Aftr asks you to trust it with things that matter. Your vault is encrypted end-to-end. We cannot read it. Your family receives it only when a quorum of your chosen guardians confirms the time has come.
Every item you add to the Vault is encrypted using AES-256-GCM before it leaves your device. AES-256 is the same standard used by financial institutions and government agencies worldwide.
The “GCM” part stands for Galois/Counter Mode. It provides both confidentiality (no one can read the data) and integrity (any tampering is detected). If anyone were to intercept your encrypted vault, they would see only random bytes.
The encryption key is derived from your passphrase using PBKDF2, a key-strengthening algorithm. The key is computed on your device. Aftr never sees it.
“Zero-knowledge” means Aftr cannot read your vault, even if we wanted to. This is not a policy choice. It is a technical reality.
Your encryption key is derived on your device from your passphrase. Aftr stores only the ciphertext: the locked box, not the key. Our servers have no mechanism to decrypt what you have stored.
This design has a real consequence you should understand: if you forget your passphrase and lose your recovery phrase, Aftr cannot restore your vault. We have no copy of your key. The guardian quorum system exists partly to address this: your guardians hold encrypted shards that can restore access in a verified loss event.
You invite up to five Life Guardians: trusted people, typically a mix of family and friends. When the time comes, a quorum of three must agree before the vault is released.
This uses a technique called Shamir's Secret Sharing. Your vault access key is mathematically split into five shards. Any three shards can reconstruct it. Fewer than three cannot. Each shard is encrypted separately to that guardian's public key, so Aftr cannot read any shard.
The quorum requirement protects against two failure modes: a single guardian going rogue (one cannot act alone), and a single guardian becoming unavailable (you do not need all five).
The attestation process also requires a death certificate or coronial order. The quorum then votes. Only after the quorum is reached and the 72-hour dispute window closes does the vault open. At no point does Aftr initiate or override this process.
All Aftr data is stored in AWS ap-southeast-6, a New Zealand region. Your vault, your Life Story, your family tree: all of it stays in New Zealand.
We chose this deliberately. For a product that holds the sensitive records of New Zealand families, offshore storage felt wrong. Your data is subject to New Zealand law, not the laws of a foreign jurisdiction.
Aftr Limited is bound by the New Zealand Privacy Act 2020 and the twelve Information Privacy Principles (IPPs) it sets out. A detailed description of how we handle your personal information is in our Privacy Policy.
Key points:
You can export everything in your vault at any time. If you cancel your membership, or if Aftr ever closes, you receive a full export window. Annual members receive at least one year's notice.
The vault export includes your encrypted data in a documented format. You are never locked in.