Security at Heirloom
Your data is encrypted in transit and at rest. Access is controlled by authenticated sessions and row-level security.
Encryption & Architecture
Heirloom uses industry-standard cryptography to protect data in transit and at rest, paired with strict per-user access controls at the application layer.
AES-256 at Rest
All stored data is encrypted at rest using AES-256 managed through AWS KMS — the same encryption standard used by leading financial institutions and government agencies.
TLS 1.3 in Transit
Every connection between your device and Heirloom is protected by TLS 1.3, the latest transport security standard. Data is never sent over the wire unencrypted.
Row-Level Security
Per-user data isolation is enforced in the database itself: every query is scoped to the authenticated user's identity, so one account can never read another account's data.
Authenticated Sessions
Access requires a verified email and password. Sessions auto-expire after inactivity, every protected request is checked at the edge, and sensitive credentials are additionally encrypted at the application layer.
Breach Protocols
Encryption at rest means a stolen disk yields only ciphertext, not plaintext. On top of that, we maintain rigorous protocols to detect, contain, and communicate any incident with full transparency.
Detection
Our infrastructure logs activity continuously and surfaces anomalies through cloud-native monitoring across the application, database, and edge layers.
Containment
When we confirm an incident, we follow our internal response process to isolate affected systems, revoke any compromised credentials, and prevent further exposure.
Notification
We notify affected users as soon as we confirm an incident and understand its scope. Notifications include what happened, what data was involved, and the steps we are taking.
Recovery
We document each incident internally — root cause, impact, and remediation — and share what we learn with affected users so they can make informed decisions.
Data Protection
Beyond encryption, we enforce strict operational controls and audited administrative access to maintain a high standard of data stewardship.
Access Controls
Internal administrative access is limited to a small number of authorized engineers and protected with multi-factor authentication.
Audit Logging
Sensitive operations performed in our admin tooling — such as account changes — are recorded in an append-only audit log alongside the actor and timestamp.
Continuous Review
We patch dependencies on an ongoing cadence, monitor for known vulnerabilities, and review our codebase for security issues as part of every release.
Infrastructure Security
Heirloom runs on enterprise-grade cloud infrastructure (Supabase / AWS) with built-in DDoS protection, network segmentation, and continuous infrastructure monitoring.
Security FAQs
Our infrastructure continuously logs activity and surfaces anomalies for review. If we confirm an incident, we contain the affected systems and follow our incident response process to investigate the scope and notify affected users.
We will notify affected users as soon as we confirm an incident and understand its scope. The notification will include what happened, what data was involved, and the steps we are taking.
All stored data is encrypted at rest with AES-256. A stolen disk or compromised storage layer would yield ciphertext, not your plaintext records. Combined with row-level security and authenticated sessions, an attacker would need to defeat multiple layers to reach usable data.
A small number of authorized engineers retain administrative access to the production database for support and maintenance. We do not browse user data as a matter of policy, and per-user access controls (row-level security) prevent any user account from reading another user's data through the application. Administrative actions taken through our admin tooling are recorded in an audit log.
Your encrypted data is stored on enterprise-grade cloud infrastructure (Supabase / AWS) with strict network segmentation and continuous monitoring.
Ready to get started?
Be among the first families to secure their digital legacy.
Your data, your control. Read our Privacy Policy