Security & Privacy

Bank-grade security for your family's spark notes.

EmberKeep doesn't store your bank accounts, passwords, or sensitive documents. It stores the spark notes — a secure map that points your family to the right places, people, and accounts. That map is protected with enterprise-grade encryption.

  • Enterprise cloud infrastructure
  • AES-256 encryption at rest & in transit
  • Healthcare-level security practices & access logs
  • Zero-access: staff cannot read your vault

Infrastructure

Enterprise cloud infrastructure.

Your vault runs on enterprise-grade cloud infrastructure with dedicated security controls at every layer — database, storage, and application.

Supabase — Managed PostgreSQL

All structured vault data lives in a fully managed PostgreSQL database hosted on Supabase with Row Level Security (RLS) enforced on every table. The database is encrypted at rest using AES-256, with network isolation and automated daily backups.

  • Encrypted at rest: AES-256 default encryption on all disk volumes
  • Row Level Security: RLS policies on every table, so users can only access their own data
  • Automated backups: daily automated backups with point-in-time recovery

Supabase Storage

Uploaded documents and files are stored in Supabase Storage with server-side encryption. Files are accessed via signed URLs with short expiration windows — no public access.

Global CDN via Vercel Edge

The EmberKeep application is served through Vercel's global edge network, reducing latency and ensuring fast load times regardless of where your family members are located.

99.9% uptime SLA

Supabase and Vercel's edge network provide a 99.9% uptime service level agreement. Your vault is available when your family needs it — including in an emergency.

Encryption

Your data is encrypted end-to-end.

Every piece of information you store in EmberKeep is protected by multiple layers of encryption — the same standard used by banks, hospitals, and defense contractors worldwide.

Military-grade

AES-256 encryption at rest

All vault data stored in Supabase PostgreSQL and Storage is encrypted using AES-256 — the encryption standard adopted by the U.S. government for top secret information. Your data is unreadable without the decryption key.

Latest standard

TLS 1.3 in transit

All data in motion between your browser and EmberKeep servers is encrypted using TLS 1.3 — the latest and most secure version of the transport protocol. This means your data cannot be intercepted or read on the wire.

Encrypted

Server-side encryption (AES-256)

Uploaded documents are stored with server-side AES-256 encryption managed by Supabase's infrastructure. Encryption keys are managed separately from the data they protect, ensuring defense in depth.

Privacy by design

Zero-access architecture

Your spark notes are never read by EmberKeep staff. Your maps to accounts, wishes, and instructions are private by design — not just policy. No employee, engineer, or executive can read what you've written.

  • AES-256 at rest
  • TLS 1.3 in transit
  • AES-256 file encryption
  • Zero-access staff policy

Access controls

Only you can access your vault.

Every request to EmberKeep is authenticated and verified. There are no back doors, no admin overrides, and no way for unauthorized parties to access your information.

Clerk-powered authentication

EmberKeep uses Clerk for identity management — a SOC 2 Type II certified authentication provider. Your login credentials are never stored by EmberKeep directly.

Multi-factor authentication

MFA is supported and encouraged. Add an authenticator app or SMS second factor to your account for an additional layer of security beyond your password.

Row-level security

Every database table enforces Row-Level Security (RLS) policies. Even at the database level, queries are scoped to your authenticated user — no cross-account data leakage is possible.

Session verification on every request

Every API call to EmberKeep is independently verified against your authenticated session. There is no caching of authorization decisions — each request earns its own access.

Full audit log

Every login, every vault view, and every change is recorded with a timestamp, IP address, and device fingerprint. You can see exactly who accessed your vault and when.

Geographic redundancy

Your vault runs on Supabase's managed infrastructure with automated daily backups and point-in-time recovery. The EmberKeep application is served via Vercel's global edge network across 30+ regions.

Access control checklist

  • Clerk SOC 2 Type II certified authentication
  • Multi-factor authentication supported
  • Row-Level Security on all database tables
  • Every API request verified against authenticated session
  • Audit log of all access events with IP + device
  • Session timeouts on inactivity
  • No admin back-door to vault contents
  • Beneficiary access requires explicit owner grant

Privacy

Your privacy is non-negotiable.

EmberKeep does not monetize your data — ever. Your personal information is not a product. It is a trust.

No data sold to third parties — ever

EmberKeep does not sell, license, or share your personal vault data with advertisers, data brokers, or any third party. Your information is used only to provide the EmberKeep service to you.

No advertising targeting based on vault content

We do not analyze your vault content for advertising purposes. What you write about your medical wishes, financial accounts, or personal messages is not used to serve you ads — here or anywhere else.

Data portability — export your full vault

You can export your complete vault at any time — formatted as a readable PDF for your attorney, an encrypted archive for personal backup, or a structured file for migration to any other service. No lock-in.

Right to deletion — all data purged on request

You can request full account deletion at any time. When you do, all vault data, uploaded documents, AI conversation history, and account information are permanently and irrevocably deleted from our systems.

Export formats available anytime

Your data is always yours to take. Download a copy in any format — no waiting, no approvals required.

PDF Export · Encrypted Archive · iCloud Backup · Google Drive Sync · Local Download

Compliance & certifications

Built for sensitive data.

EmberKeep is designed to meet the compliance requirements of the most regulated industries — healthcare, finance, and legal — because that is the level of care your information deserves.

Active

Healthcare-level security practices

  • Encryption at rest and in transit aligned with HIPAA Technical Safeguards
  • Access controls with unique user identification and automatic logoff
  • Audit logs for all access to protected information
  • Data integrity controls and transmission security

In progress

Business Associate Agreement — Roadmap

  • BAA execution planned as part of infrastructure roadmap
  • Evaluating HIPAA-eligible cloud services for BAA coverage
  • Covers database, storage, and related services
  • Timeline aligned with enterprise compliance milestones

Roadmap

SOC 2 Type II — compliance roadmap

  • SOC 2 audit process initiated
  • Controls mapped to Trust Services Criteria
  • Clerk (authentication) is SOC 2 Type II certified
  • Full SOC 2 Type II certification targeted for 2026

Active

California CCPA compliant

  • Right to know what personal information is collected
  • Right to deletion — full account and data purge on request
  • Right to opt-out of sale (we never sell data)
  • Right to non-discrimination for exercising CCPA rights

🏥 Healthcare-level security · 📋 SOC 2 roadmap · 📄 BAA roadmap · 🌍 CCPA compliant · 🔒 Supabase RLS · 🔐 Clerk SOC 2 Type II

Data Portability & Business Continuity

Your data is yours.

Export your complete vault anytime as a PDF or downloadable backup.

90-day discontinuation notice

EmberKeep commits to providing 90 days' notice before any discontinuation of service, ensuring you have time to export your data.

Enterprise encryption

All vault data is stored with AES-256 encryption at rest in Supabase's SOC 2 Type II certified infrastructure.

Business continuity commitments

  • Export your complete vault as PDF anytime
  • Download a full backup of all vault data as JSON
  • 90 days' advance notice before any service discontinuation
  • AES-256 encryption at rest on all vault data
  • SOC 2 Type II certified infrastructure (Supabase)
  • No vendor lock-in — your data is always portable

Trusted with life's most important information

Start organizing your most important information.

Your family deserves to know exactly what you have, where it is, and what you want. EmberKeep protects that information with the security it deserves.

Free to start · $99 Eternal · AES-256 encryption · 30-day money-back guarantee