Skip to content
Afterward
How it works Security Field Guide Letters Pricing
Sign in Start your binder

Trust

We hold the envelope.
We can’t open it.

Afterward is built so the only people who can read your binder are the ones you choose. Not us. Not the company that built it. Not anyone holding a subpoena addressed to us.

Below: how that works in plain language, what we do hold, and the trade-offs we made on purpose.

Read the pledge Or jump to the technical detail
A small brass key resting quietly on a folded handwritten note, in cool natural light

The pledge

  1. 01

    Your binder is sealed on your device before it ever reaches us.

  2. 02

    We do not, structurally, hold the means to open it.

  3. 03

    You can take everything with you on any plan, at any time, without our help.

The ledger

What we hold, and what we don’t.

A short, honest accounting. The left column is what sits on our servers. The right column is what never does.

We hold

  • 01

    Your sealed binder, as a closed envelope.

    We can move it, replicate it, deliver it. We cannot read it.

  • 02

    Your account email and login state.

  • 03

    When you last edited.

    No record of what you edited.

  • 04

    Your inactivity-check settings.

    How long, who to notify, whether the courtesy interval is on.

We do not hold

  • 01

    The contents of your binder.

    Not the names, not the accounts, not the documents, none of it.

  • 02

    Your sealed envelopes.

    The three things only your trusted person should ever see.

  • 03

    The keys to open any of it.

    Your device holds them. The recovery passphrase you wrote down holds them. We don’t.

  • 04

    Anyone’s access until you grant it.

Two ways your binder opens

Your phone, or the words you tucked away.

Two doors to the same room. We never made the second one optional, because the first one fits in your pocket and pockets get lost.

Door one

The phone in your hand.

When you sign in, your device proves it’s yours the same way it unlocks your banking app: your face, your fingerprint, the passcode it already trusts. From that, your binder opens.

The proof never leaves the device. We see only that the door was opened, not the key that opened it.

Used most days. Quiet, one-tap, never types a password.

Door two

A handful of words, written down.

On the day you sign up, Afterward generates twenty-four ordinary words and asks you to write them somewhere private: a safe, a wallet pocket, an envelope tucked inside a book.

Those words are the second way in. They unlock the same binder if your phone is ever lost, broken, or replaced. We do not know what they are.

Used rarely, perhaps never. There the day you need it.

Both doors open the same envelope. Not two copies of the binder, two ways to reach for it.

If something goes wrong

What happens when the phone is lost, and the harder question we won’t pretend away.

If you lose your phone

You sign in on a new device with your recovery words. Afterward verifies the words against the second door, opens the binder, and quietly enrolls the new device as another way in.

The old device, even if it’s found later, no longer holds an active key. You can revoke it from the settings page in a single tap.

If you forget the passphrase too

We can’t open it for you. Not because we won’t: because the architecture genuinely doesn’t allow it. The same property that keeps a court out is the property that keeps us out.

This is a trade-off we made deliberately. Every product that promises a way back in for the forgetful holds the means to read your data on a quiet day. We don’t want to.

The honest list

What we protect against, and what we don’t.

Every product in this category quietly hopes you don’t ask. The list below is the one we’d want you to read before you trust us with anything.

  • We protect

    A breach of our servers.

    They would find sealed binders. Without your device or your recovery words, the contents stay closed.

  • We protect

    Someone working at Afterward going looking.

    No employee, founder, or engineer can read what you wrote. The system is built so that capability does not exist.

  • We protect

    A subpoena addressed to us.

    We can hand over what we hold: sealed envelopes and account metadata. We cannot hand over what we never received.

  • We protect

    A government compelling us to open a binder.

    There is no door for us to open. We document this publicly so a court has the architecture in writing.

  • We don’t

    Your device being read while it is unlocked.

    If someone is using your phone while you’re signed in, we can’t tell the difference between you and them. Your phone passcode is your last line.

  • We don’t

    Sharing your recovery words with the wrong person.

    The words are the binder. Anyone who has them can open it. We tell you this plainly the day you make them.

  • We don’t

    A determined attacker watching your screen.

    No technology fixes shoulder-surfing. The binder’s contents are still yours to handle with care.

A paper calendar on a desk with a single quiet day marked, beside a sealed envelope

The courtesy interval

We don’t release the binder until we’re sure you can’t reach for it yourself.

If you stop opening Afterward for sixty days, we send a quiet note asking if anything has changed. A check-in, not an alarm.

If we still don’t hear from you after that, the people you named can ask to read what you left them, and you have seven days to say no. The whole interval is yours to tune longer or shorter.

Most of the time, no one ever needs this. It runs in the background like a thoughtful friend, so the binder can do what it’s there for.

A small archival packet of papers tied with linen string beside a thumb drive on a desk, ready to be carried out

If you decide to leave

Take everything you put in, the day you go.

Your binder belongs to you, not to us. At any time, you can download a complete archive: every section, every recipient assignment, every sealed envelope, in a format your family can read without our help.

The archive is sealed with your recovery passphrase, so the file in your hands isn’t legible to anyone else who gets hold of it. You hold the words; we don’t.

The day you decide we aren’t for you is the day you walk out with what you came in with. We don’t keep a copy.

The audit ledger

The work that earns the words on this page.

We did not put logos here. The category does that, and they all blur. Below is the actual schedule.

  • SOC 2 Type II

    In progress

    Audit window opened February 2026 with a regional firm specializing in consumer privacy products. Report expected mid-July.

    Target · 2026-07-15

  • Independent security review

    Selecting

    A specialist firm will review the sealed-envelope architecture and the recovery-passphrase path before v1 launch. Selection is in progress; the public summary will be linked from this page once the engagement begins.

    Engagement · pre-launch

  • Penetration testing

    Recurring

    External pen test before every named release, plus an annual full-scope test. Findings go to the engineering team and to a public changelog after remediation.

    Cadence · per release + annual

  • Security whitepaper

    In draft

    A public, plain-language description of the sealed-envelope architecture, recovery model, and threat boundaries. This is the document a court would read in lieu of asking us to open a binder we structurally cannot open.

    Publishing · with v1

For the technically curious

The same story, with the architecture in view.

Open this if you want the architecture summary, not the metaphor. It is the same story, written for a security-minded reader.

The binder key
A long random key is created on your device the moment you sign up. It seals every document in your binder. The key itself never leaves your device for our servers, not at signup, not ever.
First way in
Your device proves itself the same way it unlocks your banking app. The proof is converted into a wrapping that holds the binder key. We see only that the proof checked out, not the proof itself, and the wrapping never leaves your device unsealed. Adding a second device wraps the same binder key again, so we never have to re-seal what you already wrote.
Second way in
A 24-word recovery phrase, generated on your device the day you sign up, is run through a slow, memory-hard derivation to produce a second wrapping for the same binder key. This path is mandatory: onboarding does not finish until you confirm the phrase has been written down somewhere private.
Sealed envelopes
For the three sensitive items (your phone passcode, primary email, and password manager master), each envelope is sealed against the named recipient’s public key on your device. The sealed envelope is opaque to us. Only the recipient’s device, holding the matching private key, can open it.
Server boundary
Our servers store sealed binders, sealed envelopes, and account metadata only. No readable content moves through our infrastructure. Route handlers do not have access to user private keys; this is enforced by code review and audited end-to-end before each release.
Recovery from a single device
Lose phone, sign in with the recovery phrase, enroll the new device, and the binder key is re-wrapped for the new device. Lose both the phone and the phrase, and the binder is unrecoverable by design. This is the same trade-off Bitwarden, 1Password, and Apple Advanced Data Protection make, and we make it deliberately.

The full security whitepaper, with the cryptographic primitives named in the precise vocabulary, publishes alongside v1. If you have questions before then, write to  security@afterward.care.

Begin in five quiet minutes.

Free to start. No card. Export everything anytime, including the day you decide we’re not for you.

Start your binder