A family vault that
outlives families
and outlives companies.
We promise that the stories you upload will still be accessible to your grandchildren — and theirs. That word, FOREVER, is on the box. Here's what stands behind it.
Twelve layers of protection. Transparent about what's built. Honest about what's planned.
Family stories build resilient children
Children who know more of their family's narrative — the stories of their grandparents, the highs and lows of their parents' lives, the shape of where they come from — show higher resilience, stronger sense of identity, and better outcomes on a range of psychological measures.
— Marshall Duke and Robyn Fivush, Emory University, The "Do You Know" scale. Duke, M. P., Lazarus, A., & Fivush, R. (2008). Knowledge of family history as a clinically useful index of psychological well-being and prognosis: A brief report.
MSFV exists because of this research. The 100-year promise isn't a marketing line — it's an obligation to the children and grandchildren who will need these stories long after their grandparents are gone. Everything else in this page is the technical and structural substrate that makes the promise credible.
Twelve layers of protection
Each layer protects against a specific failure mode. Single layers fail; stacks don't.
Shared family stewardship
Up to five Guardians share responsibility for your vault. No single owner whose departure dooms the family's memories. Anyone can leave; nobody can hold the rest hostage.
A 14-day window before any deceased-status takes effect
If someone declares you deceased — by accident, by malice, by a misunderstood email — you get fourteen days to log in and say "no, I'm here." One click reverses the declaration entirely.
A Friend Guardian role separate from family
Some stories belong with friends, not family. You can nominate Friend Guardians during your lifetime — separate people, separate authority. Family Guardians have no power over friend-circle content. The privacy boundary is absolute.
Tiered consent on destructive Guardian actions
No Guardian acts alone. Three or more must agree by simple majority. Two must be unanimous. A sole Guardian needs a seven-day cool-off where any vault member can object. By design, harm requires consent.
Every uploaded file remembers its creator forever
When someone uploads a photo, that "uploadedBy" attribution becomes permanent. Not even Guardians can rewrite it. Mum stays credited for the photos she added — for the rest of time.
90-day grace on every deletion
Nothing disappears immediately. A deleted story sits in "Recently Deleted" for ninety days, fully recoverable. Underlying media files stay in storage as long as anyone else references them. The system protects against everyone's bad afternoon.
Branching — leave without taking other people's stories
If you decide to leave a vault, you take everything you uploaded and nothing else. The source vault keeps working for the family members staying behind. Other people's stories that reused your photos? Still work. No collateral damage.
Multi-cloud backups with legally-immutable retention
Your stories live on Firebase (Google Cloud) by default. Every day, a copy is mirrored to AWS S3 and Backblaze B2 — three separate companies, three separate accounts. Daily snapshots are protected for 90 days, weekly for a year, monthly for seven years. The protection is "Compliance" mode — even MSFV staff with admin credentials cannot delete or modify these backups within the retention period.
Stored in your jurisdiction
Australian and New Zealand vaults live in Sydney. UK and Irish vaults live in London. The default is US multi-region. Where your family's stories live matters — for GDPR, for sovereignty, for your peace of mind.
Every action is visible
Every sign-in, every export, every Guardian action gets recorded in an audit log visible to all vault members. A Guardian who hides a story can't do it quietly. Member notifications fire on every destructive action. Transparency makes bad behaviour expensive.
Proven restoration
A separate Firebase project — msfv-restore-sandbox — exists permanently. We drill the restoration process regularly. Any backed-up vault can be brought back end-to-end into the sandbox for testing or recovery. Backups that can't be restored aren't backups.
A planned Trust to outlive the company
When MSFV reaches a sustainable subscriber base, we will establish an Independent Trust — a separate legal entity, governed by independent trustees, holding both vault custody AND the controlling voting share of MSFV the operating company. The Trust's mandate is the mission. The mission is the 100-year promise. (This is planned, not yet established — see Transparency section below.)
What we commit to — and what we don't
A promise without specifics is marketing. Here are the specifics.
What it commits us to
- Content preserved and restorable for at least 100 years from upload
- Multi-cloud backups across three independent vendors and three regions
- Backward-compatible storage formats — old content remains accessible as the platform evolves
- Family-governable through Guardian stewardship, not company-controlled
- Audit transparency, deceased-member protections, and Guardian quorum maintained as long as the platform runs
What it doesn't commit us to
- Run the exact same UI for 100 years (the wrapping will evolve)
- Keep every feature available forever (deprecated features may be retired with notice; content access is preserved)
- Adjudicate inheritance disputes between family members (Guardian quorum handles most cases; legal disputes are out of scope)
- Protect against cryptographic destruction by an account holder encrypting their own data
- Eliminate platform risk before the Trust exists — until then, the promise rests on multi-cloud resilience plus company intent
What we're being honest about
Some of the layers above are aspirational. We'd rather you know which.
The Independent Trust
Strategic priority. Will be established when subscriber revenue funds operations for 5+ years on its own. Until then, the 100-year promise rests on technical resilience plus company intent. Both architecture documents internally are explicit about this gap.
Five-year dormancy detection
The scheduled detection job exists and writes dormancy alerts. The flow that lets Family Guardians act on those alerts is being observed and refined; full automation pending a few months of real-world data.
Manual deceased declaration admin tool
The next-of-kin support path now has a proper admin interface, including reversal of mistakenly-pending declarations and clearing dormancy alerts.
Acceptance scenario walk-through (S1-S10)
Ten real human scenarios documented as a formal test plan against the architecture. Manual end-to-end walk-through against a sandbox vault is the next operational step.
The piece that protects you from us
MSFV is a real company with real risks. We could be sold. We could be acquired by an entity whose priorities don't match the mission. A future board could look at the 100-year guarantee and the multi-cloud backup architecture and see "expensive commitments to cut." This is the standard playbook of acquisition-driven growth, and it's the most likely way that companies built on long-term promises break them.
It's worth thinking about who actually owns the platforms holding your family's history. Several of the largest family-history and DNA-archive services are now majority-owned by private equity firms — entities whose business model is typically a four-to-seven-year hold-and-exit cycle, not multi-generational stewardship. The customers whose family records, DNA, and photos are held by those services were not part of the acquisition decisions and have no structural voice in the next one. We didn't want to build that kind of platform.
The defence isn't "we'd never sell." At sufficient price, future decision-makers will face pressure to accept. The defence has to be structural: built into the company's constitution such that mission-violating moves are constitutionally constrained, not just culturally discouraged.
That's what the planned Independent Trust does. When subscriber revenue can fund operations for five-plus years on its own, we establish a separate legal entity — an Australian Public Company Limited by Guarantee, ACNC-registered — with two mandates:
- 1 Vault custody. The Trust holds independent backups and a multi-year operating reserve. If MSFV the company stops operating, the Trust keeps the vaults running.
- 2 Mission lock. The Trust holds the controlling voting share of MSFV the company, with veto rights over a defined list of mission-protected commitments — the 100-year guarantee, the audit transparency, the Guardian Model, the pricing constraints, the no-data-sale rule.
The same legal entity holds both mandates because they're the same problem in two forms: protecting member families from corporate failure, and protecting them from corporate capture. Bundling is structurally cheaper than running two trusts, and the mandates reinforce each other.
We're modelling this on Patagonia's 2022 transition (Purpose Trust + Holdfast Collective), Mozilla Foundation's ownership of Mozilla Corporation, and the Robert Bosch Stiftung's ownership of Bosch. None of these are theoretical. The Hershey Trust has literally blocked hostile acquisitions in court on the grounds they'd harm the beneficiary mission. The pattern works.
The Trust does not exist yet. The structural transition forecloses some standard capital options — conventional venture capital generally can't invest in companies where voting control sits permanently with a non-profit Trust — so the timing matters. We do it when the company can afford to forgo "growth at all costs" capital, not before. Until then, the 100-year promise rests on multi-cloud resilience and company intent.
We built this because family stories matter.
Start a free vault. Try the four-step minimum-viable setup. Take 20 minutes to read the long-term setup guide. You'll know more about what's protecting your family's memories than most people know about their bank.