Last updated 8 May 2026
Trust & security
A plain-English summary of how Heirlume is built to handle the most sensitive data in your life. The detailed technical posture lives on our security page.
Three commitments
- We do not sell your data. Heirlume's revenue comes from subscription fees. There is no advertising business and no data-broker partnerships. The full commitment lives in our privacy policy.
- Documents and credentials are encrypted at rest. Estate documents are AES-256-GCM encrypted in Convex storage. The credential vault is encrypted in your browser using a key derived from your password and Vault PIN — Heirlume's servers never see the plaintext.
- We use vetted infrastructure. Every subprocessor we rely on for hosting, identity, payments, financial connectivity, AI, and email is independently SOC 2 Type II certified. (Detail below.)
Infrastructure
Heirlume runs on managed services that are independently SOC 2 Type II certified. We chose providers whose own audits we can rely on so that your data sits inside a hardened perimeter from the day you sign up.
- Vercel — application hosting and edge delivery
- Convex — application database and document storage
- WorkOS — authentication and session management
- Plaid — financial account connectivity
- Stripe — subscription billing
- Anthropic — AI document extraction and estate-intelligence features (no training on your inputs)
- Resend — transactional email delivery
Heirlume's own SOC 2 status
Heirlume itself does not yet hold a SOC 2 report. We've adopted the controls a SOC 2 audit examines — encrypted-at-rest storage, TLS-only transport, role-based access, signed-token invitations, audit logging, documented subprocessors, and the principle that the smallest possible amount of data leaves your browser. A formal Type II audit is on our roadmap as we approach the general availability of our Family Office tier.
Until then, we believe the right framing is: Heirlume runs on SOC 2-certified infrastructure, and we don't claim certifications we don't yet hold.
What's encrypted, and how
- Documents. Encrypted at rest in Convex storage.
- Plaid access tokens. Encrypted with AES-256-GCM using a server-side key. The browser never sees the token.
- Credential vault. Encrypted in your browser using AES-256-GCM with a key derived from your password and Vault PIN via PBKDF2 (600,000 iterations). Heirlume's servers never see your plaintext credentials — not even hashed.
- Transit. TLS-only. There is no insecure HTTP fallback in production.
Authentication and access
Sign-in goes through WorkOS AuthKit, with multi-factor authentication supported. Beneficiaries, executors, trustees, and guardians you invite connect through consent-based, role-aware tokens that you can revoke at any time. Each role sees only what you've authorized.
What we don't store
We don't store your bank login credentials — Plaid does. We don't store full credit card numbers — Stripe does. We don't store unencrypted copies of your vault credentials anywhere on our servers. We don't track you across the web.
Reporting a vulnerability
Security researchers and customers can report concerns to security@heirlume.ai. We commit to acknowledging reports within two business days and to good-faith collaboration with researchers acting in good faith.
Vendor reviews
Advisors, family offices, and enterprise prospects who require formal documentation should contact legal@heirlume.ai. We can share our security controls summary, subprocessor list, and the underlying SOC 2 reports of our infrastructure providers under NDA.
This page summarizes Heirlume's current security and compliance posture in plain English. The full technical detail lives at /legal/security.