Security First
Privacy-First, by Design
Every feature in MissCaps was built around a single principle: your content must be mathematically inaccessible to anyone who shouldn't have it.
Only you — and your designated recipients — can ever read your capsules.
Our servers hold ciphertext. Our engineers cannot decrypt your content, even under legal compulsion. This isn't a policy — it's a mathematical guarantee built into the architecture.
Missed Contact Switch
Automatic delivery when you go missing
Set your "miss days" — the threshold between your last check-in and when capsules are delivered. Choose from 7, 14, 30 days, or any custom value ≥ 3 days.
The system sends a warning email one day before the threshold. If you still don't check in, delivery begins. An optional Secondary Confirmer can review the situation before final delivery, preventing false triggers.
Once triggered, each recipient receives a secure 6-character delivery link via email or SMS. The link works in any browser — recipients don't need the app.
At a glance
- Configurable miss days (3–∞)
- Warning email 24 h before trigger
- Optional secondary human confirmation
- Per-recipient unique delivery links
End-to-End Encryption
Your content is encrypted before it leaves your device
When you activate a capsule, a random 256-bit Content Encryption Key (CEK) is generated in memory on your device. All content — text, images, and video — is encrypted with AES-256-GCM before upload. The ciphertext reaches our servers; plaintext never does.
The CEK itself is wrapped with your RSA-2048 public key, and for each recipient a separate copy is wrapped with a key derived from their verification answer (PBKDF2 + AES-GCM). This means multiple recipients can each independently unlock content with their own answer.
Your private key is protected by a 6-digit privacy PIN. The PIN derives a key via PBKDF2 (SHA-256, 100,000 iterations), which is used to AES-GCM-encrypt the private key. This encrypted blob is the only private-key material we store.
When you set a Privacy PIN, the app generates 8 one-time recovery codes. If you ever forget your PIN, you can use a recovery code to reset it without losing any data — the recovery process re-encrypts your private key entirely on-device. Our servers never see your PIN or the plaintext private key at any point.
At a glance
- AES-256-GCM content encryption
- RSA-2048 key wrapping
- PBKDF2 (100k rounds) PIN derivation
- Server never holds plaintext or PIN
- 8 one-time recovery codes for PIN reset
- Recovery re-encrypts on-device — zero server knowledge
Blockchain Proof
Tamper-proof integrity via Solana Memo transactions
When you save a capsule, we compute a SHA-256 fingerprint of the title, content, and all file hashes. This proofHash is written to the Solana blockchain as a Memo transaction, creating an immutable timestamp.
Recipients can click the verification badge on their delivery page to open the transaction on Solana Explorer. The app re-computes the fingerprint locally and compares it to the on-chain value — any tampering breaks the match.
File bytes can also be re-downloaded and independently hashed. If CORS prevents direct download, the hash-consistency check (title + content + stored file hashes) still provides strong integrity guarantees.
At a glance
- SHA-256 fingerprint on Solana
- Publicly verifiable transaction
- Recipients verify independently — no trust required
- Blockchain timestamp proves creation date
Zero-Knowledge Server
The server stores ciphertext — nothing else
Our architecture is designed so that even a full database breach reveals no plaintext. The server stores: bcrypt(privacyPinHash), the AES-GCM-encrypted private key, and the RSA-encrypted CEK for each capsule. None of these can be decrypted without your privacy PIN.
At a glance
- PIN never transmitted to server
- Private key stored only encrypted
- Server-side content is mathematically unreadable
- Recipient keys independent of PIN
Secondary Confirmer
A human safety net before delivery
Designate one trusted person as your Secondary Confirmer. When the miss-days threshold is reached, instead of immediately triggering delivery, MissCaps sends your confirmer a unique verification link.
Your confirmer sees how many days since your last activity and can take one of two actions: Confirm Missing (triggers all capsule deliveries immediately) or All Is Fine (resets your last-activity timestamp, as if you just checked in).
If your confirmer doesn't respond within the configured wait period (1, 3, or 7 days), delivery proceeds automatically — so a non-responsive confirmer doesn't block the system.
At a glance
- Optional per-account configuration
- Confirmer receives an email or SMS
- Choose 1, 3, or 7 day wait window
- Auto-triggers if confirmer doesn't respond
Ready to Secure Your Memories?
Download MissCaps for free and create your first capsule in minutes.