Trust & Privacy

Your record.
Your keys.

Born of clinical culture, Keepsake was built around the structural constraint that we cannot read your archive. What follows is a complete account of how that constraint works, and who verifies that we honour it.

Architecture

Private by design.
Yours to keep.

When your implant captures an experience, it encrypts the data before it leaves your body. Your unique keys to unlock that data are generated inside your implant's hardware security module, or HSM. This is a tamper-resistant chip that does not expose key material to any external process, even our own firmware.

What reaches our servers is a series of encrypted blobs. We can store them, replicate them so they don't get lost, and return them to you on request. We cannot decrypt them. A subpoena served on Keepsake would yield nothing readable, and a breach of our servers would expose nothing interpretable. It is impossible to reverse this without your participation, even through a software update.

Your search queries are processed using a zero-knowledge proof scheme. Your interface constructs a proof that a query matches an index entry without revealing the query itself to our servers. Every bit of content stays your own.

01
On-implant encryption

Sensory data is encrypted inside the hardware security module before transmission. Key material never leaves the HSM in readable form.

02
Encrypted transmission

Encrypted blobs are transmitted over TLS 1.3 to Keepsake's infrastructure. The transport layer adds a second encryption envelope.

03
Server-side storage

Our servers store only encrypted blobs. No index of plaintext. No metadata visible to Keepsake staff. Storage is audited quarterly.

04
User-held recovery key

A recovery key is generated at setup and given to you. Keepsake does not retain a copy. Loss of implant and recovery key means loss of access.

05
Zero-knowledge search

Search queries are resolved via ZK proofs and homomorphic encryption. Your query never reaches our servers in plaintext. Results are decrypted on your device.
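Steps 01, 03 and 04 above as an added Node.js sketch; this is not Keepsake's code. It assumes AES-256-GCM as the cipher and assumes the archive key is wrapped under the recovery key with the wrapped copy stored server-side, neither of which the page specifies. All function names are hypothetical and the sample record is constructed.

```javascript
const { randomBytes, createCipheriv, createDecipheriv } = require('node:crypto');

const ALG = 'aes-256-gcm'; // assumed cipher; the page does not name one
const OPTS = { authTagLength: 16 };

// Returns nonce (12 bytes) || ciphertext || tag (16 bytes).
// `label` is authenticated but not encrypted, binding each blob to its role.
function seal(key, plaintext, label) {
  const nonce = randomBytes(12);
  const c = createCipheriv(ALG, key, nonce, OPTS).setAAD(Buffer.from(label));
  return Buffer.concat([nonce, c.update(plaintext), c.final(), c.getAuthTag()]);
}

// Throws on a wrong key, a wrong label, or any modified byte.
function open(key, blob, label) {
  if (blob.length < 28) throw new Error('blob too short');
  const d = createDecipheriv(ALG, key, blob.subarray(0, 12), OPTS)
    .setAAD(Buffer.from(label))
    .setAuthTag(blob.subarray(blob.length - 16));
  return Buffer.concat([d.update(blob.subarray(12, blob.length - 16)), d.final()]);
}

// Steps 01 and 04: the device creates the archive key (inside the HSM on real
// hardware) and a recovery key for the user; only the wrapped copy leaves it.
function setup() {
  const archiveKey = randomBytes(32);
  const recoveryKey = randomBytes(32);
  return { archiveKey, recoveryKey, wrappedKey: seal(recoveryKey, archiveKey, 'archive-key') };
}

// Step 03: everything the server holds for one record.
function capture(archiveKey, id, experience) {
  return { id, blob: seal(archiveKey, Buffer.from(experience), id) };
}

// Replacement device: the recovery key unwraps the archive key, which opens the blob.
function recover(recoveryKey, wrappedKey, record) {
  const archiveKey = open(recoveryKey, wrappedKey, 'archive-key');
  return open(archiveKey, record.blob, record.id).toString();
}

// Constructed sample data: the server object never contains a usable key.
const user = setup();
const server = { wrappedKey: user.wrappedKey, rec: capture(user.archiveKey, 'rec-1', 'constructed sample record') };
console.log(recover(user.recoveryKey, server.wrappedKey, server.rec));
```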

Certification

We're audited annually,
Published in full.

We received our first ISO/IEC 27001 certification in 2019 from Bureau Veritas, a global leader in testing, inspection, and certification. The standard addresses information security management, including access controls, incident response, change management, and supplier relationships. This audit is repeated every twelve months and reviewed by the Board.

As an example, in 2021, an audit identified a side-channel risk in key derivation during firmware updates. The finding was assessed as low-severity but disclosed proactively in our annual transparency report after remediation was complete.

Certification Record

Standard: ISO/IEC 27001:2022
Certifying body: Bureau Veritas Certification
Initial certification: September 2019
Current cycle: October 2023 – October 2024
Scope: Neural recording infrastructure, Vault storage, key management systems, and all supporting software
2021 finding: Side-channel risk in key derivation during OTA firmware updates (remediated December 2021; disclosed proactively October 2021)
Audit findings since 2022: None

Independent Oversight Board

Our Board is a
Genuine authority.

The Independent Oversight Board was established in 2016 in response to growing scrutiny of the lifelogging category following several high-profile data breaches at smaller competitors. It was not established as a reputational gesture. It was established because the founders understood that a company holding 350 million people's lived experiences cannot self-govern its way to being trustworthy.

The Board has genuine authority: it can compel internal audits without prior notice, publish its findings without Keepsake's editorial review or approval, recommend product holds that the company is legally obligated to consider under our PBC charter, and access any system or record it deems relevant to its mandate. Board members are compensated independently of Keepsake's financial performance to eliminate incentive misalignment.

Tobias Veith (he/him)
Chair
Co-founder, Keepsake PBC

Veith stepped back from the CTO role in 2022 to chair the Board full-time, a transition he described as "the most important thing I can do now." His position as a founder with genuine technical authority gives the Board standing it would not otherwise have.

Dr. Patricia Osei (she/her)
Bioethics
Georgetown University, Kennedy Institute of Ethics

Dr. Osei has published extensively on the ethics of cognitive enhancement and prosthetic memory. She joined the Board in 2016 at its founding and has authored two of its five public findings.

Marcus Finley (they/them)
Civil Liberties
Former Director, ACLU Technology Project

Finley spent twelve years at the ACLU litigating surveillance and privacy cases. They joined the Board after reviewing Keepsake's zero-knowledge architecture and concluding it was "so completely different from what I usually see."

Dr. Yuki Nakamura (she/they)
Neuroscience
Stanford Memory Lab

Dr. Nakamura studies the role of episodic memory in identity formation and psychological resilience. They provide the Board with independent scientific review of Keepsake's neural recording and indexing claims.

Reena Patel (she/her)
Privacy Law
Former Senior Attorney, FTC Division of Privacy and Identity Protection

Patel spent nine years at the Federal Trade Commission enforcing data privacy law. She joined the Board in 2018 and led the review that resulted in the 2021 critical finding disclosure.

James Kuyper (he/him)
Patient Advocacy
Memory Disorders Alliance

Kuyper represents the patient community from which Keepsake's technology emerged. His role is to ensure that the Board's decisions remain grounded in the interests of users who depend on the Vault for medical reasons.

Data sovereignty

What you own. What we can't do.

You own
  • Your complete archive, in its entirety, at any time
  • The cryptographic keys that decrypt your archive
  • The right to permanent deletion, verifiably executed
  • The right to export your full archive in an open format
  • The right to transfer your archive to a successor service
We cannot do
  • Read, process, or analyse your archived experiences
  • Sell, license, or share your data in any form
  • Comply with a data request we technically cannot fulfill
  • Retain data after confirmed deletion beyond 30 days
  • Use your archive for training any model or system

Note on deletion: Permanent deletion means permanent. Because our architecture is zero-knowledge, we have no way to recover an archive after confirmed deletion. We will ask you to confirm three times before proceeding. We will send you your recovery key as a reminder. We are required by our PBC charter to inform you of this consequence before you act.

Transparency

Annual oversight reports.

The Independent Oversight Board publishes an annual report covering the year's audit activities, any security findings, its recommendations to Keepsake, and Keepsake's response to each recommendation. These reports are published without Keepsake's editorial approval. What the Board found and what we did about it is below.

Year   Published        Findings   Recommendations   Status
2025   March 2026       0          2                 Published
2024   February 2025    0          2                 Published
2023   March 2024       0          3                 Published
2022   February 2023    0          1                 Published
2021   January 2022     1          4                 Published
2020   March 2021       0          2                 Published
2019   February 2020    0          2                 Published

Full report PDFs are available at the link below. Reports are published by the Board and are not hosted by Keepsake.

"The record belongs to the person who lived it. Always."

Maren Solberg, Cambridge, MA, 2009
