Shutdown Policy

Last updated: 2026-06-26 · This policy is part of our Terms of Service

Most cloud storage providers don't tell you what happens if they shut down. We do. This is the commitment we make to every paying customer.

The promise

We commit to operating Vault for at least 5 years from the date of your purchase. Beyond that period, our intent is to continue operating the service for existing customers at no additional cost for as long as it remains viable to do so — we deliberately phrase this as an intent rather than a binding guarantee, because we'd rather under-promise on a horizon five-plus years out than commit to something we cannot honestly guarantee. If we ever do need to wind down operations, we will give you at least 90 days advance notice and provide a working export tool so you can retrieve all your encrypted files and the metadata needed to decrypt them offline. Your right to export is not contingent on continued payment, on a fresh login during a specific window, or on anything other than your continued possession of your recovery key.

1. Why we make this commitment

Many "lifetime" cloud services have quietly disappeared, leaving customers locked out of their data with little warning. We've watched that happen repeatedly and decided to write the opposite policy into our contract instead.

5 years is a length we can credibly commit to. It's also long enough to be genuinely useful — most documents you'd put in a vault (tax records, insurance policies, contracts, medical paperwork) have a 5-10 year retention window in many jurisdictions. Beyond the 5-year minimum, our intent is to keep the service running for existing customers at no additional cost, but we leave that as an intent rather than a binding promise so we can be honest about what we can and cannot guarantee that far out. We'd rather promise 5 years we can deliver — plus an honest plan for what comes after — than promise "forever" and disappear.

2. What "operating" means

For the 5-year minimum operating period from your purchase date, we commit to:

3. What "winding down" means and when it might happen

Beyond the 5-year minimum, our intent is to continue operating the service for existing customers at no additional cost for as long as it remains financially viable and we believe we can continue to do so responsibly. This is a plan, not a binding guarantee — we are being deliberately careful about the difference, because we'd rather be honest about what we cannot promise five-plus years out than pretend to certainty we don't have. We will only initiate a wind-down if one of the following becomes true:

4. The wind-down procedure

Day 0 — Announcement
Wind-down announced publicly
A clear notice goes on the homepage and the dashboard. The notice includes the final shutdown date (at least 90 days out) and a clear explanation of why.
Days 0 – 90 — Export window
Export tool remains fully functional
The dashboard's "Export all" button works as normal throughout this window. We also publish a small offline decryption utility you can use to decrypt your exported files with your recovery key, in case you cannot use the in-browser decryption flow at the time.
Days 0 – 90 — No new purchases
New purchases stop on Day 0
Anyone who attempts to purchase during the wind-down sees the announcement and is redirected to a recommendation of alternative services.
Days 30, 60, 75, 85 — Reminders
Reminder banners on the dashboard
Anyone who logs in during the export window sees increasingly prominent reminders to export their files before the final date.
Day 90 — Final shutdown
Service goes offline; data deleted
The application server is decommissioned. All encrypted files in R2 are deleted. Database records are deleted. The offline decryption utility remains available indefinitely as a static download from a separate, low-cost location (e.g. a GitHub release).

5. What we will not do during a wind-down

6. What if we don't honor this policy?

If we cease operations without honoring the 90-day notice and export window, you have a legitimate breach-of-contract claim against the operator under your jurisdiction's consumer protection laws. We have written this policy specifically because we want to be held to it.

If you're concerned about this risk and want additional reassurance, the safer practice is to use the "Export all" feature periodically (e.g. once a year) to keep an offline copy of your encrypted files. That way, even an unannounced shutdown leaves you with your data.

7. The offline decryption utility

We publish a small command-line utility (under an open-source license) that can decrypt files exported from Vault using your recovery key, without needing the Vault service to be running. This utility is independent of our service and will remain available at github.com/[ORG]/vault-decrypt indefinitely.

This means: even if every server we operate goes offline tomorrow, you can still decrypt files you exported earlier. Your encryption is not contingent on our continued existence.

8. Refunds in the wind-down case

If we initiate a wind-down before the 5-year minimum operating period has elapsed, we will refund a pro-rated portion of your purchase price corresponding to the unfulfilled time. After 5 years, no refund obligation exists, since the commitment will have been fully delivered.

9. Why we publish this

Because trust is built on specific, falsifiable commitments — not on vague promises. If you're choosing between Vault and another provider, we want you to be able to compare what each of us is willing to put in writing about the unhappy path.