SECURITY MODEL
We built this so we cannot read your letters. Even if we wanted to.
[01] CLIENT-SIDE ENCRYPTION
Your message is encrypted in your browser before it leaves your device. We receive only ciphertext — a meaningless sequence of bytes without your key.
Encryption: AES-256-GCM. Key generation: WebCrypto API (native browser).
[02] KEY DELIVERY — WE NEVER SEE YOUR KEY
● TIME UNLOCK: Your key is embedded in the URL fragment (#key=...). URL fragments are never sent to servers by design — HTTP specification.
● PASSPHRASE: Your key is derived from your passphrase via PBKDF2 (250,000 iterations). The passphrase never leaves your device. We store only a random salt.
● RANDOM STRANGER: Key is embedded in the delivery link generated client-side.
● EMAIL DELIVERY: If you designate an email recipient for dead man's switch trigger, that address is encrypted server-side using AES-256-GCM before storage. We use a server-held secret for this encryption — meaning we could theoretically decrypt recipient addresses if compelled to. We store no plaintext email addresses at any point. Recipient addresses are deleted alongside the letter upon delivery or expiry.
[03] ONE-READ ENFORCEMENT
The moment a recipient fetches your payload, it is scheduled for deletion. Opening the same letter twice returns HTTP 410 — Gone. We do not keep copies. There is no archive.
[04] EPHEMERAL STORAGE
Payloads are stored encrypted in Cloudflare Durable Objects. Every letter has a hard expiry — maximum 90 days. Expired letters are deleted automatically by a server-side alarm. We do not have a database. There is no "user table".
[05] NO ACCOUNTS, NO LOGS
DeadLetter has no login system. We do not know who you are. We do not log IP addresses beyond what Cloudflare's infrastructure requires.
[06] THREAT MODEL — WHAT WE CANNOT PROTECT AGAINST
+--------------------------------------+-----------------------------------------------------------------+
| THREAT                               | PROTECTED?                                                      |
+--------------------------------------+-----------------------------------------------------------------+
| Server compromise                    | ✓ Yes — only ciphertext stored                                  |
| Key in URL intercepted (HTTPS MITM)  | ✓ Yes — HTTPS prevents this / Hash fragments stay client-side   |
| Recipient's device compromised       | ✗ No — out of scope                                             |
| Browser extension reading DOM        | ✗ No — client-side trust boundary                               |
| Legal compulsion to retain data      | ✓ Partial — nothing to retain, but we'd comply with orders      |
+--------------------------------------+-----------------------------------------------------------------+
[07] KEEP THE LIGHTS ON
Running a zero-knowledge service costs money we don't make from your data. DeadLetter has no ads. No tracking. No investors.
Infrastructure costs are real: Cloudflare Workers process every sealed letter, every ping, every delivery. They charge per request — and we pay so you don't have to register.
If DeadLetter has been useful to you — a cathartic draft, an insurance policy, a letter to your future self — consider buying us a coffee.
100% goes to Cloudflare bills and caffeine. Nothing else.
[08] EMAIL DELIVERY
When a dead man's switch triggers, DeadLetter uses Resend (resend.com) to deliver a notification email to your designated recipient. The email contains a one-time link — not the decrypted content. Your message remains encrypted until your recipient opens the link and provides the correct passphrase or follows the key link.
Resend processes the delivery. Their privacy policy applies to the act of sending. We pass only: recipient address, letter ID, and a delivery URL. No message content is ever transmitted to Resend.
This security model is honest, not absolute. For life-critical secrets, consult a security professional.
DeadLetter is not a substitute for legal counsel or professional whistleblowing channels.