Security
We treat digital legacies with the same care as physical ones.
API key authentication
SHA-256 hashed API keys, shown once at creation. Per-key rate limiting.
Encryption at rest
Death certificates and sensitive data encrypted using AES-256.
Webhook signatures
HMAC-SHA256 signatures verify every webhook originates from NEXTKIN.
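How a webhook receiver would check such an HMAC-SHA256 signature, as an added example (not NEXTKIN's own code or documented format): it assumes a hypothetical `X-Nextkin-Signature` header carrying a hex HMAC over the raw request body, and a shared secret provisioned out of band.

```python
import hashlib
import hmac
import json

# Assumed (hypothetical) header name; the real header and encoding come from the provider's docs.
SIGNATURE_HEADER = "X-Nextkin-Signature"


def sign_webhook(secret: bytes, body: bytes) -> str:
    """Hex HMAC-SHA256 tag over the raw request body (what the sender computes)."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, headers: dict, body: bytes) -> bool:
    """True only if the signature header matches the HMAC of the raw body.

    Verify over the raw bytes before any JSON parsing (re-serialising can change
    whitespace or key order), and compare in constant time so a mismatch does
    not leak how many leading bytes were correct.
    """
    # Header names are case-insensitive; normalise the lookup.
    provided = next((v for k, v in headers.items() if k.lower() == SIGNATURE_HEADER.lower()), "")
    expected = sign_webhook(secret, body)
    return hmac.compare_digest(provided.encode("utf-8"), expected.encode("utf-8"))


def handle_delivery(secret: bytes, headers: dict, body: bytes):
    """Parse the event only after the signature checks out; otherwise return None."""
    if not verify_webhook(secret, headers, body):
        return None
    return json.loads(body)


# Constructed sample delivery for demonstration (not real NEXTKIN traffic).
WEBHOOK_SECRET = b"example-shared-secret"
SAMPLE_BODY = json.dumps({"event": "verification.completed", "id": "evt_example"}).encode()

if __name__ == "__main__":
    sig = sign_webhook(WEBHOOK_SECRET, SAMPLE_BODY)
    print(handle_delivery(WEBHOOK_SECRET, {SIGNATURE_HEADER: sig}, SAMPLE_BODY))
    print(handle_delivery(WEBHOOK_SECRET, {SIGNATURE_HEADER: sig}, SAMPLE_BODY + b" "))
```

A signature alone does not stop replay of a captured valid delivery; providers that include a timestamp or event id in the signed material let the receiver reject stale or duplicate events on top of this check.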
Audit logs
Immutable, append-only audit trails for all API calls and admin actions.
Data isolation
Row-level security (RLS) ensures platform data never leaks between tenants.
Compliance
GDPR and CCPA aligned. SOC 2 Type II audit in progress.
Responsible disclosure
We take security seriously. If you discover a vulnerability, please disclose it responsibly to security@nextkin.dev. We commit to acknowledging reports within 48 hours.