Security Overview.
Provided by Funerals & Tech Limited. This Security Overview is a plain-English summary of how we protect your data. It is a transparency resource for users, administrators and compliance teams — it is not a full technical specification. For personal data handling, see our Privacy Policy. For account, feature and subscription terms, see our Terms and Conditions. All policies at fyldit.com/legal.
1. Our Approach
Security is the foundation Fyldit is built on, not a feature added afterwards. We use a zero-knowledge encryption model: your vault content is encrypted on your own device before it reaches our servers. We cannot read, access or decrypt your vault content — even in response to a legal order.
2. Zero-Knowledge Encryption
When you store something in Fyldit, it is encrypted on your own device before it ever leaves. Your passphrase creates the encryption key, and we never receive, see or store that key.
What reaches our servers is already encrypted — the files, their names and their metadata (data describing your files, such as labels and dates). We cannot read any of it, and neither can anyone else without your passphrase. We use strong, industry-standard encryption to protect your data both while it is stored and while it is being transmitted.
3. Vault Recovery
Fyldit offers vault recovery through your Trusted Circle. When you set up your vault, you can designate trusted contacts to each hold a fragment of a recovery key. No single person holds enough to access your vault alone.
If you ever lose your passphrase, your trusted contacts can combine their fragments to help you regain access — without Fyldit ever being involved in the process. The security stays in your hands. Vault Recovery must be set up in advance and is available on paid plans.
4. Authentication and Account Protection
We protect access to your account with modern authentication options and sensible safeguards:
- Email and password, with enforced password strength.
- MFA (Multi-Factor Authentication) — a second step at login, such as a code from an authenticator app.
- Passkeys — a modern, password-free login method that can use your device's fingerprint or face recognition.
- Optional single sign-on through Google.
- Automatic limits on repeated login and verification attempts to protect against brute-force attacks.
5. Infrastructure and Hosting
Fyldit runs on Amazon Web Services (AWS), a leading cloud infrastructure provider. All customer data and documents are hosted exclusively in Sweden. Our other regions are used only for software development and testing and never hold customer data or documents.
| Hosting region | Purpose | Customer data held? |
|---|---|---|
| India | Testing environment only | NO |
| Sweden | Live hosting — application, database and encrypted file storage for customers | YES |
| USA (United States of America) | UAT (User Acceptance Testing) environment only | NO |
Funerals & Tech Limited, which operates Fyldit, remains incorporated in and operated from the Dubai International Financial Centre (DIFC) in the United Arab Emirates (UAE). Our internal systems communicate over private, restricted networks, and access to live systems is limited to authorised personnel only.
6. Audit Logging
Security-relevant events in your vault are logged so that activity can be reviewed if needed. This includes logins, password and security-setting changes, content changes, sharing and permission changes, Trusted Contact management, recovery setup, and Unlock on Death and Unlock on Incapacity events. You can review your own vault audit log within your account at any time.
7. Incident Response
If a security incident occurs, we will:
- Detect and contain the incident as quickly as possible.
- Assess the scope and impact, including whether personal data was affected.
- Notify affected users and the relevant authorities within 72 hours where required by applicable data-protection law.
- Fix the root cause and take steps to prevent it happening again.
To report a security vulnerability, email security@fyldit.com. We will acknowledge your report within three business days and ask that you do not publicly disclose the issue until we have had a reasonable opportunity to address it.
8. Our Service Providers
We work with a small number of trusted providers to run Fyldit. Each is bound by a data-processing agreement and selected for its security track record. Full details are in our Data Processing Agreement at fyldit.com/legal.
| Provider | Role |
|---|---|
| Amazon Web Services (AWS) | Cloud hosting and encrypted storage (customer data hosted in Sweden) |
| Stripe | Payment processing |
| Optional sign-in (authentication) | |
| Microsoft | Website analytics (only with your consent, on public pages) |
9. Regulatory Alignment and Certifications
We align our practices with the data-protection laws that apply to our users:
| Framework / Regulation | Scope |
|---|---|
| UAE PDPL (Personal Data Protection Law) — Federal Decree-Law No. 45 of 2021 | UAE data protection |
| DIFC (Dubai International Financial Centre) Data Protection Law No. 5 of 2020 | DIFC data protection |
| EU GDPR (General Data Protection Regulation) | European Union users |
| UK GDPR and Data Protection Act 2018 | United Kingdom users |
| ISO 27001 (information security standard) | Actively working toward certification — not yet achieved |
| SOC 2 (Service Organization Control 2) | Actively working toward certification — not yet achieved |
10. Data Portability and Deletion
- Export: you can download your data at any time from within Fyldit.
- Account deletion: when your plan ends, you have 30 days to download your content. After that, data is deleted from active systems.
- Legal holds: data subject to a legal hold is kept until the hold is released.
11. Your Responsibilities
No online service is completely risk-free. To protect your vault:
- Keep your passphrase and login details safe — we cannot recover them for you.
- Enable MFA (Multi-Factor Authentication) or passkeys — strongly recommended.
- Set up Vault Recovery with trusted contacts before you need it.
- Share documents only with people you trust.
- Never share your password, one-time codes or recovery information with anyone.
12. Contact
| Query type | Contact |
|---|---|
| Security reports and vulnerability disclosures | security@fyldit.com |
| Privacy enquiries | privacy@fyldit.com |
| General support | support@fyldit.com |