Security & Privacy

Your family's memories deserve fortress-level protection.

We treat your family's data the way you'd treat a physical safe — locked, encrypted, and accessible only to those you trust.

Defense in depth

Multiple layers of protection


End-to-end encryption

All files are encrypted using AES-256 before leaving your device. Your family's photos, videos, and documents are unreadable to anyone — including us — without your encryption keys.

AES-256 · TLS 1.3 in transit

AWS S3 secure storage

Files are stored on Amazon S3 with server-side encryption enabled by default. Redundant across multiple geographic regions, so your data survives hardware failures.

SSE-S3 · Multi-region redundancy

Presigned URL access

Files never pass through our servers. When you upload or download, your device communicates directly with S3 via time-limited presigned URLs that expire in minutes.

Zero-knowledge file transfer

Invite-only family vaults

Every vault is private by default. Only members with a valid invite link can join. Admins control exactly who has access and what they can do.

Role-based access control

Audit logging

Every document download, member change, and admin action is logged. Admins can review who accessed what and when — critical for sensitive heirloom documents.

Immutable access log · Admin visible

Stripe-secured payments

Payment data never touches our servers. All billing is handled by Stripe, which is PCI DSS Level 1 certified — the highest standard for card data security.

PCI DSS Level 1 · No card data stored
How your data flows

Files never touch our servers

Your device (encrypts file locally) → Presigned URL (expires in 5 min) → AWS S3 (AES-256 at rest)

Our servers only handle metadata (file names, timestamps, family relationships). The actual content — your photos, videos, and documents — goes directly to encrypted storage.

Compliance

Built to meet global standards

GDPR

Right to access, correct, and delete your data. Data stored in compliant regions.

CCPA

California residents can request data deletion and opt out of any data sharing.

SOC 2

SOC 2 Type II audit in progress. Expected completion 2026.

COPPA

Child member accounts require admin (parent/guardian) approval and oversight.

Found a security issue?

We take security reports seriously. If you discover a vulnerability, please reach out directly before disclosing publicly. We'll respond within 24 hours.

security@progenyhub.com