Security Policy
Last Updated: April 26, 2026
The Estate Executor Tracker handles sensitive legal documents — death certificates, wills, financial records, and estate inventories. We take the security of these documents seriously. This page describes the security measures built into the Service.
No Passwords
The Service uses magic-link authentication. There are no passwords to create, remember, steal, or guess. When you access the Service, you enter your email address and receive a secure, one-time login link. This eliminates the entire category of password-based attacks — including credential stuffing, brute force, and password spraying.
Encryption in Transit
All data transmitted between your browser and the Service is encrypted using HTTPS (TLS). Magic links, document uploads, and all page requests are encrypted in transit. The Service does not accept unencrypted HTTP connections.
Document Security
Every uploaded document is protected by multiple layers:
- File validation: Every upload is verified by checking the actual file content (magic bytes), not just the filename extension. Only PDF, JPEG, and PNG files are accepted.
- Chain of custody: Every upload is recorded with a SHA-256 cryptographic hash, the uploader's IP address, and a UTC timestamp. This provides forensic verification if a document's authenticity is ever questioned.
- Access control: Documents are accessible only to the attorney who owns the case and the executor linked to that case. One attorney cannot access another attorney's documents under any circumstances.
- Download authorization: Every document download requires a time-limited signed token, verified against the requesting user's session and case ownership. Five sequential authorization checks must pass before any document is served.
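As an added illustration of the file-validation and chain-of-custody checks listed above (example code written for this page, not the Service's own implementation), the following validates an upload by its leading bytes rather than its name and then builds the custody entry. The signature table, function names and sample inputs are assumptions.

```python
import hashlib
from datetime import datetime, timezone
from typing import Optional

# Standard leading bytes ("magic bytes") of the three accepted formats.
# Assumption: the Service's own signature table is not published.
SIGNATURES = {
    "pdf": b"%PDF-",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
}
# Permitted filename extensions and the type each one claims.
ALLOWED_EXTENSIONS = {"pdf": "pdf", "jpg": "jpeg", "jpeg": "jpeg", "png": "png"}


def detect_type(data: bytes) -> Optional[str]:
    """Classify the upload by its content, never by its name."""
    for kind, magic in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return None


def validate_upload(filename: str, data: bytes) -> str:
    """Accept only when extension and content agree on an allowed type;
    rejects e.g. an HTML page or a PNG renamed to 'will.pdf'."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    claimed = ALLOWED_EXTENSIONS.get(ext)
    actual = detect_type(data)
    if claimed is None:
        raise ValueError(f"extension '.{ext}' is not allowed")
    if actual is None:
        raise ValueError("content is not a PDF, JPEG or PNG")
    if actual != claimed:
        raise ValueError(f"content is {actual} but the name claims {claimed}")
    return actual


def custody_record(filename: str, data: bytes, uploader_ip: str) -> dict:
    """Validate, then build the chain-of-custody entry: hash, IP, UTC time."""
    kind = validate_upload(filename, data)
    return {
        "filename": filename,
        "type": kind,
        "sha256": hashlib.sha256(data).hexdigest(),
        "uploader_ip": uploader_ip,
        "uploaded_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
    }
```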
Session Security
Attorney sessions are protected with:
- HttpOnly cookies (cannot be read by JavaScript)
- Secure flag (transmitted only over HTTPS)
- SameSite=Lax (prevents cross-site request forgery on top-level navigations; Lax rather than Strict is required so magic-link clicks from email clients work correctly)
- 7-day session lifetime (automatic expiry)
Executor Session Security
Executor access is controlled by two additional mechanisms that do not apply to attorney sessions:
- Single-session nonce enforcement: Each executor checklist is tied to a single active browser session at a time. When the executor opens the checklist on a new device or browser, the prior session is automatically invalidated. This prevents concurrent access to the checklist from multiple devices — even if the magic link URL is known to another person.
- 30-minute inactivity timeout: If the executor leaves the checklist open without interaction for 30 minutes, a full-page overlay appears and a 10-second countdown begins. After the countdown, the server clears the session nonce. The executor must then pass a PIN challenge (the last four characters of their email address) to resume. This prevents unattended screen access to estate documents on shared or unattended devices.
Rate Limiting and Bot Protection
The Service limits the number of requests from any single IP address or email address. Automated form submissions are detected and silently neutralized. Login links use 256-bit random tokens — guessing a valid token is computationally infeasible.
Data Protection
- All form submissions require unique security tokens (CSRF protection)
- All user-supplied text is sanitized before storage to prevent script injection
- The application sends strict Content Security Policy headers to all browsers
- The application cannot be embedded in other websites (X-Frame-Options: DENY)
Backups
Documents are stored using a dual-write architecture: on the server filesystem and in the PostgreSQL database. If a file is lost from the filesystem, it is automatically restored from the copy held in the database. Nightly off-host backups provide an independent copy stored on separate infrastructure.
Audit Trail
Every significant action — logins, uploads, reviews, rejections, deletions, case closures — is permanently recorded in an append-only audit log. This log cannot be modified or deleted. It serves as the legal chain of custody for every document in every case.
Residual Risks
Two risks exist in this system and in every comparable cloud-hosted legal technology platform:
1. Email account compromise
If an attacker gains control of your email inbox, they could receive login links. We strongly recommend enabling two-factor authentication on your email account.
2. Server-level compromise
If the cloud server were compromised at the operating system level, an attacker with server access could theoretically access data directly. This is mitigated through server hardening, firewall rules, and encrypted backups.
Both risks are mitigated by standard operational practices and are documented transparently.
Contact
Security questions or concerns may be directed to: support@estateexecutortracker.com