Security Overview

Introduction

At WishesKept, we take the security and privacy of your data very seriously. We fully understand the trust you are giving us to store your personal information. That trust is based upon us keeping that data both private and secure. The information on this page is intended to provide transparency about how we protect that data. We will continue to expand and update this information as we add new security capabilities and make security improvements to our products.

Encryption


Not only does WishesKept use Bank Level SSL Certificates, we also use AES-256 encryption to store your data in transit and while at rest.

AES-256 is an additional level of encryption, and is considered to be “military grade”. Short for Advanced Encryption Standard, it was the first cipher approved by the National Security Agency (NSA) to protect information at a “Top Secret” level. It is now widely-accepted as the strongest encryption there is – and used by governments, the military, banks and other organizations across the world to protect sensitive data.

To fully appreciate the strength of this encryption, a Microsoft paper published in 2011 suggested that breaking a 128-bit key (far less complex than an AES 256-bit key) would take billions of years with current computing power – and require storing about 38 trillion terabytes of data, which is more than all the data on all the computers on the planet.

Product Security

Securing our Internet-facing web service is critically important to protecting your data. Our software team drives an application security program to improve code security hygiene and constantly check our service for common application security issues including: CSRF, injection attacks (XSS, SQLi), session management, URL redirection, and clickjacking.

We have gone beyond the norm and have embedded additional privacy measures directly into the design and architecture of our application. We encrypt every field that personally identifies you, your accounts and your passwords. As a result, your personal data stays encrypted and protected at all times. We have taken additional steps to ensure that even our software developers and support staff are unable to view your data.

We never receive a copy of your password or encryption key and don’t use any escrow mechanism to recover your encrypted data. This means that if you forget your password, we cannot recover your data.

Password Security

WishesKept never stores your password in plaintext. When we need to securely store your account password to authenticate you, we use PBKDF2 (Password Based Key Derivation Function 2) with a unique salt for each credential. We select the number of hashing iterations in a way that strikes a balance between user experience and password cracking complexity.

We protect you further by requiring passwords of at least 8 characters. We maintain a list of the 10,000 top passwords and wont allow you to select a password that appears in this list.


Network Security

WishesKept defines its network boundaries using a combination of load balancers, firewalls, and VPNs. We use these to control which services we expose to the Internet and to segment our production network from the rest of our computing infrastructure. We limit who has access to our production infrastructure based on business need and strongly authenticate that access.

Our application is a closed platform. We do not allow any third party service access to the servers. We do not offer an API and only use internal up-time monitoring services provided by our data center.

Our data center employs intrusion detection, distributed denial-of-service (DDoS) attack prevention, penetration testing, data analytics, and machine learning to constantly strengthen its defense and security of your data.

Dedicated Network Security Team

Security is a dedicated team within our data storage centers. Our security team’s charter is protecting the data you store in our service. A dedicated team of security experts simulate real-world attacks at the network, platform, and application layers. The result is continual improvement in the ways the servers can detect and protect against security breaches.

Resiliency and Availability

We only utilize Microsoft Azure and Amazon S3 servers. Microsoft Azure guarantee at least 99.9% availability, and Amazon S3 guarantee 99.99% up-time and availability.

We operate a fault tolerant system and network architecture to ensure that WishesKept is there when you need it, wherever you may be. This includes:

  • Diverse and redundant Internet connections.
  • Redundant network infrastructure including switches, routers, load balancers, and firewalls.
  • Scalable system architecture built using a large number of independently operating shards, each servicing a small slice of our user base.
  • Shards architected as pairs of redundant servers, providing hot standby capabilities should a single server fail.
  • Servers engineered with redundant power, redundant network hardware, and storage deployed in a RAID configuration.

Our data center provides fault tolerant facility services including: power, HVAC, and fire suppression.

Report a security issue

If you believe you’ve found a security vulnerability in a WishesKept application, the WishesKept platform, or our infrastructure that could harm WishesKept or anyone who uses WishesKept, please let us know by e-mailing details of your finding to security@wisheskept.com.

Please remember our User Guidelines and don’t violate anyone’s privacy, interfere with anyone’s account, or destroy any data. Please don’t interrupt or degrade our services. And please give us a reasonable amount of time to respond before publicly disclosing your findings.

If you’d like to encrypt or sign your communications with us, please use our PGP/GPG public key

Customer Security Tips

Use a different password on WishesKept than any other site you log into. That way, if someone learns your password on another site, you won’t have to worry about them also being able to access your WishesKept account.

Avoid using simple passwords that could be looked up in a dictionary. Instead, choose a complex password that is at least 8 characters long and contains a mix of uppercase and lowercase letters, numbers, and special characters. Equally good is picking a phrase that is at least 20 characters long.

A password manager can make both of these easy to do. We suggest using the 1Password or LastPass applications.

Final Note

If you are not comfortable storing some of your data in our highly secure application, you can still provide your loved ones with significant benefits and peace of mind by using our offline storage mode.

You will find that most of the questions in WishesKept that ask for personal information, account details or passwords, also give you and option to keep your data offline and to explain where the document or data is physically stored, and how it can be accessed if it is needed.

For example, instead of uploading a scan of your mortgage documents, you can utilize the field that asks where the original document is kept. Instead of storing your passwords, you can use a dedicated password tool like "1Password" or "LastPass" and record your master password in a safe place offline or make a note of a loved one that has the master key.

It is important to remember that if anything happens to you, your loved ones will need a place to start. WishesKept can give them the gift of knowledge, while still allowing you the privacy and piece of mind you need.

Are you ready to get started?

Start Your Free Trial Now !