Security

All data transmitted between your browser and Iluuna is encrypted using TLS (Transport Layer Security). This means your login credentials, estate data, and uploaded documents are protected in transit.

Documents stored in the Iluuna vault are encrypted at rest. The encryption keys are managed separately from the stored data.

Iluuna accounts are protected by email and password authentication. Passwords are hashed using industry-standard algorithms — we never store your password in plain text.

Sessions are managed with secure, time-limited tokens. Logging out invalidates your session immediately.

We strongly recommend using a strong, unique password for your Iluuna account. We plan to add multi-factor authentication (MFA) in a future release.

Access to data within Iluuna is controlled at multiple levels. Organization administrators can only access the estates and data belonging to their organization.

Estate-level access requires an explicit invitation. A family member, attorney, or advisor can only see an estate workspace if they have been invited to it by the executor or organization administrator.

Iluuna engineering and support staff do not have routine access to estate content. Access to production data is restricted, logged, and requires documented justification.

Each collaborator in an estate workspace is assigned a role — executor, family member, attorney, or advisor. Permissions vary by role.

For example, executors have full access to the workspace, while other collaborators may have read-only access to certain sections. Role-based permissions prevent over-sharing of sensitive information.

These permissions are enforced at the database level, not just the interface level — meaning they cannot be bypassed by manipulating the application.

Documents uploaded to Iluuna are stored in private, access-controlled storage. Files are not publicly accessible — every download request is authenticated and checked against your permissions.

Signed URLs with short expiry times are used for document access. These URLs expire quickly, limiting the window for unauthorized access if a link were to be shared.

Documents are associated with a specific estate workspace. Collaborators in one estate workspace cannot see documents from another, even within the same organization.

Iluuna maintains an activity log for each estate workspace. Every significant action — uploading a document, completing a task, inviting a collaborator — is recorded with a timestamp and the user who performed it.

This audit trail is visible to authorized users within the workspace. It helps families and executors understand what has happened and who took each action.

Activity logs are retained for the life of the estate workspace.

Each organization's data is logically isolated from all other organizations. Row-level security policies in our database ensure that one organization cannot access another's data, even if they share the same underlying infrastructure.

Estate workspaces within an organization are also isolated from one another — a collaborator on one estate cannot see data from a different estate, even if they belong to the same organization.

Iluuna is built on managed cloud infrastructure. Our database and storage infrastructure is provided by Supabase, which runs on AWS. Payment processing is handled by Stripe.

We rely on our infrastructure providers for physical security, network security, and hardware-level protections. These providers maintain their own rigorous security programs.

We keep our dependencies up to date and monitor for known vulnerabilities in third-party packages.

If you discover a security vulnerability in Iluuna, please report it to us responsibly. Email security@iluuna.com with a description of the vulnerability and steps to reproduce it.

Please do not publicly disclose the vulnerability until we have had a reasonable opportunity to address it. We will acknowledge your report within 48 hours and keep you informed of our progress.

We are grateful to security researchers who help make Iluuna safer.