Encryption
- In transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher. We enforce HTTPS on every page.
- At rest: All data stored in our database is encrypted at rest using AES-256. Death certificate files stored in cloud object storage (AWS S3) use server-side encryption with managed keys (SSE-S3).
Authentication and Access Control
- Family access: Dashboard access is granted via cryptographically signed magic links (HMAC-SHA256) sent to your email. Each link expires after 24 hours. No passwords are stored.
- Administrative access: All internal staff access requires multi-factor authentication (MFA/2FA) through our identity provider.
- Row-level security: Database-level access controls ensure that each family can only access their own case data. Even if a vulnerability were exploited, the data of one case could not be read through another.
- Service-to-service auth: Internal API communication between our processing agents uses signed service keys, verified on every request.
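The magic-link scheme described under Family access (an HMAC-SHA256 signature with a 24-hour expiry) can be shown end to end in a few lines. The following is an added illustration written for this page, not the Service's own code: the token layout, the field separator, the secret value and the function names are all assumptions. The expiry is embedded in the signed payload so that it cannot be extended without invalidating the tag.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional

# Constructed server-side secret for this example; a real deployment loads it from a secret store.
MAGIC_LINK_SECRET = b"example-secret-not-for-production"
LINK_TTL_SECONDS = 24 * 60 * 60  # the 24-hour expiry described above


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_magic_token(email: str, case_id: str, now: Optional[int] = None) -> str:
    """Return a self-contained token: base64url(payload).base64url(HMAC-SHA256(payload)).

    Assumed payload layout: "<expiry>|<case_id>|<email>". The email goes last so that an
    address containing "|" cannot shift the other fields during parsing.
    """
    now = int(time.time()) if now is None else now
    expires = now + LINK_TTL_SECONDS
    payload = f"{expires}|{case_id}|{email}".encode()
    tag = hmac.new(MAGIC_LINK_SECRET, payload, hashlib.sha256).digest()
    return f"{b64url_encode(payload)}.{b64url_encode(tag)}"


def verify_magic_token(token: str, now: Optional[int] = None) -> Optional[dict]:
    """Return {'email', 'case_id'} for a valid, unexpired token; None for anything else."""
    now = int(time.time()) if now is None else now
    try:
        payload_b64, tag_b64 = token.split(".")
        payload = b64url_decode(payload_b64)
        tag = b64url_decode(tag_b64)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(MAGIC_LINK_SECRET, payload, hashlib.sha256).digest()
    # Constant-time comparison: a plain == would leak timing information about the tag.
    if not hmac.compare_digest(tag, expected):
        return None
    # Only after the signature checks out is the payload interpreted.
    try:
        expires_str, case_id, email = payload.decode().split("|", 2)
        expires = int(expires_str)
    except ValueError:
        return None
    if now >= expires:
        return None
    return {"email": email, "case_id": case_id}
```

The ordering in verify_magic_token matters: the signature is checked before any field of the payload is parsed, so a malformed or forged payload never reaches application logic. A production implementation would additionally bind the token to a one-time nonce stored server-side so that a link cannot be reused within its 24-hour window.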
Infrastructure
- Our application and database are hosted on SOC 2-compliant cloud infrastructure with automated backups, redundancy, and disaster recovery.
- Death certificates and other sensitive documents are stored in isolated, encrypted cloud storage with strict access policies.
- All third-party service providers (payment processing, email delivery, document signing) are selected for their security certifications and sign Data Processing Agreements.
Application Security
- Content Security Policy (CSP): We enforce a strict CSP that prevents cross-site scripting (XSS), restricts frame embedding, and limits resource origins.
- Clickjacking protection: X-Frame-Options: DENY is set on all responses.
- Webhook verification: All inbound webhooks from payment processors, email services, and SMS providers are verified using cryptographic signatures before processing.
- Input validation: All user inputs are validated and sanitized server-side to prevent injection attacks.
- Dependency management: We regularly audit and update third-party dependencies to address known vulnerabilities.
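The webhook verification bullet above describes checking a provider's cryptographic signature before a payload is processed. The following added example, not the Service's or any provider's own code, shows the receiving side of a timestamp-plus-HMAC scheme of the kind several payment and messaging providers use; the header layout ("t=<unix time>,v1=<hex HMAC-SHA256>"), the secret and the five-minute replay window are assumptions. It also demonstrates a common pitfall: the signature must be computed over the raw request bytes, because re-serialising parsed JSON changes them.

```python
import hashlib
import hmac
import json

# Constructed shared secret; a real provider issues one per webhook endpoint.
WEBHOOK_SECRET = b"example-webhook-secret"
REPLAY_TOLERANCE_SECONDS = 300  # assumed window; rejects old but validly signed deliveries

# Constructed sample delivery. The double space is deliberate: json.dumps(json.loads(body))
# would not reproduce these exact bytes.
SAMPLE_BODY = b'{"event": "payment.succeeded", "amount":  1200}'


def sign_webhook(raw_body: bytes, timestamp: int) -> str:
    """Provider side: sign '<timestamp>.<raw body>' so the timestamp is covered by the MAC."""
    mac = hmac.new(WEBHOOK_SECRET, f"{timestamp}.".encode() + raw_body, hashlib.sha256)
    return f"t={timestamp},v1={mac.hexdigest()}"


def verify_webhook(raw_body: bytes, signature_header: str, now: int) -> bool:
    """Receiver side: parse the header, enforce the replay window, compare in constant time."""
    fields = dict(part.split("=", 1) for part in signature_header.split(",") if "=" in part)
    try:
        timestamp = int(fields["t"])
        provided = fields["v1"]
    except (KeyError, ValueError):
        return False
    if abs(now - timestamp) > REPLAY_TOLERANCE_SECONDS:
        return False
    expected = hmac.new(
        WEBHOOK_SECRET, f"{timestamp}.".encode() + raw_body, hashlib.sha256
    ).hexdigest()
    return hmac.compare_digest(provided, expected)


def handle_webhook(raw_body: bytes, signature_header: str, now: int):
    """Parse the JSON only after the signature has been verified; returns None when rejected."""
    if not verify_webhook(raw_body, signature_header, now):
        return None
    return json.loads(raw_body)


def verify_over_reparsed_body(raw_body: bytes, signature_header: str, now: int) -> bool:
    """The pitfall: verifying over json.dumps(json.loads(...)) fails whenever formatting differs."""
    reparsed = json.dumps(json.loads(raw_body)).encode()
    return verify_webhook(reparsed, signature_header, now)
```

In a web framework this means reading the request body as bytes before any JSON middleware touches it. The replay window limits how long a captured, validly signed delivery stays usable; idempotency keys on the event id close the remaining gap.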
Data Handling Practices
- Minimal data collection: We collect only the information necessary to perform the filings and closures you request.
- No data selling: We never sell, rent, or trade your personal information to third parties for marketing or any other purpose.
- AI data handling: Case data processed by our AI-powered agents is used only in real time for your specific request. Our AI provider does not retain or train on your data.
- Retention limits: We retain case data only as long as necessary for the engagement plus legally required record-keeping periods. Death certificates are deleted within 90 days of case closure.
Incident Response
In the unlikely event of a data breach or security incident:
- We will investigate, contain, and remediate the incident immediately.
- Affected users will be notified within 72 hours of confirmation, in compliance with applicable state breach notification laws (including the Texas Identity Theft Enforcement and Protection Act).
- We will provide clear guidance on any steps you should take to protect yourself.
Responsible Disclosure
If you believe you have found a security vulnerability in our Service, please report it to security@gracesettle.com. We ask that you:
- Provide enough detail for us to reproduce and confirm the issue
- Allow us reasonable time to address the vulnerability before any public disclosure
- Do not access, modify, or delete data belonging to other users
We will acknowledge receipt within 48 hours and work to resolve confirmed vulnerabilities promptly.