Trust & Security

How we protect your family’s information.

Your data is encrypted in transit and at rest, only shared with the family members you invite, and never used to train AI. We are actively working toward SOC 2 Type 2 certification.

  • AES-256 encryption
  • SOC 2 readiness in progress
  • Stripe-secured payments

Last Updated: May 18, 2026

1. Our security philosophy

Families share things with us they wouldn’t share with anyone else: end-of-life wishes, estate planning notes, stories about people they’ve lost. We treat that as a duty, not a feature. Every product decision starts from a simple question: if this were my family’s information, would I trust the way it’s being handled?

This page explains, in plain English, how we protect that information today and where we’re investing next.

2. How we protect family data

BestFarewell is built around the idea that a family is a group of people with different roles and different levels of access. You decide who joins your family, what role they have, and what they can see. Sensitive items like wills, trusts, beneficiary details, and advance directives are scoped to the family they belong to and the people you’ve invited into it.

Our database enforces these boundaries with row-level security policies, so access decisions are made by the database itself rather than relying on application code alone. Even if a piece of our application were misconfigured, the data layer would still refuse requests it isn’t authorized to serve.

3. How uploaded documents are stored

When you upload a will, trust, insurance policy, photograph, voice recording, or any other file, it’s stored in Supabase Storage with object-level access policies that match your family’s permissions. Files are encrypted at rest with AES-256, the same standard used by major financial institutions.

Uploaded documents are not indexed by search engines, are not shared with other BestFarewell users, and are not used to train any AI model, ours or anyone else’s.

If you delete a document, it’s removed from active storage. Backup copies cycle out on a regular schedule.

4. Who can access family or member data

By default, your family’s information is visible only to the people you’ve invited and the roles you’ve given them. We don’t share family data with advertisers, data brokers, or partners.

BestFarewell staff access to customer data is limited to a small number of engineers, requires a documented support reason (such as a ticket you’ve opened), and is logged. We don’t browse customer accounts for fun or curiosity, and we don’t train models on your content.

If a court order or other legal process compels disclosure, we push back where appropriate, narrow the scope where we can, and notify the affected user unless we’re prohibited from doing so.

5. Encryption basics

In transit

Every connection between your device and BestFarewell uses TLS 1.2 or higher. In practical terms, anything that travels between your browser or phone and our servers is scrambled in a way that an attacker on the same network cannot read.

At rest

Once your data reaches our servers, it’s stored with AES-256 encryption. If a hard drive in a data center were somehow removed, the data on it would be unreadable without the encryption keys, which are managed separately by our infrastructure provider.

6. Payment security via Stripe

We use Stripe to process every payment. When you enter a card, that information goes directly to Stripe through a secure form. BestFarewell never sees your full card number, expiration date, or CVC, and we don’t store them on our servers.

Stripe is certified to PCI DSS Service Provider Level 1, the highest level of payment-card security certification, and is SOC 2 Type 2 audited. If you want the full detail, Stripe publishes its security practices at stripe.com/docs/security.

7. Account security

Account sign-in is handled by Supabase Auth, which is SOC 2 Type 2 certified. Passwords are hashed using industry-standard algorithms; we never see your password in plain text. Sessions are short-lived and signed, and you can sign out of all devices from your account settings at any time.

If you suspect your account has been accessed without your permission, contact us immediately at security@bestfarewell.com.

8. Vendors and subprocessors

Wherever sensitive data lives, we work with vendors that hold SOC 2 or equivalent certifications and that we’ve reviewed for their security posture.

  • Supabase hosts our database, authentication, and file storage. SOC 2 Type 2 certified, HIPAA-eligible.
  • Stripe processes payments. PCI DSS Level 1 and SOC 2 Type 2 certified.
  • Resend sends our transactional email (account confirmations, invitations, notifications). SOC 2 Type 2 certified.
  • OpenAI powers Sage, our AI assistant. We use OpenAI’s enterprise data policy, under which your inputs are not used to train OpenAI’s models.
  • Vercel hosts the BestFarewell web application. SOC 2 Type 2 certified.
  • Twilio delivers SMS and voice notifications when you opt in. SOC 2 Type 2 certified.

We review each vendor’s security posture before onboarding and re-review on a regular cadence.

9. Working with security researchers

BestFarewell collaborates with independent cybersecurity engineers on vulnerability assessments and penetration testing. If you’re a security researcher and you believe you’ve found an issue, we want to hear about it.

Please report findings to security@bestfarewell.com with steps to reproduce, the affected URL or endpoint, and any supporting detail. We’ll acknowledge your report within two business days and keep you updated as we investigate.

We will not pursue legal action against good-faith security research that respects user privacy, avoids data exfiltration, and gives us a reasonable window to fix issues before public disclosure. We don’t yet run a formal bug bounty program, but we credit researchers in our changelog with permission.

10. Data retention

We keep your data for as long as your account is active so that your family’s information is there when you or your loved ones need it. You can update or delete content at any time from inside the app.

If you delete your account, we delete personal data within 30 days, with limited retention only for legal, tax, or fraud-prevention obligations. You can request a copy of your data or ask questions about retention at any time by emailing privacy@bestfarewell.com.

11. SOC 2 readiness

We are actively working toward SOC 2 Type 2 certification. We are not yet certified, and we won’t claim that we are. What we have done is adopt the controls the audit will measure us against: documented access reviews, vendor security reviews, encryption standards, change-management practices, and a written incident response plan.

We’ll update this page when our audit window opens and again when certification is issued. If you’re evaluating BestFarewell for an organization that needs a vendor security questionnaire today, write to security@bestfarewell.com and we’ll share what we have.

12. Reporting a security concern

If you spot something that looks wrong, or if you’re worried about the security of your account, email security@bestfarewell.com. We aim to acknowledge every report within two business days. For urgent issues (active account compromise, exposed credentials), flag the email subject as URGENT so it routes immediately.

For non-security questions, our general support inbox is hello@bestfarewell.com.

Related policies

For the full detail on how we collect and handle personal information, see our Privacy Policy. For the terms that govern your use of BestFarewell, see our Terms of Service.