Key takeaways
- India's DPDP Act governs domestic users; GDPR and CCPA apply to EU and California residents
- Encrypted bytes are replicated across three AWS regions for durability — not for decryption access
- Jurisdiction limits what a government can compel; zero-knowledge limits what we can hand over
- Server location is about availability and compliance — your vault key never leaves your device
One of the questions we get from security-conscious users is: where exactly does my data live, and why? For a continuity product — one that may need to survive for decades — jurisdiction and infrastructure decisions are not just engineering choices. They are part of the promise.
Jurisdiction and the continuity mission
Inktally is incorporated in India. We operate under the Digital Personal Data Protection Act (DPDP). We chose this deliberately: India has a large, growing middle class whose digital estate planning needs are underserved, a robust engineering talent base, and a legal environment we understand and can operate within transparently.
Being India-based also means we are not subject to US CLOUD Act provisions, UK investigatory powers, or EU GDPR (though we comply with GDPR principles voluntarily for users in those jurisdictions). A court in any of those jurisdictions cannot compel us directly.
The three-region storage model
Encrypted user data is stored in three AWS regions: ap-south-1 (Mumbai) as primary, with ap-southeast-1 (Singapore) and eu-west-1 (Ireland) as secondaries. All three are synchronously replicated for our most important data (vault metadata, keypairs); document ciphertext is asynchronously replicated.
Three-region redundancy means Inktally can survive the total loss of any single region — a full datacenter failure — without data loss and with minimal downtime. For a continuity product, losing data because of an infrastructure failure would be a profound betrayal of the product's premise.
Why Ireland?
The eu-west-1 secondary gives European users a geographically close replica for latency purposes and provides geographic diversity against a regional outage affecting the Asia-Pacific zones simultaneously.
See this in practice.
Your vault is encrypted before it leaves your device. Inktally never sees your keys.
Try Inktally freeWhat this means for subpoenas
In zero-knowledge mode, a subpoena served to Inktally produces opaque ciphertext and auth verifiers. The auth verifiers are one-way hashes — they cannot be reversed to obtain passwords. The ciphertext is encrypted with keys we have never held. We would comply with a lawful order by producing exactly what we have: bytes that are useless without the user's password.
We publish a transparency report annually detailing any legal demands received and our response. We have not received any to date.
Our commitments
We commit to: keeping data in these three regions unless we notify users at least 90 days in advance; publishing all legal demands in our transparency report; never implementing a backdoor for any government; and providing a full, decryptable export any time a user requests one, regardless of account status.
These are not just policies — they are constraints we have built into the architecture. In zero-knowledge mode, a backdoor is not something we could implement even if compelled: the keys we would need to install it never exist on our systems.