Security

Security built on deployed controls,
not promises

Security pages in this category tend to be adjective collections. This one is an inventory. The controls named below run on the AWS infrastructure that holds the vault — and where we don’t hold a certification, we say so.

The controls, by name

What’s actually running

These are named AWS services in our production stack — each one you can look up, not a roadmap of adjectives.

AWS KMS — encryption key management

Documents in storage are protected with AES-256 encryption through AWS Key Management Service, using a customer-managed KMS key. Each partner organization’s data lives in its own isolated storage bucket. Keys are managed by AWS KMS, not by application code.

AWS WAF — web application firewall

A web application firewall sits in front of the application and filters malicious traffic before it ever reaches the vault.

Amazon GuardDuty — threat detection

GuardDuty continuously monitors the infrastructure and detects suspicious API activity — so unusual behavior is flagged, not discovered after the fact.

AWS CloudTrail — audit trail

CloudTrail records an audit trail of all AWS API calls across the infrastructure. Every administrative action is logged and reviewable — the foundation for compliance work.

Encryption

Encrypted at rest, in transit, and access-controlled

At rest

Document storage uses AES-256 encryption with an AWS KMS customer-managed key, and each partner organization’s data lives in its own isolated storage bucket. Database contents and all stored credentials are encrypted as well.

In transit

All traffic is encrypted in transit with TLS 1.2+ (modern clients negotiate TLS 1.3); unencrypted connections are refused. Certificates are ACM-managed and renew automatically.

Scoped decryption

Decryption is restricted to narrowly-scoped service roles — no employee has standing access to your document content, and key use is logged. Access is limited by design, not by policy.

Professional access

Your advisor sees signals, never documents

When a financial advisor or estate attorney is linked to your vault, they see document metadata only — category, dates, and gap signals. Document content is never returned to a partner. Not hidden by a setting: never returned by the system.

Each partner’s client data also lives in its own isolated storage with access scoped to that partner alone — isolation enforced at the infrastructure level, not just in application code.

What access actually looks like

  • Partners see metadata only — never document content
  • You control who can access every document
  • Document sharing is disabled during alpha while we redesign it
  • Trusted Contacts (in development for alpha) will be view-only — no editing, no deleting
  • Document activity is logged at the application layer, with storage-level object access recorded via AWS CloudTrail data events

What we don’t claim

A trust page should be as clear about what’s absent as what’s present. So, plainly:

No SOC 2 badge

We are not SOC 2 certified today, and you won’t find a badge here implying otherwise. Foundational controls are in place; we’ll claim the certification when an auditor issues it — not before.

No superlatives

You won’t read “unhackable” or “bank-grade” on this site. Our claims are specific and checkable — AES-256, AWS KMS, named controls you can look up.

Not HIPAA-certified

Our infrastructure is aligned with HIPAA’s technical-safeguard categories — encryption at rest and in transit, audit logging, access controls — though Trusted Directive is not a HIPAA covered entity and does not claim HIPAA compliance.

Your data, your exit

Security includes the right to leave

A vault that locks you out when you stop paying isn’t secure — it’s holding your documents hostage. Ours doesn’t. One-click export of everything, any time, as a downloadable archive is in development for alpha. Cancel, and your documents remain exportable — never deleted because a card expired.

Security controls protect the vault. The Verify-Silence Release Protocol — in development for alpha — will govern when it opens, including for incapacity, where no death certificate exists. Questions about access, privacy, or cancellation? The FAQ answers them plainly.

A vault worth trusting starts with claims worth checking

Trusted Directive opens to a small first group soon. Join the waitlist and your invite lands the day we do.

Join the waitlist — your invite lands the day we open.