Heirlume
Security

How Heirlume protects your data

Estate data

Names, addresses, account balances, and beneficiary designations are stored in Convex, our backend, with encryption at rest. Sensitive PII such as SSNs is additionally field-level encrypted, so those values are protected even inside the database.

Credentials

The credential vault is zero-knowledge: credentials are encrypted in your browser before they are sent to us. The encryption key is derived in the browser with the Web Crypto API, using PBKDF2 over your password and Vault PIN with a salt and 600,000 iterations. The server stores only ciphertext and never sees plaintext credentials, your Vault PIN, or your Trustee Override Code.

Compliance posture

  • AI plan output is informational. Every entity recommendation is flagged for licensed-attorney review.
  • We do not aggregate financial accounts via Plaid in Phase 1, so we are not GLBA-regulated yet. When Plaid arrives we will implement GLBA Safeguards Rule controls.
  • Data export and deletion are available under Settings → Security per CCPA / state privacy laws.