patrimo

A letter on continuity

For the next twenty years.

A vault is only as useful as its ability to outlive whoever set it up. The notes below are a quiet, plain answer to the worries that come up when you start trusting one with the things that matter most to you. We have tried to write them the way we would want them written if we were on the other side of this conversation.

“What if I forget my master password?”

Your master password derives the key that decrypts your vault, and we never see it. If you forget it, no support call from us will recover it for you. We answer this in two ways. A 24-word recovery seed, generated on signup and shown to you only once, can re-derive the same vault key when you set a new password. And from Settings, you can download a complete encrypted backup of your vault any time, to keep on a USB drive or in a safe-deposit box. With your password and that backup, your data is yours forever, even without us.

“What if your servers are compromised?”

We never see the contents of your vault. Everything you save is encrypted in your own browser, with your master password, before it ever reaches our server. We see only ciphertext. Even an attacker with full access to our servers cannot read what is inside any account. This is what “zero-knowledge” means in practice, and it is the design principle the rest of the service is built around.

“What if something happens to the person running Patrimo?”

This is the question that worries us most, because it is the one most digital legacy services answer poorly. Our answer has three parts.

A written handover document is in place that lets a named successor maintain the service long enough for users to retrieve their vaults or migrate elsewhere. The successor cannot read anyone’s vault. Their job is simply to keep the lights on.

Every trusted contact you nominate receives a printed Legacy Access Code: 24 words on a sheet of paper, kept in their own safe place. That code is what unlocks their scoped portion of your vault on release. The code travels by paper, never over email or the internet, and it works even if Patrimo as a service has stopped existing.

A written guide ships with the service that lets a technically-comfortable family member spin up a personal copy of Patrimo on any modern laptop, using your encrypted backup. It is a last-resort path, but it is a path.

“What if you send a wellness check while I am still alive?”

We try very hard not to surprise you. Before any contact of yours is ever notified, we send you two private heads-up emails: one fourteen days before, and one the day before. If you sign in and check in, the timer resets and nothing else happens. If a contact raises a concern manually, you have a seven-day grace period to cancel. The whole mechanism is biased toward giving you as many chances as possible to say “I am here”.

“What about the boring operational things?”

The web address auto-renews each year, with a backup card on file. The HTTPS certificate that puts the padlock in your browser also renews automatically. The whole service is backed up daily, with thirty days of history, so an operator mistake can be rolled back. Once a year, we email you a quiet summary of every scheduled release on your account, so you can edit, cancel, or extend anything that no longer fits your wishes. None of this is heroic. It is simply what a service worth twenty years of trust ought to do.

One thing we are still working on.

Native iOS and Android apps. Patrimo already works fully in any phone’s browser today, and your vault is just as safe there. Native apps are a comfort upgrade, not a missing piece of vault safety.

We would rather under-promise than break a twenty-year promise. This page is updated whenever any commitment moves from “working on” to “in place”.

Last reviewed 20 May 2026.