Security
Security is the product.
You are trusting us with your family's most sensitive information. Here is exactly how we protect it — in plain language, with specifics.
Zero-knowledge encryption.
We cannot read your vault. Ever. Not our engineers, not our CEO, not anyone with database access. This is not a promise — it is a mathematical impossibility.
AES-256-GCM encryption
The same encryption standard used by the US government for top-secret data. Every vault entry is encrypted with a unique initialization vector (IV) and authenticated to prevent tampering.
PBKDF2 at 600,000 iterations
Your vault password is used to derive an encryption key using PBKDF2 — 600,000 iterations, the 2023 OWASP recommendation and the same standard used by 1Password.
Your password never leaves your device
Encryption happens on your device before data is transmitted. We never see your vault password. We cannot recover it if you lose it. This is by design.
Encrypted before it reaches us
Your vault contents are encrypted ciphertext before they leave your browser. Our servers store only ciphertext, IVs, and salts. We never see plaintext vault data.
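The scheme described above, sketched with the Web Crypto API as an added example (not Passed Plan's own code). The PBKDF2 hash (SHA-256), the 16-byte salt, the 12-byte IV, and all function and field names are assumptions; the page states only the algorithm names and the iteration count.

```javascript
// Added example, not Passed Plan's code. Assumed: PBKDF2-HMAC-SHA-256,
// 16-byte salt, 12-byte IV, and every function/field name used here.
const webcrypto = globalThis.crypto ?? require("node:crypto").webcrypto;
const subtle = webcrypto.subtle;
const ITERATIONS = 600000; // iteration count stated on the page

// Stretch the vault password into a 256-bit AES-GCM key.
async function deriveKey(password, salt) {
  const material = await subtle.importKey(
    "raw", new TextEncoder().encode(password), "PBKDF2", false, ["deriveKey"]);
  return subtle.deriveKey(
    { name: "PBKDF2", hash: "SHA-256", salt, iterations: ITERATIONS },
    material,
    { name: "AES-GCM", length: 256 },
    false, // non-extractable: page script cannot export the raw key bytes
    ["encrypt", "decrypt"]);
}

// Encrypt one vault entry on the client. The returned record (salt, IV,
// ciphertext) is everything a server would need to store.
async function encryptEntry(password, plaintext) {
  const salt = webcrypto.getRandomValues(new Uint8Array(16));
  const iv = webcrypto.getRandomValues(new Uint8Array(12)); // fresh IV per entry
  const key = await deriveKey(password, salt);
  const ct = await subtle.encrypt(
    { name: "AES-GCM", iv }, key, new TextEncoder().encode(plaintext));
  return { salt, iv, ciphertext: new Uint8Array(ct) }; // 16-byte GCM tag is appended
}

// Decrypt an entry; rejects if the password is wrong or the record was altered.
async function decryptEntry(password, record) {
  const key = await deriveKey(password, record.salt);
  const pt = await subtle.decrypt(
    { name: "AES-GCM", iv: record.iv }, key, record.ciphertext);
  return new TextDecoder().decode(pt);
}

// True if the record authenticates and decrypts under this password.
async function canDecrypt(password, record) {
  try { await decryptEntry(password, record); return true; }
  catch { return false; }
}
```

A wrong password and a modified record fail the same way: the GCM tag check rejects before any plaintext is returned.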
Built on infrastructure you already trust.
Every component of our stack is independently audited and certified.
| Service | Provider | Certification |
|---|---|---|
| Database | Supabase | SOC 2 Type II |
| Hosting | Vercel | SOC 2 Type II |
| Payments | Stripe | PCI DSS Level 1 |
| Email | Resend | SOC 2 Type II |
| Video | Mux | SOC 2 Type II |
| File storage | Backblaze B2 | SOC 2 Type II |
We test what we claim.
Security claims without testing are marketing. Here is what we have actually verified.
Internal penetration test completed May 2026
34 tests across 10 attack categories. 10 vulnerabilities found and fixed. Full report available to enterprise customers on request.
Professional penetration test
Scheduled before public launch. Results will be published on this page.
Rate limiting on all sensitive endpoints
Login, signup, AI features, death verification, and all API endpoints are rate-limited using Upstash Redis. Brute-force attacks are blocked automatically.
Security headers on every response
Strict-Transport-Security (HSTS with preload), X-Frame-Options: DENY, Content-Security-Policy, X-Content-Type-Options: nosniff, Referrer-Policy, and Permissions-Policy.
Your data. Your control.
You own your vault. We operate the infrastructure that protects it. That is the entire relationship.
Zero-knowledge means zero access
Even a court order cannot compel us to produce your vault contents — we do not have the decryption key. You do. This is a mathematical guarantee, not a policy decision.
Delete anytime — permanently
Account deletion is immediate and irreversible. We cannot recover deleted vault data. Your data is purged from all systems, backups included, within 30 days.
No advertising. No data sales. Ever.
We do not sell your data, build advertising profiles, or share your information with any third party except the infrastructure providers listed above. Our revenue is subscriptions. Period.
Service continuity commitment
If Passed Plan ever ceases operations, you receive 90 days' notice and full vault export tools. Your family's access does not depend on our company surviving.
Report a vulnerability
Found a security issue? We want to know. Email security@passedplan.com — we respond within 24 hours. We pay for verified vulnerabilities.