Security pages in this category tend to be adjective collections. This one is an inventory. The controls named below run on the AWS infrastructure that holds the vault — and where we don’t hold a certification, we say so.
These are named AWS services in our production stack — each one you can look up, not a roadmap of adjectives.
Layered protection, from the perimeter to the document
Illustrative — the deployed controls, arranged from the network edge inward to the document.
Documents in storage are protected with AES-256 encryption through AWS Key Management Service, using a customer-managed KMS key. Each partner organization’s data lives in its own isolated storage bucket. Keys are managed by AWS KMS, not by application code.
A web application firewall sits in front of the application and filters malicious traffic before it ever reaches the vault.
GuardDuty continuously monitors the infrastructure and detects suspicious API activity — so unusual behavior is flagged, not discovered after the fact.
CloudTrail records an audit trail of all AWS API calls across the infrastructure. Every administrative action is logged and reviewable — the foundation for compliance work.
Document storage uses AES-256 encryption with an AWS KMS customer-managed key, and each partner organization’s data lives in its own isolated storage bucket. Database contents and all stored credentials are encrypted as well.
All traffic is encrypted in transit with TLS 1.2+ (modern clients negotiate TLS 1.3); unencrypted connections are refused. Certificates are ACM-managed and renew automatically.
Decryption is restricted to narrowly-scoped service roles — no employee has standing access to your document content, and key use is logged. Access is limited by design, not by policy.
When a financial advisor or estate attorney is linked to your vault, they see document metadata only — category, dates, and gap signals. Document content is never returned to a partner. Not hidden by a setting: never returned by the system.
Each partner’s client data also lives in its own isolated storage with access scoped to that partner alone — isolation enforced at the infrastructure level, not just in application code.
A trust page should be as clear about what’s absent as what’s present. So, plainly:
We are not SOC 2 certified today, and you won’t find a badge here implying otherwise. Foundational controls are in place; we’ll claim the certification when an auditor issues it — not before.
You won’t read “unhackable” or “bank-grade” on this site. Our claims are specific and checkable — AES-256, AWS KMS, named controls you can look up.
Our infrastructure is aligned with HIPAA’s technical-safeguard categories — encryption at rest and in transit, audit logging, access controls — though Trusted Directive is not a HIPAA covered entity and does not claim HIPAA compliance.
A vault that locks you out when you stop paying isn’t secure — it’s holding your documents hostage. Ours doesn’t. One-click export of everything, any time, as a downloadable archive is in development for alpha. Cancel, and your documents remain exportable — never deleted because a card expired.
Security controls protect the vault. The Verify-Silence Release Protocol — in development for alpha — will govern when it opens, including for incapacity, where no death certificate exists. Questions about access, privacy, or cancellation? The FAQ answers them plainly.
Trusted Directive opens to a small first group soon. Join the waitlist and your invite lands the day we do.
Join the waitlist — your invite lands the day we open.