A small handful of pieces. They do a lot.
A Safe holds your content. A Recipient is who it's for. A Trigger is what fires the release. A Pending Release window gives you a last chance to cancel. Everything else flows from those four ideas.
The Safe
A logical container for one delivery. Files, photos, voice memos, video, written notes. Encrypted on your device with a unique key. The Safe owns its own recipients, its own triggers, and its own lifecycle — independent of every other Safe in your vault.
Lifecycle states: Draft → Sealed → Pending Release → Released. (A Sealed Safe with no recipients or triggers is a personal vault — it stays sealed forever unless you decide otherwise.)
The Recipient
Each Safe can have one or more recipients. They're added by email — and verified by clicking a link before they ever receive content. Each recipient has their own per-Safe wrapped key, so removing one doesn't affect the rest.
Recipients don't see your other Safes, your other recipients, or the Safe contents — until release fires and the cooling-off ends.
The Trigger
What event causes the Safe to release? Pick one or combine several. The first one to fire wins — the Safe releases all-or-nothing.
- Releasee — a trusted person you've designated can fire the Safe on your behalf using a key you've shared with them out-of-band. The piece that makes TRS unlike anything else.
- Scheduled date — release on June 14, 2030.
- Inactivity check-in — if you go quiet for X months despite reminders, the Safe begins to release.
- Manual — you fire it yourself, today, from your phone.
The Pending Release window
When a trigger fires, the Safe enters a Pending Release state — a cooling-off period before delivery. 24 hours by default. 72 hours for inactivity-based releases. You're notified the moment a trigger fires. You can cancel with one tap during the window.
Once the window closes, delivery is irrevocable. That's the explicit, intentional commitment line. We tell you exactly when it crosses.
Encryption that doesn't trust us
Every byte of content is encrypted on your device with a per-Safe symmetric key (libsodium / NaCl, AES-256 equivalent). That symmetric key is then wrapped — once per recipient — using each recipient's public key. The wrapped keys travel with the Safe. The encrypted content blob travels alongside.
Our servers see opaque ciphertext and a list of who's allowed to receive a wrapped key. We never see plaintext. We never have a master key. If a server is breached, the attacker walks away with bytes they can't decrypt.
Two-layer recovery, by design
Your sign-in password and your encryption keys are deliberately separate.
- Sign-in password: proves who you are to our server. Recoverable by email.
- Encryption keys: decrypts your Safes. Lives in your phone's secure enclave (Face ID / fingerprint-protected). Recoverable through Designees — a small trusted circle who can vote to vouch for you.
This means a forgotten password on the same phone is a 30-second fix. A forgotten password and a new phone is a Designee-recovery fix — slower, deliberately so, with a quorum requirement and a cooling-off period. No single person, including us, can hand your encrypted content to the wrong party.
Releasee-first, recovery-fallback
If you go quiet for too long, TRS doesn't immediately release content. It first reaches out to the Releasees you've designated — your spouse, your sibling, your closest friend — and lets them confirm the situation. Only if they don't respond, or if you haven't designated any, does the system fall back to the inactivity timer.
Because the human in your life is almost always more reliable than an algorithm.
For the gritty details — threat model, key rotation, what we log and what we don't — see the Security page.
The full lifecycle of a release
From the moment you tap "Create Safe" to the moment the recipient opens it.
Draft
You build the Safe. Add files, write notes, pick recipients, configure triggers. Nothing has happened yet — content is encrypted and saved, but no triggers are armed.
Sealed
You finalize the Safe. Triggers arm. Recipients are notified that a Safe exists, addressed to them, and that it'll be delivered if/when the trigger fires. They don't see contents.
Pending Release
A trigger has fired. You're notified immediately. The cooling-off window starts. A live countdown shows you exactly when delivery becomes irrevocable. You can cancel with one tap.
Released
The window closed. Recipients are notified that their Safe is open. They sign in (or create an account in 30 seconds) and the wrapped key on the server unwraps with their device key. They see the contents. You see "Released" in your audit log.