Security at Memoari

Every document, message, and piece of sensitive data you store in your vault is encrypted using AES-256-GCM before it is written to our database. This is the same standard used by the US National Security Agency for top-secret information and by every major bank in the world.

Encryption happens before your data is stored. When you retrieve it, it is decrypted for display and then discarded from memory. At no point does unencrypted data rest on our servers in a retrievable form.

When you store a password or account credential in your digital asset vault, it is encrypted on your device before being transmitted to our servers. We receive only ciphertext — we never see the plaintext password.

This is called a zero-knowledge architecture: even Memoari staff with full database access cannot read your stored passwords. If you forget a stored password, we cannot recover it — because we never had it. This is by design.

Our database uses Supabase Row Level Security (RLS). Every query is filtered at the database level by your authenticated user ID. Even if an attacker bypassed our application layer, they could only retrieve rows belonging to their own authenticated session.

RLS policies are written in SQL and enforced by the database engine, not our application code. This provides a defence-in-depth guarantee that is independent of our API logic.

When a beneficiary receives access to your vault, we issue a one-time cryptographic access token. These tokens are time-limited, single-use, and generated using a cryptographically secure random number generator.

Tokens cannot be guessed by brute force — they are 256 bits of entropy. Once used, a token is immediately invalidated. Links cannot be shared or reused. Every access is logged with a timestamp and the requestor's identity.

All communication between your browser and Memoari's servers uses TLS 1.2 or higher. We enforce HTTPS on all endpoints, redirect HTTP to HTTPS, and use HTTP Strict Transport Security (HSTS) headers.

We achieve an A+ rating on SSL Labs. Our TLS configuration disables known-vulnerable cipher suites and supports only modern, forward-secret key exchange.

You can revoke any beneficiary's access at any time, change your unlock contacts, modify death-trigger conditions, and lock your entire vault instantly from any device.

Memoari staff have no administrative override for vault contents. We cannot open your vault on your behalf, read your documents, or override your contact designations. Your vault is yours.