IVORYSAFE LLC ("IvorySafe", "us", "our", and "we") built its service to hold some of the most sensitive information in your life. This Security Policy ("Policy") explains the technical and organizational measures we use to protect that information, what we can and cannot access, and the responsibilities that remain with you. This Policy applies to our website located at www.ivorysafe.com, the IvorySafe app, and our other products and services (collectively referred to in this Policy as the "Site"). This Policy should be read in conjunction with our Terms of Use and Privacy Policy, into which it is incorporated. Capitalized terms used in this Policy and not otherwise defined will have the meaning set forth in the Terms of Use. This Policy applies to persons who (i) open an Account or upload Deposit Materials to the Site ("Subscribed Users"), (ii) are authorized by a Subscribed User to have access to Deposit Materials ("Emergency Contacts"), or (iii) otherwise use or attempt to use the Site (collectively, "Users", "you" and "your").

1. END-TO-END ENCRYPTION OF DEPOSIT MATERIALS

Your Deposit Materials are protected by end-to-end encryption. This means:

  • Deposit Materials are encrypted on your device, before they are transmitted to us. They travel to our servers in encrypted form and are stored in encrypted form.
  • Your Account password is the encryption key that unlocks your Deposit Materials. Your password is entered on your device and never transmitted to or stored by us. We do not have a copy, and we cannot reset or recover it.
  • We do not have the ability, nor do we intend, to review, monitor, or access the contents of your Deposit Materials. What we store is an encrypted block of data that is unreadable to us and to anyone else who does not have your password. BECAUSE WE DO NOT HOLD YOUR PASSWORD, WE CANNOT RECOVER IT OR YOUR DEPOSIT MATERIALS IF YOUR PASSWORD IS LOST. THIS IS AN INTENTIONAL DESIGN TRADE-OFF THAT MAKES THE SERVICE SECURE.

2. INFORMATION WE CAN ACCESS

To operate your Account and provide the Services, we maintain access to a limited set of information outside your encrypted vault, including:

  • Your name and email address;
  • Your phone number, which we use to verify your identity when you log in;
  • Your subscription and payment status, as processed by our third-party payment processor (we do not collect or store your credit card information);
  • Login activity, such as when you logged in and from what device;
  • The name, email address, and phone number of the Emergency Contacts you designate, which we use to reach them;
  • The emails and text messages we send for and to you, such as the invitation an Emergency Contact receives when you add them; and
  • Which sections of your vault you have started or completed, but never the contents of those sections. We cannot access your Account password, account numbers, passwords or PINs stored in your vault, documents, files, or photos you have uploaded, information about your family, home, or finances, or anything else written, uploaded, or saved inside your vault.

3. ENCRYPTION IN TRANSIT AND AT REST

All communication between your device and our servers is encrypted in transit using industry-standard transport layer security (TLS). Deposit Materials are additionally encrypted on your device before transmission as described in Section 1, and remain encrypted at rest on our storage infrastructure. Backups of encrypted Deposit Materials are themselves stored in encrypted form.

4. AUTHENTICATION AND MULTI-FACTOR AUTHENTICATION

Every login to the Site is verified by multi-factor authentication: a one-time code is sent to the phone number you verified at signup, and must be entered to complete the login. You may choose to trust a device for thirty (30) days at a time, during which you will not be asked to enter a verification code on that device. Identity verification and vault decryption are separate systems. The one-time code confirms that you control the phone number associated with your Account; it has no connection to encryption. Your password is the only key to your vault, and it decrypts your Deposit Materials locally on your device.

5. INFRASTRUCTURE AND HOSTING

Our application runs on Digital Ocean infrastructure. Encrypted Deposit Materials and backups are stored on Amazon Web Services (AWS) S3. Both providers operate data centers in the United States with physical security controls and redundancy. Because Deposit Materials are encrypted on your device before they leave it, our infrastructure providers see only encrypted data. We have built IvorySafe to SOC 2 standards from day one, applying the controls and practices a SOC 2 audit would look for, including access controls, change management, vendor management, and incident response procedures.

6. PAYMENT SECURITY

All payments are processed by our third-party payment processor (currently Stripe). Your credit card information is entered directly on the payment provider’s secure platform. We do not collect, store, or have access to your full credit card information.

7. SECURITY INCIDENTS AND BREACH NOTIFICATION

No company can promise that nothing will ever go wrong. However, because of how IvorySafe is built, a compromise of our servers would not expose the contents of your vault: an attacker would obtain encrypted data that cannot be read without your password, which we do not hold. In the event of a security incident affecting your information, we will:

  • Notify affected Users promptly, with clear next steps;
  • Explain what we know, what we do not know, and what we are doing in response; and
  • Comply with applicable data breach notification laws.

Vault contents would remain encrypted and unreadable to anyone without your password.

8. LEGAL REQUESTS

We may be legally compelled to produce the information we possess, which consists of encrypted Deposit Materials and the Account information described in Section 2. We cannot be compelled to produce the readable contents of your vault, because we do not possess them in readable form and do not hold the password required to decrypt them.

9. YOUR RESPONSIBILITIES

End-to-end encryption shifts certain responsibilities to you. You are responsible for:

  • Choosing a strong, unique Account password. We recommend using a reputable password manager;
  • Keeping your password somewhere safe. We cannot recover it for you, and if it is lost, your Deposit Materials cannot be decrypted;
  • Maintaining access to the phone number you verified at signup, which is required for every login;
  • Choosing Emergency Contacts you trust completely, and setting waiting periods you are comfortable with;
  • Keeping your Account login information confidential, logging out after use on shared devices, and notifying us immediately at support@ivorysafe.com of any unauthorized use or suspected breach of security.

10. REPORTING SECURITY VULNERABILITIES

If you believe you have discovered a security vulnerability in the Site, please report it to us at support@ivorysafe.com. We ask that you act in good faith: do not access, modify, or delete data belonging to others, and give us a reasonable opportunity to remediate the issue before any public disclosure. We will acknowledge reports promptly and keep you informed as we investigate.

11. NO GUARANTEE

While we work to protect the security of all content and Accounts, no website or Internet transmission is completely secure, and we cannot guarantee that unauthorized access, hacking, data loss, or other breaches will never occur. Please refer to our Terms of Use for applicable disclaimers and limitations of liability.

12. CHANGES TO THIS POLICY

We may revise this Policy from time to time. The most current version will always be posted on our website. If we make a change that, in our sole discretion, is material, we will notify you, for example via email to the address associated with your Account and/or by posting a notice within IvorySafe.

13. CONTACT US

If you have questions about this Policy or the security of the Site, contact us at support@ivorysafe.com, or by mail at: IVORYSAFE LLC, Attn: Security, 12401 S 450 E, Suite F1, Draper, UT 84020.