto current technology — the same active-preservation discipline national archives use (ISO 14721 / OAIS). The optional M-Disc physical backup is an extra redundancy layer on top, never the only copy. With it, your heirs can decrypt the bundle on any computer running standard AES-256-GCM and Argon2id — no Henedo server, website, or email required.
We are the only platform we are aware of that combines all four. Wills tell. Henedo delivers. See the portability page for the decrypt-without-Henedo recipe, and the journal feature for the voice notes and video messages this mechanism delivers.
Included in every paid plan. Your vault, your terms, your switch.