Compliance

Privacy is built into Iluuna's architecture, not added as an afterthought. We collect the minimum information necessary to operate the platform. We do not sell or broker personal data.

Estate content — including documents, family information, and deceased details — is never used for advertising, AI model training, or any secondary purpose.

We review privacy implications before adding new features that involve personal data.

Access to data within Iluuna is governed by explicit roles and permissions. These controls are enforced at the database level.

Collaborators can only access estate workspaces they have been explicitly invited to. Within a workspace, permissions are scoped by role — executor, family member, attorney, or advisor.

Iluuna staff access to customer data is restricted, requires explicit authorization, and is logged.

Iluuna maintains an activity log for every estate workspace. Each action taken — uploading a document, completing a task, inviting a member — is recorded with the acting user and a timestamp.

These logs are visible to authorized workspace users and support accountability within the estate administration process.

System-level events are logged separately for internal security monitoring.

Documents are stored in private, access-controlled cloud storage. No document is publicly accessible. Access is gated by authentication and workspace permissions, enforced on every request.

Documents are encrypted at rest. File access uses short-lived signed URLs, limiting exposure if a URL is intercepted.

We use managed cloud infrastructure from established providers — Supabase (PostgreSQL database and file storage, hosted on AWS) and Stripe (payment processing).

Data is stored in Canada where our infrastructure providers support it. Some auxiliary services may process data in other jurisdictions. Our Privacy Policy describes data sharing with service providers.

We keep software dependencies current and monitor for known security vulnerabilities.

The Personal Information Protection and Electronic Documents Act (PIPEDA) applies to how we handle personal information of Canadian users. We are committed to operating in alignment with PIPEDA's 10 fair information principles:

• Accountability — we take responsibility for the information under our control.
• Identifying purposes — we identify why we collect personal information before or at the time of collection.
• Consent — we obtain consent for the collection, use, and disclosure of personal information.
• Limiting collection — we collect only what is necessary for the identified purposes.
• Limiting use, disclosure, and retention — we use personal information only for the purposes for which it was collected.
• Accuracy — we keep information accurate, complete, and up-to-date.
• Safeguards — we protect information with security appropriate to its sensitivity.
• Openness — we make our privacy policies and practices available.
• Individual access — we respond to individual requests to access their personal information.
• Challenging compliance — individuals can raise concerns about our compliance with these principles.

Iluuna does not currently hold formal third-party compliance certifications such as SOC 2, ISO 27001, or HIPAA. We are transparent about this.

Our infrastructure providers (Supabase, AWS) do maintain their own certifications, which extend certain baseline security guarantees to our use of their platforms.

We intend to pursue formal certifications as the platform matures. Organizations with specific certification requirements should contact us to discuss your needs.

We are actively working toward stronger compliance posture. Our near-term roadmap includes:

• Multi-factor authentication (MFA) for all accounts
• Formal data processing agreement (DPA) available on request
• Security audit by a third-party assessor
• SOC 2 Type I assessment (target: 2027)
• Dedicated privacy officer appointment

If you have compliance questions, are conducting a vendor assessment, or have specific data handling requirements, contact us at legal@iluuna.com.

We take procurement and compliance conversations seriously and are happy to provide additional documentation on request.