Security Overview
Built to be unreadableto everyone. Including us.
Henedo is a zero-knowledge platform. Your documents are encrypted on your device before they ever touch our servers. We hold ciphertext only, never plaintext. Even in the event of a full infrastructure breach, an attacker recovers encrypted blobs they cannot read without keys only you control.
Core principles
Three layers of protection,at every level of the stack.
Security without compromise, at every level of the stack: from the cryptographic primitive to a physical archival medium rated for up to 1,000 years.
Zero-Knowledge
Your password derives a KEK via Argon2id. A separate Master Key encrypts per-file keys. We store ciphertext only. Plaintext never leaves your browser.
Contact One-Time Keys
Each trusted contact gets a unique 256-bit key generated on your device. For NFC tiers, the key is split between a physical card and email. Neither alone unlocks anything.
Dead Man's Switch
Inactivity-based triggering with escalating warnings over weeks. Only after the final warning period expires are contact bundles activated. Any login resets the timer.
Institutional Trust
A portion of every subscription funds a perpetual preservation endowment managed by an independent trustee. Formal agreements with accredited universities and national archives guarantee custodial access long after any commercial operation ends. Your legacy is structurally protected even if Henedo ceases to exist.
Encryption Architecture
Zero-knowledge by design,not by policy.
Zero-knowledge means the server is architecturally incapable of reading your data: not a policy choice, but a mathematical constraint.
Two-layer key derivation
Your password is run through Argon2id (64 MB memory, GPU-resistant) with a unique per-user salt to derive a KEK (Key Encryption Key). A separate 256-bit Master Key is randomly generated at registration and encrypted with the KEK. Neither key ever leaves your device.
Per-file encryption
Each file gets its own random 256-bit File Encryption Key (FEK). The file is encrypted with AES-256-GCM and a unique 12-byte IV. The GCM authentication tag ensures ciphertext integrity: any tampering is detected on decryption.
Envelope key wrapping
Each per-file FEK is encrypted with your Master Key using AES-256-GCM. The encrypted FEK (EFEK) is stored server-side alongside the ciphertext. Only your device can decrypt the Master Key and therefore unwrap any FEK.
Transport security
All data in transit is protected by TLS 1.3 with forward secrecy. Large file uploads bypass edge functions entirely via signed URLs so encrypted bytes go directly to storage, minimising the attack surface.
// 1. Derive KEK from password (device-side only)
const kek = await argon2id({
password: userPassword,
salt: kdfSalt, // stored server-side (not secret)
memory: 65536, // 64 MiB, brute-force expensive
iterations: 3,
parallelism: 4,
hashLength: 32, // 256-bit KEK
})
// 2. Decrypt Master Key (MK was encrypted with KEK at registration)
const mk = await crypto.subtle.decrypt(
{ name: 'AES-GCM', iv: mkIv },
kek, encryptedMasterKey // EMK fetched from server
)
// 3. Per-file encryption
const fek = crypto.getRandomValues(new Uint8Array(32))
const iv = crypto.getRandomValues(new Uint8Array(12))
const cipher = await crypto.subtle.encrypt(
{ name: 'AES-GCM', iv }, fek, plaintext
)
// 4. Wrap FEK with Master Key (AES-256-GCM)
const fekIv = crypto.getRandomValues(new Uint8Array(12))
const efek = await crypto.subtle.encrypt(
{ name: 'AES-GCM', iv: fekIv }, mk, fek
)
// Only { cipher, iv, efek, fekIv } are uploaded
// Server never sees: kek, mk, fek, plaintextImportant consequence
If you forget your password, your data cannot be recovered: not by you, not by us, not by any court order. The KEK derived from your password is the only way to unlock your Master Key. This is a feature, not a bug.
Encryption applies to memory too
Voice notes, video messages, dated journal entries, and the 1,000-prompt Life Story answers are all encrypted client-side under the same Master Key as your documents. The server cannot transcribe a recording, generate captions, or thumbnail a video. There is no analytics layer, no AI summarisation, no admin override. Journal · Life Story
Data at Rest & In Transit
What we store,and what we never see.
Edge function architecture
All business logic is routed through edge functions. There are no direct client-to-database connections, ever.
- All storage encrypted at rest (AES-256)
- No direct client-to-database connections
- All logic routed through edge functions
- Adapter pattern isolates infrastructure
- Migration-ready: swap adapters, zero logic rewrites
- Signed upload URLs bypass edge functions for large files
- Secrets stored in environment variables, never in code
Depth, Not Just Presence
Zero-knowledge is the floor.this is how it goes deeper.
Proton Pass, Bitwarden, 1Password, and Lastkey all describe themselves as zero-knowledge, that is table stakes for a privacy-first vault. The architectural difference is what each product does inside the trust boundary. Henedo combines six layers of in-boundary defence that no competitor ships together.
Why depth matters
Zero-knowledge tells you the server cannot read your plaintext. It does not tell you what happens if the JS in your browser is poisoned, if your session token is stolen, or if a backup is exfiltrated. Each layer above closes one of those attack vectors that the others leave open.
We do not claim to be the only ZK product. We claim to be the only one combining all six layers in a single, openly-documented system.
Bundled UX, modular internals
Each of the six layers is a separable subsystem. The architecture spec on the architecture page walks through how every feature is fault-isolated: a bug in the will builder cannot read your vault keys; the canary detector cannot decrypt anything.
Bundling features increases UX power. It does not have to increase blast radius.
Active Preservation
Geo-redundant primary storage,not passive cold storage.
Your primary storage layer is geo-redundant: encrypted blobs are replicated across multiple regions on a current-generation cloud object store. Geo-redundancy alone is not enough, though — drives wear out, formats drift, and entire storage technologies become obsolete in 10–15 years. So Henedo runs an active-preservation cycle: every ~10 years the underlying drives, formats, and infrastructure are migrated to current technology, the way the Library of Congress, national archives, and other archival institutions do it.
Why active preservation matters
Passive cold storage assumes today's hardware will still be readable a century from now. It will not. The discipline that keeps long-form archives alive is continuous custody: fixity-checking the data, refreshing the media, migrating formats, and re-replicating onto whatever the current storage-industry standard is. Henedo is built around that cycle, not around any single drive or vendor.
Our active-preservation process
- Geo-redundant replication of every encrypted blob across multiple regions
- Continuous SHA-3 fixity checks — silent corruption is detected and re-replicated automatically
- Hardware/drive refresh on a ~10-year cycle, current-generation storage tech each time
- Format and codec audits aligned to ISO 14721 (OAIS) and PREMIS preservation metadata standards
- Open, decryptable-without-Henedo formats — the spec travels with the data
- M-DISC burned annually as an extra redundancy layer (see below) — never the only copy
Primary storage
Encrypted blobs replicated across multiple regions
Geo-redundant cloud object store
Hardware refresh
Drives migrated to current-generation storage tech each cycle
~10-year cycle
Fixity checks
Silent corruption detected and re-replicated automatically
Continuous SHA-3
Standards reference
The reference models for serious long-term archival
ISO 14721 (OAIS) + PREMIS
M-DISC layer
Annual burn for offline durability — last-resort copy
Extra redundancy, not primary
M-DISC rating
Tested per ISO/IEC 10995:2011/ECMA-379 (US DoD projection)
Up to 1,000 years
M-DISC capacity / read
Verbatim M-DISC BDXL — no proprietary reader
100 GB / any BD-ROM
M-DISC, the redundancy layer
M-DISC sits on top of the geo-redundant primary store as an extra safety layer. Unlike optical discs that use a dye layer (which fades), M-DISC uses a rock-like inorganic compound layer — a high-power laser physically ablates pits into it, with no dye, no magnetic coating, and no organic material to degrade. It is tested per ISO/IEC 10995:2011/ECMA-379 and rated for up to 1,000 years (U.S. Department of Defense projection). Henedo burns an annual encrypted snapshot to Verbatim M-DISC BDXL, verifies it with SHA-3, and stores three copies in climate-controlled vaults across three geographic locations. It is a belt-and-suspenders archival practice — the same discipline national archives use — never the only copy of your data.
Infrastructure Architecture
Designed to outlastany single provider.
Every request flows through edge functions that call abstract adapters, never the database directly. This means the entire infrastructure can be migrated without rewriting a single line of business logic or changing the client.
Database
Abstract adapter, Postgres
Current: Supabase Postgres. Future: self-hosted or AWS RDS
All queries go through a DatabaseAdapter interface. Swap implementation, not logic.
Storage
Abstract adapter, object storage
Current: Supabase Storage. Future: MinIO or AWS S3
Encrypted blobs uploaded via signed URLs. StorageAdapter abstracts the provider.
Auth & Email
Abstract adapters, auth + email
Current: Supabase Auth + Resend. Future: Lucia / custom JWT + SES
Auth verifies requests, email dispatches COTKs. Both are adapter-isolated.
Zero vendor lock-in
No direct client-to-database connections exist anywhere in the codebase. Every query goes through an abstract adapter. Swapping Supabase for self-hosted Postgres, S3, and custom JWT means swapping adapter implementations, not rewriting logic. Total estimated migration effort: 1–2 sprints.
Access Architecture
Access after death,without breaking encryption.
The hardest problem in digital legacy is granting access after death without creating a backdoor during life. We solve this with a Contact One-Time Key (COTK) and a Dead Man's Switch: the server is a blind gatekeeper that controls when, never what.
Contact One-Time Key (COTK)
When you designate a trusted contact, a 256-bit random key is generated entirely on your device. This COTK encrypts a bundle containing the contact's assigned file keys. The server stores the encrypted bundle but never the COTK itself.
Split-key delivery (NFC tiers)
For Legacy and Eternal plans, the key is split: 24 characters engraved on a metal card, 20-character completion code emailed separately. The final COTK is derived via Argon2id (256 MB memory) from the combined input, so each brute-force guess costs around 2 seconds.
Dead Man's Switch
You set an inactivity threshold (e.g., 180 days). If you stop checking in, escalating warnings are sent over several weeks. Only after the final warning expires are contact bundles activated. Any login resets the timer.
Server-gated access
The encrypted bundle is decryptable from day one. What changes at DMS trigger is the server's willingness to serve it. Contacts visit their access URL, enter their key (or card + email code), and decrypt entirely in-browser. We never see the key.
Dead Man's Switch
You set an inactivity threshold. If you go silent, warnings escalate: first warning, second warning, final 7-day notice. Only after the final window expires are trusted contacts activated. Any login or check-in resets back to active.
Trusted contacts
Designate trusted people, each with their own COTK and encrypted bundle. Contacts do not need a Henedo account. You control which files each contact can access, and you can revoke or reassign at any time.
What this means in practice
No court order, warrant, or subpoena can compel Henedo to grant access to a vault. We mathematically cannot: the plaintext key does not exist on our infrastructure.
Long-Term Preservation
What happensif Henedo disappears.
Every subscription-based company is at risk of shutdown, acquisition, or pivot. We have taken structural steps to ensure your legacy survives regardless of our commercial fate.
Preservation Endowment
5% of all subscription revenue is transferred monthly into a ring-fenced preservation trust managed by an independent trustee. Contractually prohibited from operating expenses.
Third-Party Custodian
We maintain a contractual relationship with an ISO 14721-compliant archival custodian. In a wind-down event, encrypted vaults and M-DISC masters are transferred to the custodian indefinitely.
Open Data Format
Your encrypted vault can be exported at any time as a self-contained archive: standard AES-256-GCM ciphertext + open-source decryption tool + your wrapped keys. You are never locked in.
5%
Of every subscription to endowment
ISO 14721
OAIS-compliant custodian standard
100 years
Minimum custodial obligation
Academic & Research Partnerships
Independent oversight, from institutionsthat outlast companies.
Commercial incentives can conflict with security. We counter this by embedding independent academic oversight into our architecture: institutions whose reputations depend on rigour, not revenue.
Cryptography Review
University Cryptography Departments
Annual review of our encryption primitives, key derivation parameters, and protocol design. Any deviation from recommended standards triggers mandatory remediation within 90 days. Reports published on our Transparency page.
Digital Archival Science
Library & Archival Science Programs
Partnership with digital humanities departments to ensure our archival practices align with ISO 14721 (OAIS) and PREMIS preservation metadata standards. Annual archival health audit.
Estate Law Research
Law School Estate Planning Clinics
Collaboration with estate planning law clinics on template accuracy, jurisdiction-specific legal validity worldwide, and the evolving legal landscape around digital estate and cryptocurrency inheritance.
Security Penetration Testing
Independent Security Research Teams
Annual red team engagement by a third-party security firm. Scope includes: API endpoints, key management, client-side crypto, executor flows, and infrastructure. Full report published with severity ratings.
Compliance & Certifications
The standardswe hold ourselves to.
SOC 2 Type II
In Progress, Q4 2026- Security, availability, confidentiality trust service criteria
- Continuous monitoring via Vanta
- Annual third-party audit by accredited CPA firm
- Report available to enterprise customers under NDA
GDPR (EU)
Compliant- EU data stored exclusively on EU infrastructure
- Data Processing Agreement available on request
- Right to erasure: full vault deletion within 24 hours
- Data portability: full export at any time
- DPO appointed for EU operations
CCPA (California)
Compliant- Do Not Sell My Personal Information honoured
- Full data inventory available on request
- Opt-out of analytics and marketing data processing
- Data deletion processed within 45 days
Penetration Testing
Annual, last: Q1 2026- Full-scope black-box and white-box tests
- OWASP Top 10 coverage + cryptography review
- All critical/high findings remediated within 30 days
- Summary report published on Transparency page
Transparency
Whatwe will always tell you.
Trust is not a marketing position. It is a set of commitments with teeth. These are the transparency obligations we hold ourselves to, regardless of commercial or legal pressure.
Zero key-disclosure policy
We will publicly disclose any government or legal request to access user data. Because we hold only ciphertext, we can comply with the letter of any data access order while providing nothing useful to an adversary.
Breach notification within 72 hours
In the event of a confirmed breach, we will notify all potentially affected users within 72 hours and publish a detailed post-mortem within 30 days. There is no 'assess the situation first' delay.
Annual transparency report
Published each January: total number of government data requests received, number we complied with, number we contested, all security incidents and their outcomes, and a summary of all third-party audit findings.
No behavioural analytics on vault content
We do not analyse, index, or run machine-learning models on your encrypted vault content. The only telemetry we collect is product usage analytics (page views, feature interaction) that never include document content or metadata.
Warrant canary
As of April 2, 2026: Henedo has not received any government request to compromise encryption, insert backdoors, weaken key derivation parameters, or provide decryption keys. Henedo has not received any National Security Letter or FISA court order. Henedo has not been subject to any gag order preventing disclosure of government data requests. This statement is updated quarterly. If it disappears or is not updated, draw your own conclusions.
Don't Trust. Verify.
Prove it yourself.Right now.
We don't ask you to take our word for it. Every claim on this page is independently verifiable using tools already in your browser. Here are four ways to confirm our zero-knowledge architecture is real.
1. Watch the network tab
Open DevTools → Network tab. Upload a file. Every outbound request carries application/octet-stream ciphertext bytes, never your file's real MIME type, never plaintext. The server receives encrypted blobs it cannot read.
// What leaves your browser: PUT /storage/v1/object/vault/... Content-Type: application/octet-stream Body: [AES-256-GCM ciphertext bytes] // What NEVER leaves your browser: // ✗ plaintext file content // ✗ real file MIME type // ✗ KEK, MK, or FEK key material
2. Read the source code
Our entire cryptographic layer is open-source. Every function that touches your keys (derivation, wrapping, encryption, zeroing) is published and auditable. No obfuscation, no minified secrets.
Grep the entire repo for RSA, ECDH, or ECDSA. Zero results. No asymmetric crypto in the data path. That is by design.
3. Inspect memory at runtime
While logged in, open DevTools → Console. The Master Key lives only in a Web Worker scope, isolated from the main thread. The encrypted MK stored server-side is exactly 48 bytes (32-byte key + 16-byte GCM auth tag), confirming it is ciphertext, not plaintext.
// In DevTools Console, verify what's in sessionStorage:
const emk = sessionStorage.getItem('henedo_emk')
console.log('EMK length (base64):', emk?.length)
// ~64 chars base64 = 48 bytes = 32 (MK) + 16 (GCM tag) ✓
// The MK itself lives in the Web Worker scope.
// Main thread cannot access Worker variables.
// Try it: there is no global 'masterKey' variable.
typeof masterKey // → "undefined" ✓4. The ultimate proof: password loss = data loss
This is the single strongest proof that our zero-knowledge claims are real. No company that secretly holds your keys would ever ship this behavior:
- If you lose your password and recovery key, your data is permanently gone
- No “contact support” backdoor exists. We cannot recover your Master Key
- No court order, subpoena, or government request can compel us to decrypt your data
- We literally do not have the mathematical ability to help because the KEK exists only in your browser
If we secretly held your keys, we could offer password recovery. We can't. That's the proof.
Standing challenge
Prove us wrong. We'll pay you.
We publish encrypted vaults with known plaintext inside, alongside every server-stored value: EMK, kdf_salt, mk_iv, EFEK, ciphertext, and IVs. Recover the plaintext without the password.
If the server could decrypt your data, someone would claim the bounty. No one has. No one can.
Post-Quantum Security
Quantum-safe by design.Not quantum-retrofitted.
Most encrypted products depend on RSA or elliptic-curve key exchange, algorithms that break completely under Shor's algorithm. Henedo's data protection uses no asymmetric cryptography at all. There is nothing to retrofit because there is nothing to break.
What competitors must retrofit
Most E2E encrypted products use asymmetric key exchange (X25519, RSA, ECDH) for sharing keys between devices or users. These algorithms break completely under Shor's algorithm. A quantum computer could recover private keys from public keys in polynomial time.
Signal, ProtonMail, and iMessage are actively retrofitting post-quantum algorithms (ML-KEM, PQXDH) into their key exchange layers. This is a complex, multi-year migration with backwards-compatibility challenges.
Why Henedo doesn't need to
Henedo's architecture never uses asymmetric key exchange. Your password is the root of trust, derived through Argon2id (symmetric, hash-based) into a KEK that wraps your Master Key. No public keys, no key exchange, no Diffie-Hellman.
Shor's algorithm has nothing to attack. The only asymmetric crypto in the entire system is Ed25519 + ML-DSA-65 for Eternal Vault integrity signatures, and ML-DSA-65 is already a NIST-standardised post-quantum algorithm (FIPS 204).
The mathematical bottom line
NIST Post-Quantum Security Level 1 requirement: 128-bit security Henedo data encryption (AES-256-GCM): 128-bit PQ security ✓ Henedo key derivation (Argon2id): Hash-based, immune ✓ Henedo domain separation (HKDF-SHA-256): 128-bit PQ security ✓ Henedo vault signatures (ML-DSA-65): NIST FIPS 204 ✓ Asymmetric algorithms vulnerable to Shor's: RSA used by henedo: NOWHERE ECDH used by henedo: NOWHERE ECDSA used by henedo: NOWHERE X25519 used by henedo: NOWHERE Verdict: Henedo's data protection is quantum-safe today. Not planned. Shipped.
Shipped in production today
- AES-256-GCM data encryption (128-bit Grover security)
- Argon2id KEK derivation (64 MB, hash-based, immune to Shor)
- HKDF-SHA-256 domain separation
- SHA3-512 vault integrity hashes (256-bit Grover security)
- ML-DSA-65 (NIST FIPS 204) hybrid signatures on every Eternal Vault
- @noble/post-quantum v0.2.x library, audited and open
On the roadmap, in the open
Contact key delivery currently uses a classical entropy split (24 chars on the metal card + 20 chars by email). Argon2id at 256 MB keeps real-world brute force off the table even at quantum-reduced search spaces; even so, ML-KEM (NIST FIPS 203) for the email_part transport is the next step we are tracking publicly.
Most ZK competitors have not shipped any post-quantum primitives to consumers yet. We have shipped the layers that protect data at rest and Eternal Vault signatures, the layers most users care about, and we are explicit about which layers are next.
Open Verification
Open source.Reproducible. Audited.
Trust claims without verification are marketing. We publish our cryptographic code, our build process, and our audit reports so anyone can confirm that what runs in your browser matches what we describe.
Open-source cryptographic layer
The entire crypto module is published as an open-source package. Every function that derives keys, encrypts data, wraps FEKs, generates COTKs, and zeroes memory is fully readable. No obfuscation, no proprietary wrappers.
Files: aes.ts, argon2.ts, hkdf.ts, fek.ts, cotk.ts, evik.ts, session.ts, ask.ts, webauthn.ts, shamir.ts, escrow.ts, worker.ts, metadata.ts, encoding.ts
Reproducible builds with integrity verification
Every release publishes SHA-256 hashes of all JavaScript bundles. A verification CLI lets anyone clone the tagged source, build it locally, and compare output hashes against what our CDN serves. If they differ, someone tampered with the build.
Deterministic Vite builds · Pinned dependencies · npm ci · SRI (Subresource Integrity) attributes on all script tags
Third-party security audits (published in full)
Independent security firms review our cryptographic protocol, Web Crypto API usage, server-side ciphertext-only storage, and Master Key lifecycle. We publish the full audit report: not a summary, not a press release, the actual PDF.
Scope: protocol review · implementation audit · server-side verification · key management lifecycle · penetration testing
Server-side proof: database column audit
Our database schema is public. Every column that stores user data is documented: which ones hold ciphertext (EMK, EFEK, encrypted_bundle), which hold non-secret metadata (kdf_salt, IVs), and which hold plaintext (email, contact names needed for DMS operations). No hidden columns.
Tables: user_kdf_params · vault_files · journal_entries · trusted_contacts · eternal_vaults · eternal_vault_inheritors
Questions
Security FAQEverything you want to know.
Ready to start?
Your legacy isworth protecting.
Start with a free will. Upgrade when you need the vault, the M-DISC backup, or the geographic redundancy. Every tier is covered by the same zero-knowledge architecture described on this page.