Security Whitepaper

1. Executive Summary

This Security Whitepaper describes the security safeguards Afterword puts in place to protect you and your data.

Afterword is a suite of products that helps families make important decisions after a loved one dies. Our products are used during private moments and sensitive times. As such, our engineering culture stresses the importance of privacy and security at every step in our development process. From architecture discussions to design documents, code reviews to deployments, we search for and mitigate security concerns. Below are the core methods with which we safeguard our platform:

Infrastructure & Physical Security. Afterword products run on Google’s infrastructure in their secured data centers. Google’s Cloud includes active monitoring, total system logging, and security best practices & compliance controls. More information on the security features of Google’s Cloud can be found in their security whitepaper.

Encryption & Access Control. Data are encrypted at rest and in-transit using AES 256 and HTTPS/TLS, respectively. Each User’s dataset is logically separated with multi-level permissions at the application level. User Authentication and service integrations utilize OAuth2 where available.

Application and Operational Security. All Afterword employees use two-factor authentication for all credentials relating to the product. We base many application decisions on OWASP guidelines; for example, sessions are securely managed via encrypted cookies and include XSRF protection. No sensitive data are exposed and no data can be injected unless a User is appropriately authenticated.

2. Security & Culture

Afterword has created a vibrant and inclusive security culture for all employees. The influence of this culture is apparent during the hiring process, employee onboarding, and as part of ongoing training.

2.1. Employee Background Checks

Before they join our staff, Afterword will verify an individual’s education and previous employment, and perform internal and external reference checks. Where local labor law or statutory regulations permit, Afterword may also conduct criminal, credit, immigration, and security checks. The extent of these background checks is dependent on the desired position.

2.2. Security training and Acceptable Use

All Afterword employees undergo security training as part of the orientation process and receive annual security training throughout their careers at Afterword. New employees must agree to our Code of Conduct, which emphasizes our commitment to keep customer information safe and secure. Depending on their job role, additional training on specific aspects of security may be required. Afterword Engineering’s dedicated security and privacy leads share best practices and manage continued security education.

3. Data Security

3.1. Encryption & Privacy

Data are encrypted both at rest and in-transit using AES 256 and HTTPS/TLS, respectively.

Afterword will not share your data with third parties unless you’ve given explicit approval. For more information, see our privacy policy.

3.2. Administrative Access

To keep data private and secure, Afterword logically separates customer data from that of other customers, even when it’s stored on the same physical server. Only a small group of Afterword employees have access to customer data, which when used is logged and audited periodically. Access rights are reviewed quarterly. These access rights and levels are based on their job function and role, using the concepts of least-privilege and need-to-know to match access privileges to defined responsibilities. No root credentials are shared between employees. All Afterword employees use two-factor authentication for product credentials.

4. Infrastructure Security

Afterword products run on Google’s state-of-the-art data centers. Google’s Cloud includes active monitoring, total system logging, and security best practices & compliance controls. They include all industry-best safeguards and more—you can read about Google’s Data Centers here.

4.1. Backups & Disaster Recovery

We perform regular backups to ensure data are safe from media failure or other catastrophic events. Afterword tests these backups regularly to improve performance during possible incidents.

5. Application Security

Afterword bases many application decisions on the OWASP guidelines. For example, sessions are securely managed via encrypted cookies and include XSRF protection. No sensitive data are exposed and no data can be injected unless a User is appropriately authenticated. Before any code is deployed to production, it must pass all automated security tests, peer security code reviews, and QA approvals.

5.1. Access Control

Currently, Afterword is accessible as a web app only. Users may access parts of Afterword’s suite of products without a login account. When handling sensitive, confidential, or personal data, users access Afterword using their accounts via standard OAuth2 flows or “magic-link” login passkeys.

5.2. Vulnerability Management

Afterword administers a vulnerability management process that actively scans for security threats using commercially available, intensive automated and manual penetration efforts, QA processes, software security reviews and external audits. Once a vulnerability requiring remediation has been identified, it is logged, prioritized according to severity, and assigned an owner. The Engineering team tracks such issues and ensures they are remediated in a timely manner.

5.3. Monitoring

Afterword automatically monitors and manually inspects traffic for suspicious behavior. The analysis is performed using commercial and open-source tools. In addition, Afterword’s Security leads subscribe to industry- and technology-specific listservs on security & risk mitigation.

5.4. Incident Management

If an incident occurs, the security team logs and prioritizes it according to its severity. Events that directly impact customers are assigned the highest priority. This process specifies courses of action, notification procedures, escalation, and mitigation. If an incident involves customer data, Afterword will inform the customer and support investigative efforts via our support team.

6. Certifications

Afterword runs on world-class infrastructure provided by Google’s Cloud Platform. Google has a comprehensive set of annual audits, including: Safe Harbor, SSAE 16 / ISAE 3402 Type II (SOC 2 & SOC 3), ISO 27001, PCI DSS v3.0, and FISMA Moderate accreditation.