Data Protection & Backups

Your secrets are backed up every day, automatically, with no action required on your part. This page covers the full technical detail. For a summary, see the backup section on our security page.

What’s protected

All vault encryption keys — the master keys that protect your TOTP secrets
All encrypted TOTP secrets — your actual 2FA codes (always stored encrypted, never plaintext)
Your full account data — user records, vault metadata, device registrations, approval audit logs, shared links

Backup schedule

Tier	Frequency	Retention
Daily	Every night	7 days
Weekly	Every Sunday	4 weeks
Monthly	1st of each month	3 months

Daily backups use incremental sync. Every Sunday, a full verification scan runs to catch anything the incremental might have missed. This is a self-healing safety net.

Storage layers

Your data lives in multiple independent storage layers, each with its own durability guarantees, plus an off-site backup tier on a separate cloud provider. Beyond our infrastructure, your device itself acts as an additional copy.

Layer	What it holds	Redundancy model
Relational database	User accounts, vault metadata, token records, device registrations, audit logs	Managed database with automatic replication across the provider’s edge network
Object storage	Encryption keys (AES-256-GCM master keys) and encrypted TOTP secret blobs	Distributed object store with built-in redundancy across multiple availability zones
Key-value cache	Sessions, rate-limit counters, metadata cache	Ephemeral by design — not backed up, reconstructed on demand from the database
Off-site backup	Full database exports and encryption keys	Separate cloud provider, separate geographic region. Encryption keys are immutable for 90 days (Object Lock). Database snapshots retained as 7 daily, 4 weekly, 3 monthly.
Your device	Cached tokens, locally generated secrets	Persisted on-device and included in your iCloud or Google account backup if enabled

The only data not replicated off-site is the ephemeral cache, which holds no secrets and rebuilds itself automatically.

Defense in depth — five independent layers

Your device Cached tokens + OS backup (iCloud/Google)

Key-value cache Ephemeral — rebuilds on demand

Object storage Encryption keys + encrypted TOTP blobs

Relational database Accounts, vault metadata, audit logs

Off-site backup Separate provider · 90-day Object Lock

Each layer fails independently. Off-site backup is immutable — even a full compromise can't delete it.

Immutable key storage

Your encryption keys are stored in immutable, versioned storage with 90-day Object Lock governance mode in a separated cloud account on a redundant provider from the production environment. This means:

Once a key is written, it cannot be deleted or overwritten for 90 days — not by us, not by an attacker, not by accident
Every change creates a new version; previous versions are preserved and protected
Even in a worst-case compromise scenario, your historical key material remains intact

Database backups are stored in a separate versioned bucket with lifecycle-managed retention.

Recovery scenarios

Scenario	What happens	Estimated recovery time
Single table corruption	Restore from latest backup	Minutes
Key material restoration	Restore from immutable storage	Minutes
Full database rebuild	Rebuild from off-site backup	15–30 minutes

Maximum potential data loss: 24 hours (the window between nightly backups). Your device may hold more recent data than the last backup.

What this means in practice

Single-component failure (database corruption, object storage outage): The other layers remain available. Recovery from backup takes minutes.
Full production provider outage: All durable data exists independently on a second provider. Full rebuild takes 15–30 minutes.
Both cloud providers fail simultaneously: Your device still holds a cached copy of your tokens. You retain access to your 2FA codes.
You lose your phone: Your tokens exist in our production infrastructure and off-site backups. Sign in on a new device and sync. If your phone backup (iCloud/Google) is enabled, local app data may also restore automatically. For Locked Vault users: our backups protect your encrypted data, but only your recovery key can decrypt it. Save your Emergency Kit →
You lose your phone AND both providers fail: If your phone backup is enabled, your device backup provider becomes the last line of recovery.
Malicious tampering: Object Lock on key material prevents deletion or modification for 90 days, even with full administrative access to the backup infrastructure.

Recovery cascade — what catches you when things fail

Database corruption Other storage layers remain live → restore from latest backup in minutes

Full provider outage Everything exists independently on second provider → full rebuild in 15–30 min

Both providers fail Your device holds cached tokens → you still have local access

Phone lost Cloud Vault: web dashboard. Locked Vault: OS backup or Emergency Kit

Malicious tampering Object Lock prevents deletion for 90 days — even with full admin access

Monitoring

Every backup run sends a status notification to our operations channel. Failures trigger immediate alerts. The backup phases are independent — if one fails, the other still completes.

Backup & your plan

FactorCat Backup is included for all accounts. Free accounts should also save their recovery phrase and rely on phone/OS backup (iCloud, Google) as a primary safety net.

See pricing for full plan details.