How Exit Protocol works

Think of it as a safe deposit box with a timer. Everything you put inside is encrypted in your browser before it ever reaches the server, using a key that only you hold. The server stores ciphertext it cannot read.

The “exit” part is the dead man's switch: a recurring check-in you confirm on a schedule you choose. Miss enough check-ins — through several reminders and warnings — and the vault is automatically delivered to the recipients you nominated. It's built for estate planning, emergency access, and handing off critical credentials if something happens to you.

Creating your vault (3 steps)

1. 1
   Verify your email

   Enter your email and we send a 6-digit code. No account exists until you confirm it, so typos can't lock you out.
2. 2
   Enter the code

   Type the code from your inbox. It expires after a few minutes for security.
3. 3
   Set a master password

   Choose a strong password (12+ characters, mixed case, a symbol). A strength meter guides you. This password is stretched into your encryption key right here in the browser — it is never transmitted.

Unlocking and locking

To return, choose Unlock and enter your email and master password. Your key is re-derived locally and the vault opens in that browser only. Use the Lock button (top-right) whenever you step away — locking wipes the key from memory, so anyone at your screen sees nothing.

A vault is a container for related secrets. You can hold several. Inside each vault you store typed items:

• Credentials

  Logins for email, social accounts, password managers, servers, crypto wallets and more — with structured fields, masked passwords, and slots for 2FA backup codes.
• Notes

  Free-form encrypted text — instructions, recovery phrases, a letter.
• Files

  Any file, encrypted in the browser and uploaded as an opaque blob. Each account has a storage quota for encrypted bytes.

Every item's title, fields, notes and file contents are encrypted with that vault's key before upload. The server only ever holds ciphertext — it can't tell a banking password from a grocery list.

A recipient is someone who should receive a vault on delivery. You add them per-vault with a name and email. When you do, the app generates a unique random Delivery Key for that recipient and uses it to wrap (re-encrypt) the vault key — entirely in your browser.

That wrapped copy is what makes hand-off possible without ever exposing your master password. Each recipient gets their own key, so you can revoke one without affecting the others. Revoked recipients are skipped at delivery time.

The switch escalates in stages. At any point before the final step, a single check-in resets everything back to active. You configure four windows on the Switch page:

• Check-in interval — how often you must confirm you're around.
• Stage 1, 2, 3 grace — the days between each escalating reminder once a check-in is missed.
• Emergency contacts — up to two optional people notified at stage 2 as a backstop.

Total time before delivery = interval + stage 1 + stage 2 + stage 3 days.

The timeline, step by step

1. Active

   You're checking in on schedule. Nothing happens. The countdown shows your next due date.
2. Check-in due (Stage 0)

   You passed the interval. We email you a reminder and open the Stage 1 grace window.
3. Stage 1 overdue

   Still no check-in. A firmer reminder goes out and the Stage 2 window opens.
4. Stage 2 — final warning

   Emergency contacts are now notified too. The Stage 3 window — your last chance — opens.
5. Triggered

   Stage 3 elapsed. The switch fires and delivery begins.
6. Delivered

   Each active recipient is emailed a unique, time-limited delivery link.

Check-ins, escalations and delivery are all recorded in the audit log so you have a tamper-evident history of every state change.

When the switch triggers, a background job issues one single-use link per active recipient and emails it to them. Here's the recipient's experience:

1. 1
   They open their link

   The link is cryptographically signed and tied to that one recipient. Used or expired links stop working.
2. 2
   They request a code

   A 6-digit verification code is emailed to confirm they control the address.
3. 3
   The vault decrypts in their browser

   After the code checks out, the server hands over the wrapped vault key and the recipient's Delivery Key. They're combined locally to unlock the vault — decryption happens only in their browser, never on the server.
4. 4
   They save what they need

   Items render with labelled fields and masked secrets. They can copy values, download individual files, or grab everything as a single zip (all files plus a plaintext details file). The link won't work again afterward.

You can rehearse this safely: an owner-initiated test delivery routes the verification code to you, the owner, instead of the real recipient — so you can confirm the whole flow works without anyone else being involved.

Exit Protocol has one paid plan: £15 / $15 / €15 per year (localised at checkout, plus any applicable tax). Everything that involves only you is free forever:

• Free — create an account, store unlimited credentials, notes and files, configure the dead man's switch, and send yourself a test unlock email to rehearse the retrieval flow.
• Subscription — everything that delivers your vault to other people: adding recipients and the automatic delivery itself.

Payments are handled by Paddle, our merchant of record — we never see your card details. You can subscribe, renew, change your payment method or cancel from the Billing page.

Cancelling doesn't cut you off early: delivery stays enabled until the end of the year you already paid for.

Exit Protocol is zero-knowledge: the server is designed so it cannot read your secrets even if fully compromised. Here's the chain of keys, all built in your browser.

How your key is derived

1. 1
   Master password → Stretched Master Key

   Your password (salted with your email) is run through Argon2id (64 MB memory, 3 iterations, 4 lanes) — a deliberately slow, memory-hard function that makes brute-forcing impractical.
2. 2
   HKDF → Encryption Key + Auth Token

   That stretched key is split with HKDF into two independent values: an Encryption Key that never leaves your device, and an Auth Token used only to prove who you are.
3. 3
   Random Vault Key encrypts your data

   Each vault has its own random Vault Key, used with AES-256-GCM to encrypt every item. The Vault Key itself is stored server-side only after being wrapped by your Encryption Key.

Other safeguards

• Sessions use short-lived signed JWTs; locking discards your in-memory key immediately.
• Delivery links are HMAC-signed, single-use, time-limited, and gated behind a second email code check.
• Delivery keys at rest are themselves AES-256-GCM encrypted on the server.
• Recipient decryption happens entirely in the recipient's browser — the plaintext never touches the server.

Quantum resistance

A common worry for anything you expect to protect data for decades: will a future quantum computer break it? For Exit Protocol the answer is reassuring, and it comes down to the kind of cryptography we chose.

The headline quantum threat — Shor's algorithm — breaks asymmetric crypto like RSA and elliptic curves. Exit Protocol doesn't use those to protect your data at all. Every key that guards your vault is symmetric (AES-256-GCM) or a one-way function (Argon2id, HKDF, HMAC-SHA256). The best known quantum attack on those, Grover's algorithm, only halves their effective strength — leaving AES-256 at a still-unbreakable ~128-bit security level. So your stored secrets stay safe.

Want the engineering-level detail — exact parameters, the delivery escrow design, and what every breach scenario would actually yield? Read the full technical security breakdown.