Security & Compliance

Built to hold the most sensitive data there is.

We hold wills, financial accounts, passwords, and final messages. Here is exactly how we protect them — and what that means for your care home.

Security that meets financial-grade requirements.

Encryption
AES-256
All vault contents encrypted at rest

Every document, message, and credential is encrypted using AES-256-GCM before it is stored — the same standard used by banks and intelligence agencies. Unencrypted data never rests on our servers.

Compliance
GDPR
UK GDPR compliant throughout

Data Processing Agreements provided for all partner care homes. All data stored in UK data centres (AWS London, eu-west-2). Article 28 compliant as a data processor. Your DPA is available before you sign anything.

Access
Scoped
Executors receive secure, scoped access

Family and executor access is read-only, time-limited, and scoped to exactly what they need — nothing more. Every access is logged with a timestamp and identity. Nothing is shared without consent.

Uptime
99.9%
SLA-backed availability

The vault must be there when it matters most — the moment a family needs it. SLA-backed uptime with automated monitoring, instant alerting, and dedicated operations support.

How the security is built.

🔐
Encryption at rest

AES-256-GCM encryption applied before data is written to the database. Vault contents cannot be read even with direct database access.

🔗
Encryption in transit

TLS 1.2+ enforced on all endpoints. HTTPS redirect on all HTTP requests. HTTP Strict Transport Security (HSTS) headers active sitewide.

🛡️
Row-level data isolation

Database Row Level Security (RLS) enforced at the database engine level — not the application. Each record is accessible only to its owner session.

📋
Audit logging

Every vault access — by family, executor, or staff — is logged with a timestamp, identity, and IP. Full audit trail available to care home partners.

🔑
Zero-knowledge credentials

Stored credentials are encrypted on the client before transmission. Memoari staff with full database access cannot read stored passwords.

⏱️
Time-limited access tokens

Executor access tokens are single-use, cryptographically random, and automatically expire. Links cannot be reused or shared beyond their scope.
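The token and audit-logging properties listed above (single-use, cryptographically random, expiring, scoped, every access logged with timestamp, identity and IP) can be sketched as follows. This is an added example, not Memoari's code: the class ExecutorTokenStore, its method names, the in-memory storage and the outcome labels are all assumptions made for illustration.

```python
import hashlib
import secrets
import time


class ExecutorTokenStore:
    """Hypothetical in-memory store for executor access links (illustration only)."""

    def __init__(self, clock=time.time):
        self._clock = clock      # injectable so expiry can be tested
        self._grants = {}        # SHA-256(token) -> grant; raw tokens are never stored
        self.audit_log = []      # one entry per redemption attempt, refused ones included

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, executor_id, scope, ttl_seconds):
        token = secrets.token_urlsafe(32)   # 32 random bytes from the OS CSPRNG
        self._grants[self._digest(token)] = {
            "identity": executor_id,
            "scope": frozenset(scope),      # the only items this link may read
            "expires_at": self._clock() + ttl_seconds,
            "used": False,
        }
        return token                        # handed out once, e.g. inside the link

    def redeem(self, token, ip):
        """Return the granted read-only scope, or None if the token is refused."""
        now = self._clock()
        grant = self._grants.get(self._digest(token))
        if grant is None:
            outcome = "unknown"
        elif grant["used"]:
            outcome = "reused"
        elif now >= grant["expires_at"]:
            outcome = "expired"
        else:
            outcome = "granted"
            grant["used"] = True            # single use: burned on first success
        self.audit_log.append({
            "timestamp": now,
            "identity": grant["identity"] if grant else None,
            "ip": ip,
            "outcome": outcome,
        })
        return grant["scope"] if outcome == "granted" else None
```

Storing only the digest means a copy of the token table cannot be replayed as working links, and logging refused attempts gives reviewers of the audit trail a signal when a link is forwarded or retried.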

For Care Homes

What security means for your home.

As a care home partner, you receive a Data Processing Agreement, full audit trail access, and a security briefing before your pilot begins. Your residents' data is held under your partnership agreement — not pooled with consumer accounts.

  • Data Processing Agreement (DPA) provided before pilot launch
  • Staff see only completion status — never vault contents
  • All resident data stored in UK data centres — AWS London (eu-west-2)
  • CQC-ready documentation stored and auditable at all times
  • Security briefing included in all pilot onboarding sessions

Common security questions.

Can Memoari staff read vault contents?
No. Vault contents are encrypted before storage. Our staff can see account metadata (plan status, timestamps, completion rates) but vault contents are inaccessible to anyone without the resident or family's credentials.

Can your care home staff see what is in a resident's vault?
No. The staff dashboard shows only completion status — whether a resident has a will on file, designated contacts, and a completed vault. The actual contents are always private. This removes GDPR complexity and safeguarding risk.

What happens to data if Memoari is acquired?
Any acquisition agreement would require the acquirer to maintain all existing security and privacy commitments. All partner care homes and residents would be notified and given the option to export and delete their data before any transfer occurs.

Where is resident data stored geographically?
All data is stored in UK data centres (AWS London, eu-west-2). We do not transfer personal data outside the UK or EU without appropriate safeguards. This is documented in the Data Processing Agreement provided to all partner care homes.

Has Memoari experienced a security breach?
We have not experienced a security breach affecting user data. In the event of any future breach, we would notify all affected partners and residents within 72 hours as required by UK GDPR, with clear guidance on immediate steps.

🔍

Found a vulnerability?

If you discover a security vulnerability in Memoari, please report it responsibly. We take all reports seriously and aim to respond within 48 hours. Please do not publicly disclose vulnerabilities before we have had a chance to investigate.

security@memoari.co.uk

Ready to protect your residents' estates?

A 20-minute pilot call. No obligation. We will walk you through exactly how the security model works for your care home.
