AscenVent
✓ Security

How we protect your vault

You are trusting us with sensitive details. Here is what AscenVent protects today, and what is still on the roadmap.

Last updated: June 2026 · Questions? hello@ascenvent.co

The plain-English version: your saved wizard answers are encrypted with AES-256-GCM before they are written to the database, the encryption key stays on the server, documents live in private owner-scoped storage, and Postgres row-level security isolates user data. We are explicit about what version 1 does and what it does not yet do.

Current security posture

Application-layer encryption

Wizard answers are encrypted server-side with AES-256-GCM before they are written to the encrypted answers field. The browser never receives the encryption key. Legacy plaintext answer data is scrubbed to an empty object on save.
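One way the save path described above can look in Node.js, as an added example that is not AscenVent's own code. The `answers` and `answers_encrypted` column names, the `v1` envelope layout, the key being passed in as a parameter, and the use of the user ID as additional authenticated data are all assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// Encrypt one user's wizard answers into a versioned envelope string.
function encryptAnswers(key, userId, answers) {
  if (key.length !== 32) throw new Error('AES-256 needs a 32-byte key');
  const iv = crypto.randomBytes(12); // fresh 96-bit nonce for every write
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(userId, 'utf8')); // assumption: bind ciphertext to its owner
  const ct = Buffer.concat([cipher.update(JSON.stringify(answers), 'utf8'), cipher.final()]);
  const tag = cipher.getAuthTag(); // 16-byte GCM authentication tag
  return ['v1', ...[iv, tag, ct].map((b) => b.toString('base64'))].join('.');
}

// Decrypt and authenticate; throws if the envelope, tag, or owner does not match.
function decryptAnswers(key, userId, envelope) {
  const [version, iv, tag, ct] = envelope.split('.');
  if (version !== 'v1' || !iv || !tag || !ct) throw new Error('malformed envelope');
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, Buffer.from(iv, 'base64'), {
    authTagLength: 16, // reject truncated tags
  });
  decipher.setAAD(Buffer.from(userId, 'utf8'));
  decipher.setAuthTag(Buffer.from(tag, 'base64'));
  const pt = Buffer.concat([decipher.update(Buffer.from(ct, 'base64')), decipher.final()]);
  return JSON.parse(pt.toString('utf8'));
}

// Build the row to write: ciphertext goes in the encrypted field and the
// legacy plaintext field is scrubbed to an empty object on every save.
function buildRowForSave(key, userId, existingRow, newAnswers) {
  return {
    ...existingRow,
    answers: {}, // hypothetical legacy plaintext column
    answers_encrypted: encryptAnswers(key, userId, newAnswers), // hypothetical column
  };
}

// Constructed sample: a legacy row that still holds plaintext answers.
function demo() {
  const key = crypto.randomBytes(32); // in production the key comes from a server-held secret
  const legacy = { user_id: 'user-a', answers: { bank: 'Example Bank' } };
  const row = buildRowForSave(key, legacy.user_id, legacy, { bank: 'Example Bank', type: 'checking' });
  return { row, decrypted: decryptAnswers(key, row.user_id, row.answers_encrypted) };
}
```

Because the user ID is authenticated as associated data in this sketch, a ciphertext copied into another user's row fails decryption instead of returning the first user's answers.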

Data in transit

Production traffic is served over HTTPS/TLS. Sensitive encryption and export work runs on the server, not in browser code that would expose server secrets.

Row-level isolation

Profiles and document metadata are protected by Postgres row-level security policies scoped to the authenticated user. A normal user session can select, update, or delete only its own profile and document records.

Private document storage

Uploaded files live in a private vault bucket. Storage policies require the first path segment to match the authenticated user's ID, so files are owner-scoped and are not served through public URLs.

Encrypted exports

Portfolio exports can be generated as encrypted PDF packages. When you choose a password-protected export, the PDF is encrypted with AES-256.

What we store and what we do not

We are deliberate about what we ask for, because the safest data is data we never had.

| Category | What we store | What we do not store |
|---|---|---|
| Bank and investment accounts | Institution name, account type, beneficiary notes, and limited identifying details. | Online banking credentials, full passwords, or seed phrases. |
| Insurance policies | Carrier name, policy type, beneficiary names, and planning notes. | Claim portal credentials or passwords. |
| Physical security | A pointer to where combinations and access codes are kept. | Safe combinations, gate codes, or alarm codes themselves. |
| Crypto and digital assets | Which exchanges or wallets you use and where recovery material is kept. | Seed phrases, private keys, or wallet passwords. |
| Password manager | Which password manager you use and where emergency access is set up. | Master passwords or master recovery keys. |
| Documents | Uploaded copies of documents you choose to place in the vault. | Original legal documents unless you upload a copy yourself. |

Access controls

The product does not expose a staff-facing vault browser. Production access should be limited to documented operational need, and highly sensitive work should happen through narrow server-side paths rather than broad client-side access. We use environment-held server secrets for encryption and administrative operations.

If you believe your account has been accessed without authorization, contact hello@ascenvent.co immediately.

Beneficiary verification

AscenVent is designed around named beneficiaries, designated roles, tiered release settings, and review requirements. Before sensitive content releases, the release path is expected to require verification aligned to the tier and plan you configured.

No verification system is perfect. The strongest protection is keeping your named people, contact details, and review preferences current.

Incident response

We maintain a breach-response policy for security incidents that affect user data. If an incident affects your data, we will notify affected users within 72 hours of confirming the scope, tell you what data was affected, explain what we are doing to fix it, and make legally required notifications.

Read the full Breach Policy.

Roadmap, not current claims

The following protections are planned or under evaluation, but are not claimed as completed version 1 controls:

  • Formal SOC 2 examination.
  • Zero-knowledge architecture for the highest-sensitivity fields.
  • Cloud KMS or HSM-backed key management.
  • Recurring independent penetration testing.

We will update this page when those milestones are actually reached.

Responsible disclosure

If you discover a security vulnerability, please disclose it responsibly to hello@ascenvent.co with the subject line "Security Disclosure." Include a description, steps to reproduce it, and what data or systems you believe could be affected.

We will investigate in good faith and will not pursue legal action against a good-faith reporter.

© 2026 AscenVent, Inc. All rights reserved.
