

Information security policy
Last updated: May 2026. This policy is reviewed at every major release and at minimum annually. Material changes will be announced in-app.
1. Purpose & scope
Heirlume's information security program protects the confidentiality, integrity, and availability of customer financial data, household and beneficiary information, attached documents, and the credentials our customers entrust to the credential vault. This policy applies to every system, employee, contractor, and vendor that handles Heirlume customer data.
2. Governance
Heirlume's founder is the executive accountable for information security. Day-to-day responsibility (incident triage, vendor review, access review, policy maintenance) currently rests with the founder and will transition to a dedicated security owner as the team grows. Security questions and incident reports are received at security@heirlume.ai.
3. Risk management
Risks are identified continuously through code review (every change to data-handling code paths passes a documented compliance checklist before merge), vendor due diligence, dependency vulnerability alerting, and post-incident retrospectives. Identified risks are tracked, prioritized by impact and likelihood, and mitigated within a timeline proportional to severity. Critical issues are remediated within 7 days of discovery; high within 30; moderate within 90.
4. Access control & authentication
- Customer accounts. Authentication is delegated to WorkOS AuthKit. Email + password, magic link, and Google OAuth are supported. Passwords are subject to a strong policy (10-character minimum, complexity rules, breach detection via HaveIBeenPwned, and a 5-entry password history). MFA (TOTP and SMS) is available; step-up MFA enforcement before high-risk operations is on the security roadmap.
- Workspace authorization. Every server-side query and mutation verifies that the acting user owns the workspace being accessed. Cross-workspace reads are not possible.
- Administrative access. Internal admin surfaces require a three-layer check: WorkOS sign-in, an allow-listed admin email, and a separate short-lived (8-hour) signed admin session token gated by a server secret.
- Operator access to SaaS providers. All accounts that touch customer data (Vercel, Convex, WorkOS, Anthropic, Resend, Stripe, GitHub) require multi-factor authentication. Access follows the principle of least privilege — API keys are domain-scoped (e.g., Resend) or product-scoped where the provider supports it.
- Endpoint security. Workstations used to access production systems run macOS with FileVault full-disk encryption, automatic security updates, Gatekeeper code-signing enforcement, and password / Touch ID lock.
5. Data classification & handling
Heirlume handles three classes of data:
- Confidential — financial & estate. Account balances, holdings, liabilities, beneficiary designations, real estate, business interests. Stored encrypted at rest; accessible only to the owning workspace.
- Highly confidential — credential vault. User-supplied credentials are encrypted client-side with AES-256-GCM using a key derived from the user's password and a separate vault PIN (PBKDF2, 600,000 iterations). Heirlume servers store only ciphertext and never receive plaintext credentials.
- Operational — auth, audit, billing. Stored under provider-managed encryption (WorkOS for sessions, Stripe for payment instruments, Convex for audit logs).
6. Encryption
- In transit. All client-server, server-server, and third-party API communication uses TLS 1.3 (with TLS 1.2 fallback). HSTS is enforced on heirlume.ai.
- At rest — infrastructure. Convex (our backend) encrypts the database with AES-256 on managed cloud infrastructure. Vercel applies the same on its build cache and edge storage.
- At rest — application layer for Plaid tokens. Plaid access_tokens are encrypted with AES-256-GCM using a 256-bit master key held in environment configuration; decryption happens only inside server-side actions and never on the client.
- At rest — credential vault. Zero-knowledge: ciphertext only. Loss of the user's password and PIN renders the data permanently unrecoverable by Heirlume by design.
7. Network & infrastructure
Heirlume runs on managed, SOC 2 Type II-certified cloud providers (Vercel for compute and CDN, Convex for the database). We do not run self-managed servers. Production secrets are stored in provider-managed encrypted environment variable stores; no secrets are committed to source control. All Plaid SDK calls execute server-side in the Node.js runtime; Plaid credentials are not exposed to the browser.
8. Vulnerability management
- Dependency scanning. GitHub Dependabot and pnpm audit run continuously against the application's npm and Cargo dependency trees. High and critical advisories are remediated within the SLA above.
- Application code review. Every change to financial data handling, authentication, or cryptography paths passes a documented PR-time checklist before merge.
- Provider-managed scanning. Host-level vulnerability scanning, patching, and DDoS mitigation are handled by Vercel and Convex under their SOC 2 programs.
- Penetration testing. Heirlume will commission an external penetration test annually beginning within 12 months of general availability.
9. Incident response
Suspected security incidents are triaged immediately upon discovery. Containment steps may include rotating credentials, revoking sessions, taking endpoints offline, or disabling features. Affected customers are notified without undue delay and within the windows required by applicable law (e.g., 72 hours for material breaches under GDPR; state-specific timelines under U.S. data breach notification laws). Each incident closes with a written retrospective and at least one preventative action tracked to completion.
10. Vendor & subprocessor management
Vendors that process customer data are reviewed for security posture (SOC 2 / ISO 27001 / equivalent), data residency, and contractual data protection terms before onboarding. The current subprocessor list (Plaid, Convex, WorkOS, Anthropic, Vercel, Resend, Stripe) is maintained in our public Disclosures. Material additions are announced before they take effect.
11. Data retention & deletion
- Plaid item disconnect. On disconnect, the related institution, account, transaction, and holdings rows are scheduled for permanent deletion. A daily cleanup job permanently removes the data within 30 days.
- Account deletion. On user-initiated account deletion, all financial data is removed within 7 days. Compliance-required audit records (consent receipts, sync events with PII redacted) are retained for the longer of 7 years or the period required by applicable law.
- Backups. Provider-managed backups are subject to the same retention commitment; deleted data is purged from backups within the provider's rotation window.
12. Personnel
As the team grows beyond the founder, every employee and contractor with access to customer data will (a) sign a confidentiality agreement, (b) complete security awareness training before access is provisioned, and (c) be onboarded under least-privilege access that is reviewed at least quarterly. Access is revoked the same day a role ends.
13. Compliance
Heirlume is designed to operate in compliance with applicable U.S. federal and state data protection laws (including the California Consumer Privacy Act and equivalent state regimes), Plaid's End User Privacy Policy and Acceptable Use Policy, and Stripe's Services Agreement. Heirlume is not a registered investment adviser, broker-dealer, bank, or law firm; product features are deliberately scoped to remain outside those regulatory perimeters.
14. Policy review
This policy is reviewed at every major release and at minimum annually. The next scheduled review is May 2027. Customers, vendors, or regulators with questions should contact security@heirlume.ai.
This policy summarizes operational practice. The Privacy Policy and Terms of Service are the controlling user-facing documents.