Security Overview.

Provided by Funerals & Tech Limited. This Security Overview is a plain-English summary of how we protect your data. It is a transparency resource for users, administrators and compliance teams — it is not a full technical specification. For personal data handling, see our Privacy Policy. For account, feature and subscription terms, see our Terms and Conditions. All policies at fyldit.com/legal.

This Security Overview is a plain-English summary of how we protect your data. It is a transparency resource for users, administrators and compliance teams — it is not a full technical specification. For personal data handling, see our Privacy Policy. For account, feature and subscription terms, see our Terms & Conditions. All policies at fyldit.com/legal.

1. Our Approach

Security is the foundation Fyldit is built on, not a feature added afterwards. We use a zero-knowledge encryption model: your vault content is encrypted on your own device before it reaches our servers. We cannot read, access or decrypt your vault content — even in response to a legal order.

2. Zero-Knowledge Encryption

When you store something in Fyldit, it is encrypted on your own device before it ever leaves. Your passphrase creates the encryption key, and we never receive, see or store that key.

What reaches our servers is already encrypted — the files, their names and their metadata (data describing your files, such as labels and dates). We cannot read any of it, and neither can anyone else without your passphrase. We use strong, industry-standard encryption to protect your data both while it is stored and while it is being transmitted.

Important: losing your passphrase means losing access to your vault. There is no back door. This is what zero-knowledge means. Set up Vault Recovery with trusted contacts to protect against this.

3. Vault Recovery

Fyldit offers vault recovery through your Trusted Circle. When you set up your vault, you can designate trusted contacts to each hold a fragment of a recovery key. No single person holds enough to access your vault alone.

If you ever lose your passphrase, your trusted contacts can combine their fragments to help you regain access — without Fyldit ever being involved in the process. The security stays in your hands. Vault Recovery must be set up in advance and is available on paid plans.

4. Authentication and Account Protection

We protect access to your account with modern authentication options and sensible safeguards:

  • Email and password, with enforced password strength.
  • MFA (Multi-Factor Authentication) — a second step at login, such as a code from an authenticator app.
  • Passkeys — a modern, password-free login method that can use your device's fingerprint or face recognition.
  • Optional single sign-on through Google.
  • Automatic limits on repeated login and verification attempts to protect against brute-force attacks.

5. Infrastructure and Hosting

Fyldit runs on Amazon Web Services (AWS), a leading cloud infrastructure provider. All customer data and documents are hosted exclusively in Sweden. Our other regions are used only for software development and testing and never hold customer data or documents.

Hosting regionPurposeCustomer data held?
IndiaTesting environment onlyNO
SwedenLive hosting — application, database and encrypted file storage for customersYES
USA (United States of America)UAT (User Acceptance Testing) environment onlyNO

Funerals & Tech Limited, which operates Fyldit, remains incorporated in and operated from the Dubai International Financial Centre (DIFC) in the United Arab Emirates (UAE). Our internal systems communicate over private, restricted networks, and access to live systems is limited to authorised personnel only.

6. Audit Logging

Security-relevant events in your vault are logged so that activity can be reviewed if needed. This includes logins, password and security-setting changes, content changes, sharing and permission changes, Trusted Contact management, recovery setup, and Unlock on Death and Unlock on Incapacity events. You can review your own vault audit log within your account at any time.

7. Incident Response

If a security incident occurs, we will:

  • Detect and contain the incident as quickly as possible.
  • Assess the scope and impact, including whether personal data was affected.
  • Notify affected users and the relevant authorities within 72 hours where required by applicable data-protection law.
  • Fix the root cause and take steps to prevent it happening again.

To report a security vulnerability, email security@fyldit.com. We will acknowledge your report within three business days and ask that you do not publicly disclose the issue until we have had a reasonable opportunity to address it.

8. Our Service Providers

We work with a small number of trusted providers to run Fyldit. Each is bound by a data-processing agreement and selected for its security track record. Full details are in our Data Processing Agreement at fyldit.com/legal.

ProviderRole
Amazon Web Services (AWS)Cloud hosting and encrypted storage (customer data hosted in Sweden)
StripePayment processing
GoogleOptional sign-in (authentication)
MicrosoftWebsite analytics (only with your consent, on public pages)

9. Regulatory Alignment and Certifications

We align our practices with the data-protection laws that apply to our users:

Framework / RegulationScope
UAE PDPL (Personal Data Protection Law) — Federal Decree-Law No. 45 of 2021UAE data protection
DIFC (Dubai International Financial Centre) Data Protection Law No. 5 of 2020DIFC data protection
EU GDPR (General Data Protection Regulation)European Union users
UK GDPR and Data Protection Act 2018United Kingdom users
ISO 27001 (information security standard)Actively working toward certification — not yet achieved
SOC 2 (Service Organization Control 2)Actively working toward certification — not yet achieved
Fyldit is actively working toward ISO 27001 and SOC 2 certification. We will update this page as those milestones are achieved. In the meantime, our zero-knowledge design means that even without those certificates, we cannot access your data — by design.

10. Data Portability and Deletion

  • Export: you can download your data at any time from within Fyldit.
  • Account deletion: when your plan ends, you have 30 days to download your content. After that, data is deleted from active systems.
  • Legal holds: data subject to a legal hold is kept until the hold is released.

11. Your Responsibilities

No online service is completely risk-free. To protect your vault:

  • Keep your passphrase and login details safe — we cannot recover them for you.
  • Enable MFA (Multi-Factor Authentication) or passkeys — strongly recommended.
  • Set up Vault Recovery with trusted contacts before you need it.
  • Share documents only with people you trust.
  • Never share your password, one-time codes or recovery information with anyone.

12. Contact

Query typeContact
Security reports and vulnerability disclosuressecurity@fyldit.com
Privacy enquiriesprivacy@fyldit.com
General supportsupport@fyldit.com