Security

The architecture
behind the trust.

If the Trust page is what we promise, this page is how we keep it. Read it once now, or keep it open while you decide whether to give us your most personal recordings.

SOC 2 — in progress · Designed around GDPR + CCPA principles

Heirloom is built with SOC 2 controls from day one — audit logging, data classification, access controls, and processor agreements with every vendor that touches customer data. We are pursuing Type II certification ahead of public launch.

Encryption at rest

All audio, video, and letter content is encrypted with AES-256 before it touches storage. Keys are managed by AWS KMS with per-customer isolation, so an exposed key can only decrypt one customer’s content — not the whole vault.

Authentication and access

All family members sign in via Clerk with passwordless magic links — no passwords to manage, no passwords to leak. Multi-factor is available on every account. Internal access to admin tools is gated to a single role with audit-logged actions.

Storage architecture

Primary content lives in AWS S3 with versioning and Object Lock in compliance mode (immutable for the configured retention). A backup copy lives in a different region for failure-mode independence. Daily integrity checks compare checksums.

Audit logging

Every consequential action — story created, family member invited, member removed — writes a row to our audit log with actor, IP, user agent, and metadata. Compliance queries (GDPR/CCPA, SOC 2) are answered from this table. The log is read-only to engineers.

Privacy posture

We never use customer content to train AI models. Every API call to our AI providers explicitly opts your content out of training. Customer recordings are excluded from product analytics. We honor GDPR and CCPA data rights, including data export and deletion on request.

Vulnerability disclosure

Security researchers can report vulnerabilities to security@yourheirloom.app. We acknowledge within 48 hours and resolve based on severity. We run automated dependency scanning, npm audit on every CI run, and an annual third-party penetration test once we reach $500K ARR.

Have a security question?

We answer real questions from real customers. Email security@yourheirloom.app and we will get back to you within two business days.

Back to TrustStart your archive