You Deserve to Know Where Your Documents Are
When you upload a will, an insurance policy, or the contents of a crypto wallet to Legati, you are trusting us with some of the most sensitive information you own. We think you deserve a clear, honest explanation of exactly where that data lives, how it is protected, and what happens if something goes wrong. This article covers all of it — without the marketing gloss.
Two Regions, Fully Separate
Legati operates two completely independent infrastructure regions: one in the United States and one in the European Union. They do not share data, and they do not replicate to each other. Each region is a separate deployment with its own databases, storage and keys; the only thing the two have in common is the software they run.
This is not just a technical decision; it is a legal requirement. Under the EU's General Data Protection Regulation (GDPR), personal data belonging to EU residents may be transferred outside the EU only if specific transfer conditions are met (an adequacy decision, standard contractual clauses, or another safeguard from Chapter V of the regulation). Legati avoids the question entirely by keeping EU user data exclusively on EU infrastructure and US user data exclusively on US infrastructure. Your data never crosses an ocean.
When you create a Legati account:
- If you sign up at legati.co — your data is stored entirely within the United States.
- If you sign up at legati.nl — your data is stored entirely within the European Union.
The two systems run identical software, but they have entirely separate databases, separate file vaults, and separate encryption keys. Neither region can see the other's data.
US Region: New York and San Francisco
The US region runs on two servers in separate geographic locations — one in New York and one in San Francisco. Both servers are active and handling real traffic simultaneously. A global load balancer distributes incoming requests between them, so if one server becomes unavailable for any reason — hardware failure, a data centre issue, network disruption — the other continues serving your requests within seconds, automatically.
The two US servers stay in sync through database replication. New York is the primary for writes: every transaction committed there is streamed to San Francisco using MariaDB GTID (Global Transaction ID) replication over an encrypted tunnel, and the replica applies it as soon as it arrives. Under normal load the replication lag is close to zero, so both servers reflect the same data almost all of the time. Unless semi-synchronous replication is enabled, MariaDB replication is asynchronous: the primary does not wait for the replica before acknowledging a write, so a transaction committed moments before a primary failure may not yet have reached the other site. GTID replication is widely used by financial and e-commerce platforms to keep data consistent across sites.
EU Region: Amsterdam and Frankfurt
The EU region mirrors this architecture. Two servers — one in Amsterdam, the Netherlands and one in Frankfurt, Germany — run in parallel behind a content delivery and failover layer that automatically routes EU traffic to whichever server is healthy. As with the US region, the Amsterdam server replicates in real time to Frankfurt via GTID replication over an encrypted connection.
Both EU servers are housed in data centres that meet ISO 27001 security standards and comply with EU data sovereignty requirements. Your data does not leave the European Union.
File Storage: Primary Vault and Redundant Backup
Files you upload to Legati — your will, your documents, your video messages — are not stored directly on the web servers. They are stored in a dedicated object storage vault in the same region as your account, separate from the application layer.
Every uploaded file is written to two independent vaults simultaneously:
- A primary vault hosted within your region (US or EU), used for day-to-day file serving.
- A redundant backup vault hosted at a separate, independent storage provider — a completely different infrastructure stack with no shared components.
If the primary vault experiences an outage, files can be served from the backup. An outage is not data loss: even if both vaults were unreachable at the same time, your encrypted file would still exist on both storage systems. A failed write to the backup vault is treated as non-fatal: the upload still succeeds and your file is safe on the primary. The flip side is that such a file has only one copy until its backup copy is written.
Files in both vaults are stored encrypted (see the next section), so a compromise of either storage provider yields only ciphertext. Decrypting a file requires your account credentials and the encryption material derived from them, which is not stored in recoverable plaintext for routine platform access.
AES-256-GCM: What That Actually Means
Every file you store with Legati is encrypted using AES-256-GCM. Let's break that down:
- AES — Advanced Encryption Standard. Adopted by the US government in 2001, it is the global standard for symmetric encryption and is used by financial institutions, militaries, and intelligence agencies worldwide.
- 256 — the key length in bits. A 256-bit key has 2²⁵⁶ (roughly 10⁷⁷) possible values. Trying even a minute fraction of them is beyond any conceivable computing capability, and there is no known practical attack against AES-256.
- GCM — Galois/Counter Mode. This is an authenticated encryption mode. It does not just encrypt your data; it also computes a 128-bit authentication tag (a message authentication code, not a proof) over the ciphertext. On decryption the tag is recomputed and compared. If even a single byte of an encrypted file has been altered in storage, the check fails, decryption is refused and the tampering is detected.
Legati encrypts files in chunks, with a unique 96-bit initialisation vector (IV, also called a nonce) per chunk, so each section of a file is encrypted and authenticated independently and a damaged chunk is pinpointed rather than invalidating the whole file. Two properties matter for any chunked GCM design. The IV must never repeat under the same key, because GCM with a reused nonce leaks the XOR of the two plaintexts and lets an attacker forge tags. And each chunk's position in the file must be bound into its tag (for example as associated data); otherwise chunks could be reordered or dropped without failing authentication. Sensitive fields in your account, such as your notepad contents and secure items like wallet addresses and PINs, are also encrypted individually at the database level, not just at the file level.
Your Key, Not Ours
Your encryption material is tied to your account and password flow, and it is not kept in recoverable plaintext for routine platform access. When you log in, Legati derives what it needs for your active session and discards session-only material when you log out.
This has an important implication: the key that protects your files exists only while you are logged in and cannot be recreated without your password, so if you forget your password, recovery options may be limited. Store your password somewhere safe, keep your recovery settings current, and consider naming a delegate who has access instructions for emergencies (more on delegates below). The design is meant to reduce the exposure of your files if infrastructure is compromised: a copy of the vault or the database yields ciphertext without the key needed to read it.
Encryption in Transit
All communication between your browser or app and Legati's servers is encrypted using TLS 1.2 or higher; your files never travel over an unencrypted connection. A file travels over the TLS channel to our servers and is written to encrypted storage, and the file encryption key is never stored in a form from which it could be reconstructed.
The Legati mobile app adds a further layer: certificate pinning. The app only accepts connections to servers presenting Legati's own TLS certificates, so even if someone managed to intercept traffic and present a fraudulent certificate (one issued by a compromised or coerced certificate authority, for example), the app refuses the connection outright. This protects against man-in-the-middle attacks that could otherwise intercept data between the app and our servers. The trade-off is operational: pins must be updated in the app before the server's certificate (or, more robustly, its public key) changes, and a backup pin for a spare key kept offline is what keeps an emergency certificate replacement from locking every installed app out.
High Availability: What Happens When a Server Goes Down
Single-server architectures are fragile. Any server can fail — hardware dies, kernels crash, data centres lose power. We designed Legati so that no single server failure can affect your access to your data.
Here is what happens when a server in the US region becomes unavailable:
- Our load balancer detects the failure through continuous health checks running every few seconds.
- Within seconds, all incoming traffic is routed to the healthy server in the other location.
- You see no interruption. Requests that were in flight are retried automatically.
- The failed server is automatically removed from the active pool until it recovers.
- When it comes back online, it rejoins the pool and resumes receiving traffic.
The same process applies to the EU region. Two servers, two locations, automatic failover. The system is designed to handle a complete data centre outage without any action required from our team.
Database Replication: Real-Time Synchronisation
Your account data — files list, notes, secure items, delegate settings, subscription — lives in a database. Within each region, that database is replicated in real time between the two servers using GTID replication: every transaction committed on the primary is shipped to the secondary and applied there as soon as it arrives.
The replication connection runs over an encrypted SSH tunnel between servers. Port 3306 (the database port) is never exposed to the internet. The only way to reach the database is through the encrypted tunnel from an authorised server. There is no external path to the database, even from within our own team's machines.
We monitor replication continuously. If the replication thread falls behind or stops, alerts fire automatically. Nightly automated tests verify the integrity of the replication chain on both regions.
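An added example of the kind of monitoring this section describes (my illustration, not Legati's tooling): it parses the output of MariaDB's SHOW SLAVE STATUS\G on the replica, compares the GTID position the replica has received with the primary's gtid_binlog_pos, and returns the alerts that should fire. The sample output, the 10.8.0.1 address, the positions and the thresholds are constructed for the example, and the alert policy is an assumption; the point it makes is that Seconds_Behind_Master alone can read 0 while the replica is quietly missing transactions, so the GTID gap is checked as well.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// ParseStatus turns the "Field: value" lines of SHOW SLAVE STATUS\G into a map;
// the row separator and any line without a colon are skipped.
func ParseStatus(out string) map[string]string {
	fields := map[string]string{}
	sc := bufio.NewScanner(strings.NewReader(out))
	for sc.Scan() {
		if k, v, ok := strings.Cut(strings.TrimSpace(sc.Text()), ":"); ok {
			fields[k] = strings.TrimSpace(v)
		}
	}
	return fields
}

// gtidSeqs maps each replication domain in a MariaDB GTID position string
// ("0-1-12345,1-2-77", i.e. domain-server-sequence) to its sequence number.
func gtidSeqs(pos string) (map[uint64]uint64, error) {
	seqs := map[uint64]uint64{}
	if pos = strings.TrimSpace(pos); pos == "" {
		return seqs, nil // a fresh replica reports an empty position
	}
	for _, g := range strings.Split(pos, ",") {
		parts := strings.Split(strings.TrimSpace(g), "-")
		if len(parts) != 3 {
			return nil, fmt.Errorf("malformed GTID %q", g)
		}
		domain, err1 := strconv.ParseUint(parts[0], 10, 64)
		seq, err2 := strconv.ParseUint(parts[2], 10, 64)
		if err1 != nil || err2 != nil {
			return nil, fmt.Errorf("malformed GTID %q", g)
		}
		seqs[domain] = seq
	}
	return seqs, nil
}

// TransactionsBehind counts transactions in the primary's gtid_binlog_pos that
// the replica's position does not cover. Seconds_Behind_Master reads 0 whenever
// the SQL thread is idle, so a replica that has quietly stopped receiving
// events looks healthy by that number alone; a GTID gap cannot be masked.
func TransactionsBehind(primaryPos, replicaPos string) (uint64, error) {
	p, err := gtidSeqs(primaryPos)
	if err != nil {
		return 0, err
	}
	r, err := gtidSeqs(replicaPos)
	if err != nil {
		return 0, err
	}
	var behind uint64
	for domain, pseq := range p {
		if rseq := r[domain]; rseq < pseq {
			behind += pseq - rseq
		}
	}
	return behind, nil
}

// CheckReplication returns the alerts that should fire for one replica, given
// its parsed status and the primary's current gtid_binlog_pos.
func CheckReplication(st map[string]string, primaryPos string, maxLagSec int, maxTxBehind uint64) []string {
	var alerts []string
	if st["Slave_IO_Running"] != "Yes" || st["Slave_SQL_Running"] != "Yes" {
		alerts = append(alerts, "thread stopped: IO="+st["Slave_IO_Running"]+" SQL="+st["Slave_SQL_Running"])
	}
	for _, k := range []string{"Last_IO_Error", "Last_SQL_Error"} {
		if st[k] != "" {
			alerts = append(alerts, k+": "+st[k])
		}
	}
	// NULL (replica not connected) fails Atoi and alerts just like excess lag.
	if lag, err := strconv.Atoi(st["Seconds_Behind_Master"]); err != nil || lag > maxLagSec {
		alerts = append(alerts, "Seconds_Behind_Master="+st["Seconds_Behind_Master"])
	}
	switch behind, err := TransactionsBehind(primaryPos, st["Gtid_IO_Pos"]); {
	case err != nil:
		alerts = append(alerts, err.Error())
	case behind > maxTxBehind:
		alerts = append(alerts, fmt.Sprintf("replica has not received %d primary transactions", behind))
	}
	return alerts
}

// healthySample is constructed output in the shape of SHOW SLAVE STATUS\G;
// the address and positions are illustrative.
const healthySample = `*************************** 1. row ***************************
               Slave_IO_State: Waiting for master to send event
                  Master_Host: 10.8.0.1
             Slave_IO_Running: Yes
            Slave_SQL_Running: Yes
                Last_IO_Error:
               Last_SQL_Error:
        Seconds_Behind_Master: 0
                  Gtid_IO_Pos: 0-1-12345`
```

Feed CheckReplication the replica's status and the primary's position from a scheduled job; with healthySample and a primary at 0-1-12345 it returns nothing, while a primary at 0-1-12350 raises a five-transaction gap even though the reported lag is still 0.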
Nightly Backups
In addition to real-time replication, full database backups run nightly at 1:00 AM local time on each region's primary server. Backups are encrypted and stored in the region's secure storage vault, separate from the live database. This gives us a recovery point that replication alone cannot: a corrupt write or an accidental deletion is replicated to the secondary within moments, so the replica is no protection against it, but the nightly backup is. Restoring from it returns the database to its state at the time of that backup, so changes made after the most recent nightly run are not recovered by it.
Firewall and Intrusion Protection
All four servers run a multi-layer security stack:
- Network firewall — only ports 22 (SSH), 80 (HTTP), and 443 (HTTPS) are open to the internet. All other ports are blocked at the network level.
- fail2ban — automatically detects and bans IP addresses that attempt brute-force login attacks. A 26-hour ban is applied after repeated failed attempts, and our own administrative IP addresses are permanently whitelisted so we are never accidentally locked out.
- IP blocklist — a nightly-updated blocklist of known malicious IP ranges (compiled from multiple reputable threat intelligence sources) is loaded at application startup. Requests from blocked ranges are rejected before they reach the application layer.
- Rate limiting — all API endpoints and form submissions are rate-limited per IP. This prevents automated scraping and limits the impact of brute-force attempts against login or registration flows.
- PHP hardening — dangerous PHP functions (shell execution, file inspection, process control) are disabled at the server level on all production servers. Even if an attacker found a code-execution bug, the usual routes to running system commands would be closed to them. This raises the bar substantially rather than eliminating the risk, which is why it sits alongside the other layers rather than replacing them.
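The blocklist and rate-limiting layers above are easy to get subtly wrong behind a load balancer, because every connection then arrives from the balancer's own address and a naive per-IP limiter throttles the balancer instead of the client. The Go middleware below is an added example (my own code, not Legati's, which the article does not show) that checks a CIDR blocklist before anything else and applies a per-client token bucket, taking the client address from X-Forwarded-For only when the connection comes from a trusted proxy range and ignoring the header otherwise. The CIDRs, the rate and burst values and the request samples are constructed for the example.

```go
package main

import (
	"math"
	"net"
	"net/http"
	"strings"
	"sync"
	"time"
)

// Guard sits in front of the application: blocklist first, then a token bucket.
type Guard struct {
	blocked, trustedProxies []*net.IPNet
	ratePerSec, burst       float64
	mu                      sync.Mutex
	buckets                 map[string]*bucket
}

type bucket struct{ tokens float64; last time.Time }

// mustCIDRs parses startup config; a malformed blocklist entry is a fatal error.
func mustCIDRs(cidrs []string) []*net.IPNet {
	nets := make([]*net.IPNet, 0, len(cidrs))
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic("bad CIDR " + c + ": " + err.Error())
		}
		nets = append(nets, n)
	}
	return nets
}

func NewGuard(blockCIDRs, proxyCIDRs []string, ratePerSec float64, burst int) *Guard {
	return &Guard{blocked: mustCIDRs(blockCIDRs), trustedProxies: mustCIDRs(proxyCIDRs), ratePerSec: ratePerSec, burst: float64(burst), buckets: map[string]*bucket{}}
}

func inAny(ip net.IP, nets []*net.IPNet) bool {
	for _, n := range nets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// ClientIP decides whom the policy applies to. Behind a balancer every TCP peer
// is the balancer, so the client must come from X-Forwarded-For; the header is
// believed only when the peer is a trusted proxy and is walked from the right,
// so only hops appended by trusted proxies count. Anyone else's header is ignored.
func (g *Guard) ClientIP(r *http.Request) net.IP {
	host, _, _ := net.SplitHostPort(r.RemoteAddr) // always host:port on a real connection
	peer := net.ParseIP(host)
	if peer == nil || !inAny(peer, g.trustedProxies) {
		return peer
	}
	hops := strings.Split(r.Header.Get("X-Forwarded-For"), ",")
	for i := len(hops) - 1; i >= 0; i-- {
		if ip := net.ParseIP(strings.TrimSpace(hops[i])); !inAny(ip, g.trustedProxies) {
			return ip // nil for a missing or malformed hop, which Allow rejects
		}
	}
	return peer
}

// Allow returns the HTTP status the request should get; the clock is a parameter
// so the bucket arithmetic can be tested without sleeping.
func (g *Guard) Allow(ip net.IP, now time.Time) (int, string) {
	if ip == nil {
		return http.StatusBadRequest, "unparseable client address"
	}
	if inAny(ip, g.blocked) {
		return http.StatusForbidden, "address in blocklist"
	}
	g.mu.Lock()
	defer g.mu.Unlock()
	b, ok := g.buckets[ip.String()]
	if !ok {
		b = &bucket{tokens: g.burst, last: now}
		g.buckets[ip.String()] = b
	}
	b.tokens = math.Min(g.burst, b.tokens+now.Sub(b.last).Seconds()*g.ratePerSec)
	b.last = now
	if b.tokens < 1 {
		return http.StatusTooManyRequests, "rate limit exceeded"
	}
	b.tokens--
	return http.StatusOK, ""
}

func (g *Guard) Middleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if code, reason := g.Allow(g.ClientIP(r), time.Now()); code != http.StatusOK {
			http.Error(w, reason, code) // rejected before the application runs
			return
		}
		next.ServeHTTP(w, r)
	})
}
```

Wrap the application's handler with Middleware and the rejection happens before any application code runs. The bucket map grows with the number of distinct clients, so a production version evicts idle entries; that housekeeping is left out here.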
Multi-Factor Authentication
Legati supports hardware security key authentication (YubiKey and any FIDO2-compatible key) as a second factor for login. With MFA enabled, your account cannot be accessed with a password alone — a physical device must be present at login. This protects your account even if your password is compromised in a data breach at another service where you reused it.
We strongly recommend enabling MFA on your Legati account, particularly if it contains documents you would not want anyone else to access.
Delegates: Controlled Access Without Shared Passwords
One of the hardest problems in personal data security is the emergency access problem: how do you ensure a trusted person can reach your documents if you are incapacitated, without giving them unrestricted access to your account right now?
Legati's delegate system solves this. You name a delegate — a spouse, a sibling, an attorney — and set an access window. When you activate delegate access, that person receives a secure link that gives them read access to the files you have made available. They do not receive your password. They cannot change your settings or upload files. Access is logged and audited.
For estate planning purposes, this means your executor can access your will, insurance details, and financial account information at exactly the moment they need it — without you having to leave credentials written on a sticky note or stored in an email.
What We Cannot See
It is worth being explicit about what Legati staff can and cannot access:
- Your files — encrypted with a key derived from your password. We cannot read them at rest; the key exists only in memory while you are logged in.
- Your notepad and secure items — encrypted at the field level in the database. We cannot read them.
- Your password — never stored. We store a bcrypt hash. We cannot reverse it.
- Your encryption key — derived from your password at login, held only for the duration of your session and never written to disk. Once you log out, we do not have it.
What we can see: your email address, your name, your subscription status, the file names and sizes of your uploaded files (not their contents), and your account activity log. This is the minimum necessary to operate the service.
A Note on Trust
Security is ultimately a question of trust, and trust has to be earned. We have tried to build a system where you do not have to trust us blindly. The encryption architecture means that a copy of our storage or our database yields only ciphertext, so your files stay protected even if those systems are compromised. The regional separation means EU data stays in the EU regardless of what happens in the US. The dual-server setup means a single failure cannot make your data unavailable.
We have described our architecture in detail in this article because we believe you should understand exactly what you are relying on. If you have specific questions about any aspect of our security model, reach out — we are happy to go deeper.
Start your free 7-day trial and see for yourself how Legati keeps your most important documents safe.