How does Evaheld keep my data secure?

Data security for legacy preservation platforms is not merely a technical concern—it is a profound trust issue involving your most personal and sensitive information. Your memories, medical records, advance care directives, legal documents, passwords, financial information, and family details represent your entire life and legacy. Evaheld's comprehensive security approach protects this irreplaceable information through multiple overlapping layers of protection, ensuring your legacy remains private and secure.

The foundation of Evaheld's security is encryption—specifically, AES-256 encryption, the same standard used by banks, government agencies, and military organisations to protect their most sensitive data. AES stands for Advanced Encryption Standard, and the 256 refers to the encryption key length. This encryption is essentially unbreakable with current technology—it would take billions of years using the most powerful computers available to crack AES-256 encryption through brute force attempts. Your data is encrypted both "at rest" when stored on our servers and "in transit" when travelling between your device and our servers.

Encryption at rest means that your data is stored in encrypted form on our servers. Even if someone gained physical access to our servers or storage systems, they would find only encrypted data that is meaningless without the encryption keys. These encryption keys are themselves stored separately in secure key management systems, creating multiple layers of protection. No single person or system has access to both the encrypted data and the keys needed to decrypt it without authorisation.

Encryption in transit protects your data as it travels across the internet from your computer or mobile device to Evaheld's servers. We use HTTPS (Secure HTTP) with TLS (Transport Layer Security) encryption for all connections. This is the same technology that protects your banking transactions and online purchases, indicated by the padlock icon in your browser address bar. This encryption prevents anyone intercepting data in transit—perhaps someone monitoring public Wi-Fi networks—from reading the information being transmitted.

Data is stored in secure Australian data centres that meet international standards for physical and digital security. These data centres include physical security measures—24/7 security personnel, surveillance cameras, biometric access controls, secured perimeter fencing—ensuring that unauthorised individuals cannot physically access servers. Environmental controls protect against fire, flooding, and temperature extremes that could damage equipment. Redundant power supplies and internet connections ensure continuous operation even if primary systems fail.

Data redundancy and backups protect against data loss from hardware failures, natural disasters, or other catastrophic events. Your data is replicated across multiple servers in geographically separated locations, so if one data centre experiences problems, your information remains safe and accessible through other locations. We perform regular automated backups—typically multiple times daily—with retention of historical backups allowing recovery from accidental deletions or data corruption.

Network security protections defend against external attacks. Firewalls filter incoming and outgoing network traffic, blocking suspicious or malicious connections. Intrusion detection and prevention systems monitor for signs of hacking attempts or unusual activity, automatically blocking suspected attacks and alerting security teams. DDoS (Distributed Denial of Service) protection defends against attempts to overwhelm our systems with traffic and make the service unavailable.

Application security measures protect against software vulnerabilities that attackers might exploit. We follow secure coding practices during development, conduct regular security audits and penetration testing where ethical hackers attempt to find vulnerabilities, promptly apply security updates to all software components, and maintain vulnerability management programmes to identify and remediate security issues before they can be exploited.

Access controls limit who can view or modify data internally within Evaheld. Employees have access only to the minimal data necessary for their specific roles—support staff helping you with a technical issue might see your account information but not your personal content, for example. All access is logged and audited, creating an audit trail of who accessed what information and when. Background checks are performed on employees with data access, and all staff receive security training on protecting user information and recognising security threats.

Two-factor authentication (2FA), available for all user accounts, adds an extra security layer beyond passwords. With 2FA enabled, logging in requires both something you know (your password) and something you have (typically a code from your phone). This means that even if someone steals or guesses your password, they cannot access your account without also having access to your second factor. We support multiple 2FA methods including SMS codes, authenticator apps, and, for premium users, hardware security keys.

Password security follows industry best practices. We never store your password in readable form—instead, we use cryptographic hashing, a one-way transformation that allows verification of correct passwords without storing the actual password. If someone gained access to our user database, they would find only hashed passwords that cannot be reversed to obtain the actual passwords. We enforce minimum password complexity requirements—length, character variety—to prevent weak passwords vulnerable to guessing attacks.

Privacy protections complement security measures by limiting data collection and use. We collect only information necessary for providing Evaheld's services—your name, email, content you choose to upload. We never collect unnecessary personal information for marketing or profiling purposes. We never sell your data to third parties—your information is not a product we monetise through advertising or data brokerage. We never analyse your content for advertising targeting or other commercial purposes beyond providing the legacy preservation services you requested. We comply fully with Australian Privacy Principles under the Privacy Act 1988, giving you rights over your personal information including access, correction, and deletion.

Data sovereignty is ensured by storing Australian users' data in Australian data centres, subject to Australian privacy laws and legal protections. This prevents foreign governments or entities from accessing your data under foreign surveillance laws, a significant privacy protection compared to services storing data internationally where foreign legal systems may allow government access to user data without Australian legal protections.

Premium users receive enhanced security options for situations requiring additional protection. Enhanced authentication includes options beyond standard two-factor authentication, such as biometric authentication requirements or hardware security key mandates. Granular access controls allow specification of exactly when, how, and by whom content can be accessed—perhaps limiting access to certain Family Rooms only from specific devices or locations. Enhanced audit trails provide detailed logs of all access to your account and content, showing exactly who viewed what information at what times. These advanced features serve users managing particularly sensitive information or facing elevated security threats.

Secure sharing features ensure that when you share content through Family Rooms or Care Rooms, that sharing maintains security. Recipients access shared content through secure authenticated connections, not through insecure email attachments or public links. You control granular permissions for each room—view-only versus editing rights, specific document access, time-limited sharing. You can revoke access at any time, immediately preventing previously authorised people from accessing content. Sharing notifications alert you when people access shared content, providing transparency about who is viewing your information.

Secure data export ensures that if you want to download your data for local storage or migration to another platform, the export process maintains security. Data exports are available only to you through authenticated sessions, not through insecure methods like emailed links accessible to anyone. Exported data can include encryption for additional protection during storage on your personal devices.

Secure deletion when you choose to delete content or close your account ensures complete removal. When you delete content, it is removed from all systems including backups within a defined timeframe, typically 30 days to account for backup retention cycles. Account deletion removes all your personal information and content permanently, with no hidden retention of your data for marketing or other purposes. We provide deletion confirmation and can provide certificates of deletion if requested for compliance or legal purposes.

Incident response and breach notification procedures ensure transparent handling of any security incidents. We maintain security incident response plans defining how we detect, respond to, contain, and remediate security breaches. In the unlikely event of a data breach affecting user information, we notify affected users promptly as required by Australian privacy laws, explain what information was affected and what we are doing about it, and provide recommendations for protecting yourself such as changing passwords.

Compliance and certifications demonstrate our commitment to security standards. We work toward industry-recognised security certifications such as ISO 27001 for information security management. We undergo regular security audits by independent third-party assessors who evaluate our security controls and recommend improvements. We maintain compliance with relevant regulations including Australian privacy laws, international data protection standards, and healthcare information security requirements where applicable for medical information in Care Rooms.

Security is never "finished"—it is an ongoing commitment requiring continuous improvement as threats evolve and technology advances. We invest continually in security infrastructure, personnel, and processes. We monitor emerging threats and vulnerabilities, updating our defences accordingly. We participate in security research communities, learning from industry-wide security incidents and best practices. We view security not as a cost centre or compliance burden but as a fundamental responsibility to users trusting us with their irreplaceable legacies.

Ultimately, Evaheld's comprehensive security approach reflects our understanding that you are not just trusting us with data—you are trusting us with your legacy, your family's future access to your wishes and memories, and some of the most sensitive personal information that exists. We honour that trust through institutional-grade security measures protecting your information as carefully as banks protect financial assets or healthcare providers protect medical records. Your legacy is irreplaceable, and we protect it accordingly.
