Frequently Asked Questions

Kintity uses a "Blind Escrow" model via Envelope Encryption. Your records are encrypted locally on your device using AES-256-GCM before the payload is transmitted to our servers. The unique key used to encrypt your data is then wrapped by enterprise-grade hardware security modules. We store only ciphertext and wrapped keys. Without proper authorization through our strict release protocol, the data remains mathematically meaningless.

Each record in your vault is encrypted with a unique Data Encryption Key (DEK) generated on your device. That DEK is securely transmitted to our backend for a fraction of a second, where it is wrapped under a unique Key Encryption Key (KEK) dedicated specifically to you and stored inside a dedicated, high-security key management system. We store the wrapped DEK and the encrypted payload. This ensures your key management is handled by world-class infrastructure while keeping the process frictionless for your beneficiaries.

Attackers would obtain encrypted ciphertext and wrapped keys. They cannot decrypt your records because the actual key unwrap operation is strictly enforced by programmatic access policies and requires verified, authenticated user sessions. The architecture leverages top-tier cloud security to ensure a database breach does not result in a data leak.

No. Kintity employees only have access to our servers, which hold ciphertext and wrapped keys. Access to the Key Management System required to unwrap those keys is governed by strict programmatic IAM roles tied to automated user and beneficiary authentication workflows. Manual decryption by employees is impossible.

We do not use master passwords. Identity is handled entirely by passwordless authentication protocols, and your vault encryption is managed transparently via our key management system. This eliminates the risk of you forgetting a master password and losing your entire vault.

Your encrypted records are stored on geographically distributed, enterprise-grade infrastructure. Kintity uses redundant storage with write-ahead logging and point-in-time recovery to prevent loss. For additional redundancy, large encrypted file attachments are stored in a separate object-storage system with independent replication. At no layer is plaintext stored or accessible.

Passwords are one of the most reliably weak links in digital security. Kintity eliminates passwords entirely. Instead, identity is established through passkeys (fingerprint, face, or device PIN) with sign-in links sent to your verified email as a fallback, backed by an enterprise-grade identity provider. This protects against password reuse and credential stuffing.

We offload all identity and authentication to a world-class identity provider. This means your login sessions, passkeys, and sign-in links are secured by the same infrastructure that protects billions of accounts worldwide.

Because we use standard, world-class identity providers, you can rely on standard account recovery procedures to regain access to your email. As long as you can access your primary email address, you can access your Kintity vault.

No. One of the primary reasons we use the Envelope Encryption escrow model is so that your beneficiaries do not need to manage complex cryptographic keys. They simply authenticate using the email or phone number you registered for them, and our system securely manages the decryption delivery automatically.

While sign-in links are highly secure, we strongly recommend securing your personal email account with a passkey or hardware security key. Access to your primary email constitutes access to your identity in the Kintity system.

Yes. Passkeys are the primary sign-in method on Kintity. Your passkey uses the WebAuthn standard and binds your login to your physical device via fingerprint, face, or PIN. Every new account is required to register a passkey during onboarding.

Kintity is designed for sensitive personal and financial records: bank account details, insurance policies, investment and demat accounts, loan documents, property deeds, vehicle documents, business agreements, digital credentials, identity documents, medical instructions, and private notes and letters. Essentially anything that a trusted person would need access to if you were unavailable.

Yes. Each vault record supports encrypted file attachments—PDFs, images, scanned documents, and similar formats. Files are encrypted on your device before upload, stored as ciphertext in our object storage, and versioned. You can update or replace attachments at any time.

Yes. Records are versioned. When you update a record, a new version is created and encrypted. Kintity retains previous versions for a configurable period so you can review historical entries. Only the latest version is surfaced to beneficiaries during a release.

No. Document preview and content indexing require server-side decryption, which is architecturally impossible on Kintity. Your files are stored and served as encrypted bytes. The platform never parses, OCRs, or reads the content of your attachments.

Record and storage limits depend on your plan. Refer to the Plans page for current limits. All plans include meaningfully generous storage for typical personal and financial record sets. If you have enterprise-scale requirements, contact us at enterprise@kintity.com.

Yes. Records are typed by category (financial, identity, insurance, credential, legal document, etc.) and can be tagged and labelled for your own organisation. Categories also determine the default release protocol applied—high-sensitivity categories like financial and credential records require additional verification before release.

From the Beneficiaries section of your vault dashboard, you can add a beneficiary by their name, verified email address, and phone number. You then map specific records to each beneficiary. A beneficiary only sees records explicitly mapped to them—they have no visibility into the rest of your vault.

Yes, and this is one of the core design principles of the platform. Record-level mapping means you can share your insurance policy with your spouse, your business agreements with your business partner, your investment accounts with your adult children, and your private letter with whomever you choose—independently and without cross-visibility.

Kintity supports several release triggers. The primary trigger is a missed heartbeat: a scheduled liveness check that you respond to periodically. If you miss a configurable number of checks, the platform marks your account for release review and initiates the verification workflow. You can also configure time-lock triggers and manual release requests. All triggers are configured by you, in your dashboard.

A heartbeat check is a periodic notification sent to you—by email or phone—asking you to confirm you are active. The check interval, the number of missed checks before escalation, and the escalation contacts are all configured by you. This mechanism ensures that inactivity over a meaningful period initiates the continuity process, rather than requiring an external event like a death certificate.

Beneficiaries must complete a verification flow before accessing released records. Depending on the vault record type, this may involve confirming their identity through their registered contact details, completing an identity verification step, or providing a claim code generated by your vault configuration. High-sensitivity record types require more stringent verification. No released record is accessible without successful verification.

Yes, at any time before a release is triggered. You can add, remove, or modify beneficiary mappings, update contact details, and change which records are assigned to whom. Once a release has been completed and records delivered, revocation of that specific delivery is not possible, though you can prevent future releases.

Kintity maintains an immutable audit log of all release events, including timestamps, verification steps completed, delivery confirmations, and any errors. For disputes, contact our support team with the claim details. We can provide the audit trail to verify what was sent, when, and to which verified contact.

Your audit log is an immutable, time-stamped record of every significant action in your account: logins, failed login attempts, record creation and edits, beneficiary changes, heartbeat responses, and release events. It is available in your account settings. It cannot be deleted or edited by anyone, including Kintity.

Go to your account security settings immediately and revoke all active sessions. This will force re-authentication on all devices. Change your authenticator app setup if you believe your device is compromised. Then contact security@kintity.com describing the situation. Our team will review the audit log and assist you.

Account deletion is available from your account settings. Upon confirmed deletion, all vault records, ciphertext, metadata, and session data are permanently destroyed from our systems within 30 days, in line with our data retention policy. Because records are encrypted with keys only you hold, deletion is irreversible. Ensure you have exported any records you wish to retain before initiating deletion.

Yes. Kintity Softech Private Limited is incorporated in India and our platform is designed to comply with the Digital Personal Data Protection Act, 2023 (DPDP Act) and the Information Technology Act, 2000. We have a designated Grievance Officer accessible via grievance@kintity.com and by phone during business hours. Data principal rights—including access, correction, and erasure—are supported through our contact process.

Yes. Kintity offers a free tier that allows you to store a limited number of records, add one beneficiary, and configure basic heartbeat settings. The free plan is designed to let you evaluate the platform and set up your most critical records without any financial commitment.

Yes. All new accounts start on the free tier automatically—no credit card required at signup. Paid plan features are visible and can be explored; they activate when you upgrade. You can take your time to evaluate whether the platform meets your needs before committing.

We accept major credit and debit cards, and UPI for Indian users. All payment processing is handled by a PCI-DSS compliant payment provider. Kintity does not store your card details.

If you downgrade or do not renew, your account moves to the free tier. Records that exceed the free-tier limits become read-only—you can view and export them, but cannot add new records until you are within the free-tier limits or upgrade again. Your data is never deleted due to a lapsed subscription.

We offer family plans that allow multiple linked accounts with shared beneficiary management, and enterprise plans for organisations with team administration, centralised billing, and volume storage. Contact enterprise@kintity.com for enterprise pricing and requirements.