Serious about security. Specific about how.

Inheritable holds some of the most sensitive records a person keeps: passwords, wills, finances, and the messages meant for the people they love. That responsibility shapes how we build, with specifics rather than adjectives. Here is exactly how your information is protected, point by point.

  • Access Control
  • Row-Level Security
  • Data Encryption
  • Anti-Forgery Tokens
  • Step-Up Authentication
  • Rate Limiting
  • Full Audit Trail
  • Face/Touch ID
  • OAuth
  • AES-256
Encryption

Everything is encrypted in transit with TLS and at rest with AES-256 on our hosting platform. The most sensitive fields, such as the credentials in your Password Vault and Vault @ Home and your policy and account numbers, carry a second layer of encryption inside the database with pgcrypto. Because the app has to show you those values when you ask for them, decryption happens server-side, for a single entry at a time, at the moment you open it, and never in bulk. Every such access is recorded in your audit log.

Authentication

Sign in with email and password, with a passkey (WebAuthn, using Face ID or Touch ID), or with OAuth through Google or Apple.

Access control

Access is enforced at the database layer with row-level security, not just in application code. The application can only ever read rows that belong to the signed-in account, so a bug in the app cannot expose another person's data.

Audit log

Reads, shares, and access attempts are written to an audit log in the database, attributed to the account that performed them and recording the time, the originating IP address, and the device ID. When a request arrives through a proxy, the forwarded client IP is captured so the record reflects where the action actually came from.

Data residency

The database and applications are hosted in the United Kingdom, within a data centre that holds SOC 2 and ISO 27001 accreditation.

On your device

The mobile app keeps your signed-in session in the device's hardware-backed secure storage, the iOS Keychain or the Android Keystore, encrypted with AES-256 and reachable only while the device is unlocked. You can switch on an app lock that asks for Face ID, Touch ID, a fingerprint, or your device passcode before anything sensitive appears, with an auto-lock timeout you set yourself. Screens that reveal a password or a recovery phrase are guarded against screenshots and screen recording, and a password copied to the clipboard is cleared again a short time later. Stored credentials are shown one at a time, decrypted only at the moment you open them, never all at once.

Signing in

You can sign in with a passkey, built on WebAuthn and confirmed with Face ID or Touch ID, so there is no password to phish or reuse. You can also use your Apple or Google account, or an email and password. On the web portal, the actions that matter most, such as deleting your account, setting a recovery phrase, or granting access to a trusted advisor, ask you to re-enter your password first. A session left open on a borrowed computer cannot be used to make an irreversible change.

In the browser

The portal's session cookie is marked HttpOnly and is only ever sent over HTTPS, so scripts cannot read it and it cannot travel over an insecure connection. Every request that changes your data carries an anti-forgery token, and repeated sign-in attempts and outgoing emails are rate-limited to blunt automated abuse. The site is served with a strict Content-Security-Policy alongside HSTS, frame and content-type protections, a tight referrer policy, and a restrictive permissions policy. Files you preview open inside a sandboxed frame, and untrusted content is sanitised before it is displayed.

The same standard in both places

However you reach Inheritable, access is enforced at the database with row-level security, so the software can only ever see records that belong to you. The web server holds no master key to your information; the few operations that need elevated access run as narrowly scoped routines, each authorised for a single job. Mobile and web share the same UK-hosted, accredited infrastructure and the same audit log, which records who opened what, when, and from where. We build to that standard whether you are planning for next week or for long after you are gone.
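How the pieces described above fit together in PostgreSQL, as an added example that is not Inheritable's own schema or code: the row-level policy from the Access control section and this one, the single-entry pgcrypto decryption from the Encryption section, and the audit record it leaves. The table, column and setting names (app.account_id, app.vault_key) are assumptions made for the example.

```sql
-- Constructed schema for this example; table, column and setting names are hypothetical.
CREATE EXTENSION IF NOT EXISTS pgcrypto;

CREATE TABLE vault_entries (
    id         bigserial PRIMARY KEY,
    owner_id   uuid  NOT NULL,
    secret_enc bytea NOT NULL   -- pgp_sym_encrypt() output; the plaintext is never stored
);

CREATE TABLE audit_log (
    id        bigserial PRIMARY KEY,
    owner_id  uuid   NOT NULL,
    entry_id  bigint NOT NULL,
    action    text   NOT NULL,
    at        timestamptz NOT NULL DEFAULT now(),
    client_ip inet,
    device_id text
);

-- Row-level security: a session only sees rows whose owner_id matches the account the
-- application bound it to. An unset setting yields NULL, which matches no row (default deny).
ALTER TABLE vault_entries ENABLE ROW LEVEL SECURITY;
ALTER TABLE vault_entries FORCE ROW LEVEL SECURITY;
CREATE POLICY owner_only ON vault_entries
    USING (owner_id = NULLIF(current_setting('app.account_id', true), '')::uuid);

-- Single-entry decryption as a narrowly scoped routine: one row, one audit record, one
-- transaction. It runs as the caller (the default, SECURITY INVOKER), so the policy above
-- still applies inside it. Passing the key as a per-request setting (app.vault_key) is an
-- assumption of this example, not a description of the product's key management.
CREATE FUNCTION open_vault_entry(p_entry_id bigint, p_ip inet, p_device text)
RETURNS text LANGUAGE plpgsql AS $$
DECLARE
    v_owner  uuid := NULLIF(current_setting('app.account_id', true), '')::uuid;
    v_secret text;
BEGIN
    SELECT pgp_sym_decrypt(secret_enc, current_setting('app.vault_key', true))
      INTO v_secret FROM vault_entries WHERE id = p_entry_id;
    IF v_secret IS NULL THEN
        RETURN NULL;   -- no such row, or another account's row: nothing decrypted, nothing logged
    END IF;
    INSERT INTO audit_log (owner_id, entry_id, action, client_ip, device_id)
    VALUES (v_owner, p_entry_id, 'read', p_ip, p_device);
    RETURN v_secret;
END;
$$;

-- Per request the application binds the session to the signed-in account, then opens one entry:
-- SET LOCAL app.account_id = '00000000-0000-0000-0000-000000000001';
-- SELECT open_vault_entry(42, '203.0.113.7'::inet, 'device-1');
```

Because the policy is evaluated inside the function as well, a request for another account's entry returns NULL rather than an error, and no audit row is written for it.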

Reporting a vulnerability

If you believe you have found a security issue, please email support@inheritable.co.uk with the details. We take reports extremely seriously and will respond promptly.

Policies

For how we handle your data and the terms of use, see the Privacy and Terms pages. For anything else, contact the team.