Security & Trust
How we protect your data — in plain English.
We hold passwords, medical directives, and family secrets. We owe you specifics, not slogans. Here is exactly what we do, what we don't do yet, and how to reach us about security.
Summary
- Your password vault is encrypted on your device with AES-256-GCM before it ever reaches our servers (zero-knowledge — we cannot decrypt it).
- All traffic uses TLS 1.2 or higher in transit.
- Other data lives in Supabase Postgres with encryption at rest, row-level security, and role-based access controls.
- Authenticator-app (TOTP) two-factor authentication is available, with backup codes hashed with SHA-256 server-side.
- We have not completed a SOC 2 or ISO 27001 audit yet. We will publish a Trust Centre with reports the moment we do.
Detailed matrix
| Data type | At rest | In transit | Can Sort My Legacy read it? |
|---|---|---|---|
| Passwords, vault entries, crypto seeds | AES-256-GCM, key derived from your master password via PBKDF2 (310,000 iterations) on your device | TLS 1.2+ | No — zero-knowledge |
| Financial inventory, will draft, family roster | Supabase Postgres at-rest encryption (cloud-provider-managed keys) | TLS 1.2+ | Yes — under strict access controls; only used to deliver the product or comply with a lawful request |
| Uploaded documents (PDFs, scans, photos) | Supabase Storage at-rest encryption + per-user access policies | TLS 1.2+ | Yes, technically. We don't browse them. |
| Backup codes (for 2FA recovery) | SHA-256 hashed before storage | TLS 1.2+ | No |
Two-factor authentication
Set up TOTP via Google Authenticator, 1Password, Authy, or any standard authenticator app. We generate 8 backup codes at setup so you never get locked out. Backup codes are SHA-256 hashed server-side; we don't store them in the clear.
HTTP security posture
- HSTS preload (Strict-Transport-Security with includeSubDomains; preload)
- X-Frame-Options: DENY (clickjacking protection)
- X-Content-Type-Options: nosniff
- Referrer-Policy: strict-origin-when-cross-origin
- Permissions-Policy: camera, microphone, geolocation all locked off
- Cross-Origin-Opener-Policy: same-origin-allow-popups (required for Google OAuth)
Verify any of the above by inspecting response headers with `curl -I`, or via Mozilla Observatory.
Compliance posture
DPDPA (India's Digital Personal Data Protection Act 2023): we follow the principles — purpose limitation, minimisation, retention, breach notification — and our Privacy Policy spells them out. SOC 2 Type II and ISO 27001 are on the roadmap; we will not claim them until they are completed and the reports are public.
Sub-processors
We list every third party that touches your data and what they touch.
- Supabase (database, storage, auth) — Singapore region
- Vercel (hosting, edge) — global
- Firebase Auth (Google OAuth) — Google Cloud
- Resend (transactional email)
- Razorpay (payments) — Indian payment processor
- Lemin / WPBox (WhatsApp Business Platform)
Responsible disclosure
Found a security issue? Email security@bindalinfotech.com (also accepts the support email below). We will acknowledge within 24 hours, fix critical issues within 7 days, and credit you in our changelog if you want.