Choosing a provider

Questions to ask anyone who holds your legacy

Including us. Whatever you choose (a service, a lawyer, a fire safe), these six questions separate architecture from marketing. Any provider worth decades of your trust should answer all of them in writing.

1. If the company disappears tomorrow, can my family still recover everything?

Why it matters. Any service in this category asks you to trust it for decades. Companies rarely last decades. If the honest answer is "no," everything else on this list is decoration.

Our answer. Yes, by design and by proof. The vault uses open formats (SLIP-39, age, tar), the recovery tool is one open-source file mirrored in four places, and recovery runs offline with no AmberKey involvement. The complete answer, with verification steps, is the continuity page.

2. Can employees, or a subpoena, read what I stored?

Why it matters. Anything a provider can read, an attacker, an insider, or a court order can read too. "We take security seriously" is not an architecture.

Our answer. No. Everything is encrypted on your device before it reaches us; the server holds ciphertext, contact routing, and timestamps. What a subpoena can get (and the metadata it would reveal) is itemized honestly in the threat model.

3. Do the people I trust need an app, an account, or a payment?

Why it matters. Your circle might include a 74-year-old parent and an attorney. Every app they must install and keep updated for years is a point of failure you cannot see.

Our answer. No. Circle members hold a printed card and get an email link when something needs them. No installs, no accounts, no charges. Ever, including during recovery. how it works.

4. Could anyone get in early, while I am still alive?

Why it matters. A single trusted person with standing access is a coercion and betrayal risk. So is a provider who can be talked into "helping" someone with a convincing story.

Our answer. No single person can. Recovery needs enough cards from enough groups, only after repeated missed check-ins, and it starts a waiting period during which one tap from you cancels everything. Collusion by your whole quorum is the honest residual risk, and we say so in the FAQ.

5. Are the formats open, so recovery still works in twenty years?

Why it matters. Proprietary vault formats are a bet that one company outlives you. File formats outlive companies only when they are public specifications with independent implementations.

Our answer. Yes. SLIP-39 secret sharing, age v1 encryption, tar archives: each has multiple independent implementations that can do the recovery without any AmberKey software. Specs and code are open source.

6. What happens when I stop paying?

Why it matters. A legacy service that turns into a hostage-taker at the first failed charge protects the company, not your family. Read the lapse policy before the marketing.

Our answer. The watch continues for twelve more months, your bundles stay downloadable, and your printed cards and the offline tool never expire. Leaving is free because we never hold anything you cannot take with you. Details on the pricing page.

Use this list against us first. Every claim above links to the page that proves it, and the recovery-critical parts are open source, so you don't have to take our word for any of it. If another provider answers all six well, they deserve your consideration too.