Security · Privacy
How we protect your documents
We hold ourselves to a standard you would expect of a private bank, not a consumer software product. This page is plain English, on purpose.
Encryption at rest
Every document you upload is encrypted with its own unique key using AES-256-GCM, an industry-standard algorithm trusted by governments and financial institutions. That key is then wrapped by a master key held in a hardware-protected key management service. We never store decryption keys alongside your data.
Access control
No Legatus employee can read your documents without an authenticated request from you or a fully verified release event. Row-level security is enforced inside our database, not just in application code, so a mistake in one layer cannot expose another customer's data.
Authentication
Multi-factor authentication is required for every account before any document is uploaded. Recovery codes are generated once and stored by you, not us. Sessions expire after 30 minutes of inactivity and 12 hours of absolute use.
Audit trail
Every meaningful action on your account is recorded permanently — uploads, access, designations, claims, votes, and releases. The log is append-only; even we cannot rewrite it. You can review your full history at any time.
Honest limits
Today, we use server-side encryption. That means a sufficiently determined breach of our infrastructure could, in theory, expose documents. We mitigate that risk with a managed KMS, strict access boundaries, and SOC 2 controls (targeting Type I within twelve months of launch). A future release will offer a zero-knowledge mode for those who want it; we will not ship it until it has been independently reviewed by professional cryptographers.
Subprocessors
We use Supabase (database and storage), Vercel (application hosting), Resend (email), and Twilio (SMS notifications). All are bound by data processing agreements appropriate for personal and sensitive data.
Questions? Write to security@legatusvault.com. We answer every message.