Security
How we protect what you tell us.
Specific, verifiable details — not the vague ‘bank-level security’ you see elsewhere.
Field-level envelope encryption (AWS KMS)
Legal name, date of birth, address, social security references, beneficiary identifiers — every field that's personally identifying is encrypted with AES-256-GCM before it lands in the database. The data-encryption keys are wrapped by a per-environment AWS KMS Customer Master Key (CMK). Plaintext keys never leave Lambda RAM. The CMK has automatic rotation enabled.
Technical: AES-256-GCM symmetric encryption · AWS KMS CMK with key rotation · Envelope encryption pattern · Per-stage isolation (dev/prod CMKs are separate)
Encryption in transit and at rest
TLS 1.3 for all client-server traffic, HSTS preloaded so browsers refuse downgrades. Data at rest uses Neon's encrypted-at-rest storage with AES-256, plus our field-level layer on top of it. AWS S3 uses SSE-S3 server-side encryption with bucket-key optimization.
Technical: TLS 1.3 · HSTS preload (max-age 2 years, includeSubDomains) · Neon encryption-at-rest · S3 SSE-S3 with bucket key
Append-only audit log
Every meaningful action — will created, edited, finalized, downloaded, shared — writes a row to an audit table that has no UPDATE or DELETE path in the application code. If something happened in your account, the log can show when and by whom. Useful for any future dispute.
Technical: Append-only insert pattern · Application-layer write enforcement · Per-user query authorization
No third-party trackers on authenticated pages
Behind the login — anywhere you enter information about your will — we load zero advertising, analytics, or session-replay scripts. Marketing pages use minimal privacy-preserving analytics; authenticated pages don't even load that. The data you tell us doesn't get accidentally vacuumed up by Meta, Google, or a session-replay vendor.
Technical: No GA/Meta pixel on /dashboard, /will, /account, /admin · CSP restricts script origins
Authentication by Clerk + optional MFA
Sign-in is handled by Clerk, a dedicated identity provider with SOC 2 Type II. You can enable multi-factor authentication on your account at any time — we recommend it. Sessions are short-lived and revocable from your account settings.
Technical: Clerk with SOC 2 Type II attestation · TOTP MFA · WebAuthn passkeys (planned) · Session revocation per device
Trusted-contacts unlock at death
When you authorize someone as a trusted contact, they can request access to your finalized will after a documented event (death certificate uploaded, identity verified). The flow is auditable, time-windowed, and revocable while you're alive.
Technical: Tokenized invite links with revocation · Death-verification documentation upload · Audit row per access event
Compliance
Where we are on the certification path.
SOC 2 Type 1 (in progress)
In progress. Audit kicks off in Q2 2026 with one of the major auditing firms. Vanta-style continuous monitoring is already wired into our infrastructure.
BBB accreditation (pending)
Pending. Application submitted; an A+ rating is typical for businesses with our complaint-handling posture once we've been operating for ~6 months.
B Corporation (in process)
In process. Initial assessment complete; the full audit cycle is 6-12 months. We're targeting B Corp certification in 2027.
AICPA SOC 2 Type 2
Planned 2027. Follows Type 1 by ~12 months. The Type 2 report verifies that controls operated correctly over a sustained window.
Vendors
Who we depend on, and their attestations.
| Vendor | Role | Attestations |
|---|---|---|
| AWS | Compute (Lambda), storage (S3), encryption (KMS), email (SES) | SOC 1, 2, 3 · ISO 27001/27017/27018 · HIPAA-eligible |
| Neon Postgres | Database | SOC 2 Type II · GDPR-ready · encryption at rest |
| Clerk | Authentication | SOC 2 Type II · CCPA-compliant |
| Stripe | Payments (when activated) | PCI DSS Level 1 · SOC 2 Type II |
| Vercel | Edge / CDN (some assets) | SOC 2 Type II |
| Anthropic | AI plan assistant (when activated) | SOC 2 Type II · No training on customer data |
Attorneys
Who reviews our templates.
Attorney review
Each state's template is reviewed by a licensed estate-planning attorney in that state. Currently engaged for 3 states: California, New York, Texas. Reviewer credentials (name + bar ID + review year) will be published here at public launch.
Data lifecycle
What we keep, for how long, and how to delete it.
While your account is active: we retain your will draft, finalized PDFs, and account history indefinitely so you can revisit, update, or re-download at any time.
Account deletion: from /account/data you can request deletion. We perform a soft delete first (account locked, data retained 30 days for recovery), then a hard delete (irreversible).
Legal-hold exceptions: we retain audit-log entries (timestamps, action types) for 7 years even after account deletion, in case of legal dispute. The entries don't include personal data — just “account X performed action Y at time Z.”
Backups: Neon's automated backup window is 7 days for our tier; a deletion request waits out the backup window before we consider the data fully purged.
Reporting
How to report a security concern.
Email security@cocreateidea.com with details of any vulnerability or concern. We respond within 1 business day.
We do not currently run a public bug-bounty program, but we acknowledge legitimate reports and credit reporters in our changelog when they consent.
Specific is better than vague.
Most platforms claim ‘bank-level security.’ This page is what we mean by it.