Built for Trust

Security That Earns Your Trust

Your digital life plan is only as good as the security protecting it. Here is exactly how Constellation keeps your information safe.

Security Principles

How We Protect Your Data

Privacy-First Architecture

We collect only what's necessary. Your sensitive data is encrypted before it leaves your device. We cannot read your vault contents — even our own engineers see only ciphertext.

  • Minimum data collection by design
  • Document vault contents encrypted client-side before upload
  • Zero-knowledge design — we cannot access your encrypted data
  • No advertising, no data mining, no third-party data sharing
  • Email discovery reads metadata only — never message content

Encrypted Storage

All sensitive items are encrypted at rest using AES-256-GCM with unique per-item data keys. Master keys use envelope encryption — a compromise of one item cannot expose any other.

  • AES-256-GCM per-item encryption
  • Unique data key generated for every vault item
  • Envelope encryption wraps data keys with a master key
  • Only ciphertext is stored at rest — plaintext is never persisted
  • All data in transit protected by TLS 1.3

Strict Access Controls

All API routes require authentication via Clerk, an enterprise-grade identity provider. Service accounts follow the principle of least privilege. Database-level row-level security (RLS) ensures users can only query their own data.

  • Principle of least privilege for all service accounts
  • Every API route requires an authenticated session
  • Identity managed by Clerk — passwords never stored by us
  • Row-level security (RLS) enforced at the database layer
  • Subscription and role checks enforced in middleware
  • Open-redirect protection on all login flows

Audit Logging

Every significant action is recorded with timestamps in an immutable audit log. You can export your complete audit trail as CSV or PDF at any time. Nothing happens silently.

  • Every action timestamped and attributed
  • Full exportable audit trail (CSV and PDF)
  • Login, inventory, vault, and access-request events recorded
  • Inventory change history with before/after state
  • Firm-mode audit events for B2B portal activity

Technical Specifications

Cryptographic Standards

Constellation uses industry-standard cryptographic primitives. Each vault item is encrypted with a unique data key, which is itself wrapped with a master key using envelope encryption — meaning a compromise of one item does not expose any other.

Document Vault Encryption: AES-256-GCM
Key Architecture: Envelope Encryption
Per-Item Keys: Unique per vault item
Transport Security: TLS 1.3
Identity Provider: Clerk (JWT-based)
Hash Algorithm: SHA-256
Database Security: Row-Level Security (RLS)
Token Generation: crypto.getRandomValues
Session Validation: Per-request JWT verify
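
The envelope scheme described under Encrypted Storage and Cryptographic Standards, sketched with the Web Crypto API. This is an added example, not Constellation's code: the function names, the stored record layout and the use of the item id as authenticated data are assumptions.

```javascript
// Added example: envelope encryption with the Web Crypto API.
// Function names and the record layout are hypothetical, not Constellation's code.
const enc = new TextEncoder();
const gcm = (iv, itemId) => ({ name: 'AES-GCM', iv, additionalData: enc.encode(itemId) });

async function getCrypto() {
  // Browsers and current Node expose globalThis.crypto; older Node needs the module.
  return globalThis.crypto ?? (await import('node:crypto')).webcrypto;
}

// Master key: non-extractable and usable only to wrap or unwrap data keys.
async function newMasterKey() {
  const c = await getCrypto();
  return c.subtle.generateKey({ name: 'AES-GCM', length: 256 }, false, ['wrapKey', 'unwrapKey']);
}

// Encrypt one item under a fresh data key, then wrap that key with the master key.
async function sealItem(masterKey, itemId, plaintext) {
  const c = await getCrypto();
  const dataKey = await c.subtle.generateKey({ name: 'AES-GCM', length: 256 }, true, ['encrypt']);
  const iv = c.getRandomValues(new Uint8Array(12));      // 96-bit nonce for the item
  const wrapIv = c.getRandomValues(new Uint8Array(12));  // separate nonce for the wrap
  // The item id is authenticated data, so a record cannot be moved to another item.
  const ciphertext = await c.subtle.encrypt(gcm(iv, itemId), dataKey, enc.encode(plaintext));
  const wrappedKey = await c.subtle.wrapKey('raw', dataKey, masterKey, gcm(wrapIv, itemId));
  return { itemId, iv, wrapIv, wrappedKey, ciphertext }; // only these fields are stored
}

// Unwrap the item's data key with the master key, then decrypt the item.
async function openItem(masterKey, rec) {
  const c = await getCrypto();
  const dataKey = await c.subtle.unwrapKey('raw', rec.wrappedKey, masterKey,
    gcm(rec.wrapIv, rec.itemId), { name: 'AES-GCM' }, false, ['decrypt']);
  const plain = await c.subtle.decrypt(gcm(rec.iv, rec.itemId), dataKey, rec.ciphertext);
  return new TextDecoder().decode(plain);
}

// True when item B cannot be opened with item A's wrapped data key.
async function keySwapIsRejected(masterKey) {
  const a = await sealItem(masterKey, 'item-a', 'constructed sample A');
  const b = await sealItem(masterKey, 'item-b', 'constructed sample B');
  try {
    await openItem(masterKey, { ...b, wrappedKey: a.wrappedKey, wrapIv: a.wrapIv });
    return false;
  } catch {
    return true; // GCM authentication failed
  }
}
```

The plaintext data key exists only inside `sealItem` and `openItem`; what is stored is the wrapped key, which is 48 bytes (32-byte key plus the 16-byte GCM tag).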

Our Commitment

We Never Sell Your Data

Constellation is a subscription product. Your data is not our product. We do not sell, analyze for marketing purposes, or share your personal information with third parties.

No Advertising

We do not show ads or sell your attention.

No Data Mining

Your data is never analyzed for marketing.

No Third-Party Sharing

We never sell your personal information.

Security FAQ

Common Questions

Who can see my vault contents?

Only you. Document vault contents are encrypted with AES-256-GCM using keys derived from your account. Even Constellation's own engineers cannot read your vault data — we only ever store ciphertext. Each vault item has its own unique encryption key, so compromising one item does not expose any other.

Does Constellation read my emails?

No. Email discovery reads metadata only — sender domains, subject-line patterns that indicate account relationships, and timestamps. We never read message bodies, download attachments, or store email content. For Apple Mail connections, app-specific passwords are used ephemerally and never stored in our database.

Can my executor access everything immediately?

No. Access is controlled by your Activation. You define when and how access is granted, including a configurable grace period (typically 7–14 days) during which you can override or cancel any request. Your executor must submit a formal access request, and you are notified by email at every step.

What happens to my data if I cancel?

You can export your complete data at any time from your Account settings (CSV and PDF formats). On cancellation, your data is retained for 30 days before permanent deletion per our data retention policy. Document vault contents are cryptographically destroyed — encrypted data without its key is unrecoverable.

How is authentication handled?

Constellation delegates all authentication to Clerk, an enterprise-grade identity provider trusted by thousands of companies. We never store or handle your password directly. Clerk supports multi-factor authentication (TOTP), social login providers, and secure session management. Sessions are validated on every API request via signed JWTs.

Is my data isolated from other users?

Yes. Row-level security (RLS) policies are enforced at the database layer in Supabase. Even if application-level code had a bug, the database itself prevents any user from querying another user's data. API routes additionally verify your authenticated user ID before any data operation.

What security headers does Constellation use?

Every response includes X-Content-Type-Options (nosniff), X-Frame-Options (DENY to prevent clickjacking), strict Referrer-Policy, Content-Security-Policy, Permissions-Policy (camera, microphone, and geolocation disabled), and Cache-Control (no-store) on all authenticated pages. A unique X-Request-Id is attached to every request for audit correlation.
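
One way to check a captured response against the header list in the answer above (an added example, not Constellation's code). The function names are hypothetical, and the set of Referrer-Policy values accepted as "strict" is an assumption, since the page does not name one.

```javascript
// Added example: audit response headers against the list in the FAQ answer.
// The accepted Referrer-Policy values are an assumption; the page only says "strict".
const STRICT_REFERRER = new Set(['no-referrer', 'same-origin', 'strict-origin',
  'strict-origin-when-cross-origin']);

// Parse "camera=(), microphone=()" into a Map of feature -> allowlist string.
function parsePermissionsPolicy(value) {
  const out = new Map();
  for (const part of value.split(',')) {
    const eq = part.indexOf('=');
    if (eq > 0) out.set(part.slice(0, eq).trim().toLowerCase(), part.slice(eq + 1).trim());
  }
  return out;
}

// headers: plain object of header name -> value. Returns a list of findings.
function auditHeaders(headers, { authenticated = false } = {}) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v).trim();
  const findings = [];
  const need = (name, ok, why) => {
    if (!(name in h)) findings.push(`${name}: missing`);
    else if (!ok(h[name])) findings.push(`${name}: ${why}`);
  };
  need('x-content-type-options', v => v.toLowerCase() === 'nosniff', 'expected nosniff');
  need('x-frame-options', v => v.toUpperCase() === 'DENY', 'expected DENY');
  // When several policies are listed, the last one is the one checked here.
  need('referrer-policy', v => STRICT_REFERRER.has(v.toLowerCase().split(',').pop().trim()),
    'not a strict policy');
  need('content-security-policy', v => v.length > 0, 'empty policy');
  need('x-request-id', v => v.length > 0, 'empty id');
  need('permissions-policy', v => {
    const p = parsePermissionsPolicy(v);
    return ['camera', 'microphone', 'geolocation'].every(f => p.get(f) === '()');
  }, 'camera, microphone and geolocation must all be ()');
  if (authenticated) {
    need('cache-control', v => v.toLowerCase().split(',').map(s => s.trim()).includes('no-store'),
      'expected no-store on authenticated pages');
  }
  return findings;
}
```

An empty result means every listed header is present with the stated value; pass `{ authenticated: true }` for pages behind login so the Cache-Control check applies.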

Your security is our priority.

Start protecting your digital life with the confidence that your data is safe.

Security | Constellation