🔐 Trust & Security

When families store important memories, documents, and legacy materials, trust has to be earned — not assumed. This page explains exactly how IOULegacy protects your data, who can access it, and what controls you have.

🔐 Zero-Knowledge Encryption

When you enable encryption, your data is encrypted and decrypted entirely on your device using a passphrase that only you know. The server never sees your plaintext content or your passphrase.

🔑
Client-Side Encryption
AES-256-GCM encryption runs in your browser using the Web Crypto API. Your passphrase never leaves your device.
🔀
Key Splitting
Your encryption key is split into three shares using Shamir's Secret Sharing. Any two of three shares can recover your key — no single point of failure.
🚫
We Cannot Read Your Data
Because encryption happens on your device, we have no ability to decrypt your content. Even if our servers were compromised, your encrypted data remains unreadable.

🔒 Sealed Capsules & Tamper Protection

Legacy capsules are designed to be permanent once you seal them. Here is how that works:

🔏
Digital Fingerprint
Every capsule gets a unique SHA-256 hash when sealed. If even one character changes, the fingerprint changes completely. Nobody — not even us — can alter your capsule without detection.
🔒
Sealed = Locked Forever
Once sealed, content, attachments, and recipients are frozen. The digital fingerprint proves nothing was changed. You can verify this at any time.

📑 Tamper-Proof Audit Trail

Every action in your vault is recorded in a tamper-proof audit log. Each entry is linked to the previous one using SHA-256 hashing — the same concept behind blockchain verification. If anyone attempted to alter or delete an entry, the chain would break and the tampering would be immediately visible.

You can verify the integrity of your entire audit chain at any time from within the app.

🕔 Release Rules — You Decide When

Your capsules are delivered on your terms. You set the rules, and the system follows them.

📅
Date-Based
Release on a specific date you choose — a birthday, anniversary, or any date that matters.
🕰
Inactivity
If you do not log in for a period you define, your capsules are released to your designated recipients.
👥
Multi-Party Verification
Require trusted contacts to confirm before release. No single person can trigger delivery alone.
Manual
Release a capsule yourself whenever you are ready. You are always in control.

👥 Access Control & Data Isolation

Your data is stored in its own isolated partition. There is no shared database where one user's data could accidentally be visible to another. Each account is completely separate at the infrastructure level.

Only you can see your capsules, documents, and photos. Recipients see only the specific capsules you addressed to them — and only when your release rules trigger.

🛡 Infrastructure & Hosting

Active
AES-256 at Rest
All files encrypted on disk
Active
HTTPS / TLS
All connections encrypted in transit
Active
WAF Protection
OWASP & SQL injection rules
Active
AWS Hosting
U.S.-based data centers

👁 Our Privacy Commitment

No third-party analytics. We do not collect or share browsing or usage analytics data.

No data selling. We will never sell, rent, or share your personal information with advertisers or data brokers.

No AI training on your data. Your content is never used to train AI models. AI features process your content only when you ask them to, and nothing is retained.

Minimal data collection. We collect only what is needed to run your account: your name, email, and the content you choose to store.

📦 Data Continuity

We take long-term preservation seriously. Your data is stored using cloud infrastructure designed for durability. You can export all of your data at any time in a standard format. For more details, see our Data Continuity policy.

💬 Questions?

If you have questions about how your data is protected, contact us at support@ioutoday.org or visit our Support page.

IOULegacy is operated by IOUMore, LLC. Free legacy programs are provided through IOU, Inc., a registered 501(c)(3) non-profit (EIN 81-2203628).