
Security Overview

How we protect your data at Exhale Vault.

1. Encryption at Rest

All personal information stored in Exhale Vault is encrypted at the database level using field-level encryption. This means each piece of sensitive data is individually encrypted — not just the disk it sits on.

Encrypted fields include:

  • Identity data — names, email addresses, phone numbers, physical addresses.
  • Vault contents — item names, descriptions, collection details, and all rich text content.
  • Sensitive documents — credentials (usernames, passwords), banking records (account numbers, card numbers, routing numbers), and all document details.
  • Billing information — billing email and any additional billing details.
  • Authentication tokens — OAuth access tokens and secrets for connected accounts.

Fields that must remain searchable (such as the email address used for login) use deterministic encryption, which allows exact-match lookups without decrypting every row in the database. All other sensitive fields use randomized encryption with a unique initialization vector per value, so identical values never produce the same ciphertext; this is the stronger mode and is used wherever searching is not required.
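The difference between the two modes, as an added example that is not Exhale Vault's own code: both use AES-256-GCM from Ruby's openssl standard library; the randomized mode draws a fresh IV per write, while the deterministic mode derives the IV from an HMAC of the plaintext so that equal values encrypt identically and an indexed column can answer an exact-match lookup. The key, the IV derivation and the storage format are assumptions for the demo, not the product's scheme (a production system would use a purpose-built primitive such as AES-GCM-SIV or its framework's deterministic mode).

```ruby
require 'openssl'
require 'securerandom'

# Constructed demo key (assumption); a real deployment loads it from a secrets store.
KEY = OpenSSL::Digest.digest('SHA256', 'exhale-vault-demo-key-material')
# Separate key for IV derivation so the encryption key is not also used as an HMAC key.
IV_KEY = OpenSSL::Digest.digest('SHA256', KEY + 'iv-derivation')

# Shared AES-256-GCM sealing routine. IV and GCM tag are stored next to the
# ciphertext (hex, colon-separated); neither needs to be secret.
def seal(plaintext, key, iv)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  cipher.key = key
  cipher.iv = iv
  ciphertext = cipher.update(plaintext) + cipher.final
  [iv, cipher.auth_tag, ciphertext].map { |b| b.unpack1('H*') }.join(':')
end

# Randomized mode: a fresh 12-byte IV per write, so two writes of the same
# value produce different ciphertexts and nothing about equality leaks.
def encrypt_randomized(plaintext, key = KEY)
  seal(plaintext, key, SecureRandom.random_bytes(12))
end

# Deterministic mode: the IV is an HMAC of the plaintext, so the same value
# always yields the same ciphertext and can be matched without decrypting.
def encrypt_deterministic(plaintext, key = KEY)
  iv = OpenSSL::HMAC.digest('SHA256', IV_KEY, plaintext)[0, 12]
  seal(plaintext, key, iv)
end

# Decrypts either format. GCM verifies the tag, so any modification of the
# stored blob raises OpenSSL::Cipher::CipherError instead of returning garbage.
def decrypt(blob, key = KEY)
  iv, tag, ciphertext = blob.split(':').map { |h| [h].pack('H*') }
  cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  cipher.key = key
  cipher.iv = iv
  cipher.auth_tag = tag
  cipher.update(ciphertext) + cipher.final
end

# Exact-match lookup over a constructed "table" whose email column holds
# deterministic ciphertexts: encrypt the query value and compare, no decryption.
def find_by_email(rows, email)
  needle = encrypt_deterministic(email)
  rows.find { |row| row[:email_ciphertext] == needle }
end

if __FILE__ == $PROGRAM_NAME
  rows = [
    { id: 1, email_ciphertext: encrypt_deterministic('alice@example.com') },
    { id: 2, email_ciphertext: encrypt_deterministic('bob@example.com') }
  ]
  puts find_by_email(rows, 'bob@example.com')[:id]
  puts encrypt_randomized('hello') != encrypt_randomized('hello')
end
```

The trade-off the page describes is visible here: the deterministic column reveals which rows share an email (which is exactly what a login lookup needs), while the randomized column reveals nothing about equality, which is why it is the default for fields that are never searched.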

2. Encryption in Transit

All connections to Exhale Vault use HTTPS with TLS encryption. We enforce this in several ways:

  • HTTP requests are automatically redirected to HTTPS.
  • We enforce HTTP Strict Transport Security (HSTS), which tells your browser to always connect securely — even if you type a plain HTTP address.
  • All cookies are marked as secure, meaning they're only transmitted over encrypted connections.
  • TLS (SSL) certificates are managed and renewed automatically.

3. Authentication

Your password is hashed using bcrypt with a work factor (cost) of 12. Even if someone obtained a copy of our database, they could not feasibly recover your password from its hash.

Two-factor authentication (2FA) is available for all accounts. We support time-based one-time passwords (TOTP) compatible with any standard authenticator app. When you enable 2FA, you also receive one-time backup codes for account recovery.

Additional protections:

  • Password reset tokens expire after 6 hours.
  • After a password reset, automatic sign-in is suppressed for accounts with 2FA enabled.
  • Sensitive data — passwords, tokens, email addresses, IP addresses, and names — is filtered from all application logs.
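One way the log-filtering rule above can be enforced, as an added example that is not Exhale Vault's own code: a recursive filter that redacts request parameters both by key (password, token, email, IP and name fields) and by value pattern (anything that looks like an email address or IPv4 address, even under an innocuous key) before the line is written. The key list, the placeholder string and the sample parameters are constructed for the demo.

```ruby
require 'json'

# Keys whose values are always redacted, compared case-insensitively after
# converting symbols to strings (assumption: modelled on the page's list).
FILTERED_KEYS = %w[
  password password_confirmation token access_token refresh_token secret
  email ip remote_ip name first_name last_name
].freeze

# Value patterns redacted wherever they occur, so a free-text "note" field
# cannot smuggle an address or email into the log.
EMAIL_RE = /[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}/i
IPV4_RE  = /\b(?:\d{1,3}\.){3}\d{1,3}\b/
PLACEHOLDER = '[FILTERED]'

def filtered_key?(key)
  !key.nil? && FILTERED_KEYS.include?(key.to_s.downcase)
end

# Returns a copy of params with sensitive values replaced. Hashes and arrays
# are walked recursively; scalars under a filtered key are replaced whole,
# other strings are scanned for email/IP patterns.
def filter_for_log(value, key = nil)
  case value
  when Hash
    value.each_with_object({}) { |(k, v), out| out[k] = filter_for_log(v, k) }
  when Array
    value.map { |v| filter_for_log(v, key) }
  when String
    return PLACEHOLDER if filtered_key?(key)
    value.gsub(EMAIL_RE, PLACEHOLDER).gsub(IPV4_RE, PLACEHOLDER)
  else
    filtered_key?(key) ? PLACEHOLDER : value
  end
end

# The only path from request params to a log line: filtering is not optional.
def log_line(params)
  "request params=#{JSON.generate(filter_for_log(params))}"
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample request; 203.0.113.7 is a documentation-range address.
  sample = {
    'user' => { 'email' => 'alice@example.com', 'password' => 'hunter2' },
    'note' => 'reach me at alice@example.com from 203.0.113.7'
  }
  puts log_line(sample)
end
```

Key-based filtering alone misses values that arrive under unexpected keys, and pattern-based filtering alone misses passwords (which have no recognizable shape); combining both is what makes "filtered from all application logs" a property you can test rather than a convention developers must remember.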

4. Permissions & Access Control

Exhale Vault distinguishes between two types of people: users and contacts.

Users can sign in to Exhale Vault, take actions, and manage content based on their role. Contacts are people you've added to your vault — family members, attorneys, financial advisors, and others — but they cannot sign in or access the application directly. They exist so you can organize important information about the people in your life.

Vault ownership

Every vault has an owner — the user who created it. The owner has full administrative access to everything in the vault: lists, items, documents, and settings. Ownership cannot be transferred or revoked.

Vault holders

Each vault has one or two holders — the people the vault is for. A vault with one holder is organizing information for a single person. A vault with two holders is organizing information for a couple.

Holders can be either users (who can sign in) or contacts (who cannot). The vault is named after its holders, and items within the vault can be shared between both holders or split into individual copies — so each person has their own version of something like a life insurance policy or medical directive. Holder records are protected from accidental deletion.

Account roles

Every user on your account has an account role that controls what they can do at the account level:

  • Admin — can manage account settings, billing, and other users on the account.
  • Member — can use the account but cannot change account settings, billing, or manage other users.

Account roles only govern account-level functions. Access to vault content is controlled separately through permissions.

Vault permissions

Vault permissions are a separate system that controls what a user can see and do inside a vault. When you grant someone access to a vault, they're assigned a permission level:

  • Admin — full control over the vault and everything inside it, including managing other users' permissions.
  • Editor — can create, edit, and organize vault content (lists, items, documents, contacts). Cannot manage permissions.
  • Viewer — read-only access. Can view vault content but cannot create, edit, or delete anything.

Permissions are granular — they can be set at the vault level, the list level, or even on individual items and documents. A user might have editor access to one list and viewer access to another within the same vault.

Permissions also inherit downward: if you grant someone editor access to a vault, they automatically have editor access to every list, item, and document inside it — unless a more specific permission overrides that default.
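The inheritance rule in the two paragraphs above, as an added example that is not Exhale Vault's own code: each resource points at its parent (document, item, list, vault), and the effective permission is the first explicit grant found walking from the resource upward, so a grant on a list overrides one on the vault and a grant on an item overrides both. The resource graph, the grant table and the action-to-level mapping are constructed for the demo.

```ruby
# Permission levels from least to most capable.
LEVELS = %w[viewer editor admin].freeze

# Minimum level each action requires (assumption based on the page's descriptions).
REQUIRED_LEVEL = { read: 'viewer', write: 'editor', manage_permissions: 'admin' }.freeze

# Constructed hierarchy: each resource knows its parent; the vault has none.
RESOURCES = {
  'vault:1'  => { parent: nil },
  'list:10'  => { parent: 'vault:1' },
  'list:11'  => { parent: 'vault:1' },
  'item:100' => { parent: 'list:10' },
  'doc:1000' => { parent: 'item:100' }
}.freeze

# Constructed explicit grants: user => { resource => level }.
GRANTS = {
  'alice' => { 'vault:1' => 'editor', 'list:11' => 'viewer' }, # vault-wide editor, read-only on one list
  'bob'   => { 'list:10' => 'viewer' }                          # access to a single list only
}.freeze

# Walk from the resource up to the vault and return the first explicit grant.
# The most specific grant wins; an ancestor's grant applies only when nothing
# closer overrides it. Returns nil when no grant exists anywhere in the chain.
def effective_permission(user, resource, grants: GRANTS, resources: RESOURCES)
  node = resource
  while node
    level = grants.dig(user, node)
    return level if level
    node = resources.fetch(node)[:parent]
  end
  nil
end

# Authorization check: deny when there is no grant, otherwise compare ranks.
def can?(user, action, resource, grants: GRANTS, resources: RESOURCES)
  level = effective_permission(user, resource, grants: grants, resources: resources)
  return false if level.nil?
  LEVELS.index(level) >= LEVELS.index(REQUIRED_LEVEL.fetch(action))
end

if __FILE__ == $PROGRAM_NAME
  puts effective_permission('alice', 'doc:1000') # editor, inherited from vault:1
  puts effective_permission('alice', 'list:11')  # viewer, the more specific grant
  puts can?('bob', :read, 'doc:1000')            # true, via list:10
  puts can?('bob', :read, 'list:11')             # false, no grant in the chain
end
```

Two design points worth noting: the lookup fails closed (an unknown resource raises and an absent grant denies), and the override is structural rather than additive, so a narrower viewer grant really does restrict a user who is an editor on the containing vault.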

5. Payment Security

All payment processing is handled by a PCI DSS Level 1 certified payment processor — the highest level of certification in the payment industry.

Your credit card number never touches our servers. When you make a purchase, you're taken to a hosted checkout page run by our payment processor. Card details are entered directly on their infrastructure. We receive only a customer ID and transaction confirmation.

A note about vault-stored financial records: your Exhale Vault may contain documents where you've recorded your own financial information (card numbers, account numbers, PINs) as personal records. These are encrypted at rest like all vault content and are entirely separate from our payment processing — they're treated as your private documents, not as payment instruments.

6. File Storage

Uploaded files — photos, documents, avatars — are stored on private cloud storage in the United States.

  • The storage bucket is private — it is not publicly accessible.
  • Files are served through our application using a proxy, not via direct storage URLs. This means every file request goes through our authentication layer first.
  • There are no publicly accessible file URLs. You must be authenticated and authorized to access any file.

7. Data Deletion

When you delete items from your vault, they are soft-deleted — moved to trash and recoverable for 30 days. After 30 days, they are permanently removed from the database.

When you delete your account, we use hard-delete — your data is irrecoverably removed from the database in a single transaction. This includes all vaults, lists, items, documents, contacts, conversations, and associated records. Uploaded files are removed from our storage servers within 30 days.

Most data in your vault uses soft-delete during normal operation, giving you a safety net against accidental deletion. Account closure bypasses this and deletes everything permanently.

8. AI Data Handling

AI features are gated by a three-tier consent model. You control whether AI features are active, which vaults the AI can access, and whether to grant access on a per-session basis. See our Privacy Policy for full details.

Your data is classified into three tiers:

  • Tier 1 (structural) — vault names, list names, item counts. Shared with AI only when you've enabled the coach.
  • Tier 2 (personal) — item names, contact names. Shared only with explicit vault-level consent.
  • Tier 3 (sensitive) — document contents, credentials, banking details, billing info. Never sent to any AI provider, under any circumstances. This is enforced in code.

We do not train AI models on your data. AI processing uses real-time API calls — your data is not retained by providers beyond their standard processing windows.
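The three-tier classification and the "enforced in code" claim above, as an added example that is not Exhale Vault's own code: every field carries a tier, the consent state determines the highest tier a request may include, and tier 3 fields are dropped unconditionally before anything is sent, so no combination of consent settings can include them. Unclassified fields are rejected rather than passed through. The field-to-tier mapping, the consent structure and the sample record are constructed for the demo.

```ruby
# Tier of each field (assumption: constructed from the page's three bullet points).
TIERS = {
  'vault_name' => 1, 'list_names' => 1, 'item_count' => 1,
  'item_names' => 2, 'contact_names' => 2,
  'document_contents' => 3, 'credentials' => 3, 'banking_details' => 3, 'billing_info' => 3
}.freeze
SENSITIVE_TIER = 3

# Consent for one session (constructed): whether the AI coach is enabled at
# all, and which vaults have been granted tier 2 (personal) access.
Consent = Struct.new(:coach_enabled, :tier2_vaults, keyword_init: true)

# Highest tier the current consent permits for this vault. 0 means nothing.
def allowed_tier(consent, vault_id)
  return 0 unless consent.coach_enabled
  consent.tier2_vaults.include?(vault_id) ? 2 : 1
end

# Build the payload for the AI provider from a vault record.
# Tier 3 is removed first and without reference to consent; only then are the
# remaining fields filtered by the allowed tier. Unknown fields fail closed.
def ai_payload(vault_id, record, consent)
  max_tier = allowed_tier(consent, vault_id)
  record.each_with_object({}) do |(field, value), out|
    tier = TIERS.fetch(field) { raise ArgumentError, "unclassified field: #{field}" }
    next if tier >= SENSITIVE_TIER
    out[field] = value if tier <= max_tier
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample record spanning all three tiers.
  record = {
    'vault_name' => 'Smith Family', 'item_count' => 12,
    'item_names' => ['Life insurance', 'Medical directive'],
    'credentials' => { 'user' => 'jsmith', 'password' => 'constructed-secret' }
  }
  consent = Consent.new(coach_enabled: true, tier2_vaults: ['vault:1'])
  p ai_payload('vault:1', record, consent) # tiers 1 and 2, never credentials
end
```

Separating the "never" rule from the consent rule matters for review: an auditor can confirm that tier 3 is excluded by reading one line that takes no input from user settings, instead of reasoning about every consent combination.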

For details on what data we collect and how we use it, see our Privacy Policy. For our terms of use, see our Terms of Service. Questions? Email us.