Here at Everplans we are very serious about your security. We realize that you are trusting the Everplans service with the most important information and documents you own. Your important personal information is encrypted and protected with industry-leading technology. Security is part of our culture and an ongoing part of the life of our company.
Securing Your Data at Rest
Within our systems, all your data is stored using AES-256 encryption with a uniquely derived key for each user following the recommendations of NIST Special Publication 800-132. We encrypt every single personally identifiable field in the database, including your name and email address. For searching and indexing, we hash a small number of fields using HMAC. We apply the same encryption technique to all files you upload.
As with all systems such as ours, the security of your information depends on you. You must choose a strong password (we enforce that as best we can) and you should never share your password with anyone. Everplans provides a much more secure system for sharing information with those you care about via our deputy function.
Securing Your Data in Transit
All communications between you and Everplans are encrypted via SSL using 2048-bit certificates, and we require SSL on all communications. We are implementing perfect forward secrecy (https://en.wikipedia.org/wiki/Forward_secrecy) so that someone who eavesdrops on your communication will still not be able to decrypt the data, even in the event that our key is compromised.
Operational Procedures to Keep the Site Secure
Everplans follows best practices to keep your data secure. In addition to severely restricting access to operational environments (including private keys), we regularly audit our environments and code for security issues and apply patches expeditiously. We use commercial services that regularly check our site (including McAfee Secure) and we also retain our own security experts to probe and verify the security of our site.
Administrative Access to your Information
Because your security and privacy are paramount to us, we restrict our administrators' access to your account to the limited set of data necessary to help grant you access to your account (by triggering confirmation emails, for example) and help you restrict access to your account in urgent circumstances (such as by limiting or removing a deputy's access). Everplans administrators can never see the plan information that you fill out or any documents that you upload. They may have access to limited metadata (such as whether or not you uploaded a will) but not the data itself (they will never be able to see the will you uploaded). Everplans logs and regularly audits all accesses to your account, whether by you, an administrator or your deputies.