Security

Our approach

Mortem AI operates infrastructure that handles sensitive communications between funeral homes and grieving families. We take this responsibility seriously. Our security posture prioritises clear ownership, real defence-in-depth, evidence over claims, and honest communication of where we are in our maturity journey.

We are early in our formal certification journey (we are not yet SOC 2 certified) but operate to a control set comparable to SOC 2 Trust Services Criteria. We publish what we do, what we don't do, and what is in progress. Where a sophisticated buyer wants more detail than this page provides, contact [email protected] and we will provide a security questionnaire response and supporting documentation under NDA.

Vulnerability disclosure programme

Security researchers play an important role in keeping systems safe. We welcome reports of vulnerabilities affecting Mortem AI's Services from researchers acting in good faith.

How to report

Email reports to [email protected] with:

• A clear description of the vulnerability and its potential impact;
• Steps to reproduce, including any URLs, requests, payloads, or proof-of-concept code;
• Your name and contact information (you may request anonymity in any subsequent acknowledgement);
• Whether you intend to publicly disclose and on what timeline.

Our response commitments

• Initial acknowledgement within five (5) business days of receipt;
• Triage and severity assessment within fifteen (15) business days;
• Remediation timeline communicated once severity is confirmed, with reasonable updates as work progresses;
• Coordinated disclosure in good faith with the researcher.

Critical-severity issues are prioritised for immediate triage outside of business hours where the on-call team is available.

Scope and rules of engagement

In scope

• mortemai.com and all subdomains;
• Customer-facing Sarah AI chat widgets deployed on funeral home websites;
• Mortem AI API endpoints;
• Mortem AI's web application (customer dashboard, onboarding portal).

Out of scope

• Third-party platforms we use as sub-processors (report directly to the platform's security team and copy us): OpenAI, Anthropic, GoHighLevel, Twilio, Supabase, Vercel, Render, Doppler, Google Workspace;
• Customer-owned websites hosting Sarah embeds (the funeral home is responsible for its own website security);
• Marketing and analytics tooling (Google Analytics, Microsoft Clarity);
• Social engineering, phishing, or physical-access attempts against Mortem AI personnel or facilities;
• Denial-of-service or volumetric attacks of any kind;
• Findings from automated scanners without manual verification and confirmed impact;
• Self-XSS or attacks requiring victim cooperation;
• Issues that require physical access to a victim's device;
• Reports of theoretical vulnerabilities without demonstrated impact;
• Disclosure of headers (Server, X-Powered-By, etc.) without further demonstrated risk.

Rules of engagement

• Test only with accounts you own or with explicit written permission;
• Do not access, modify, or destroy data that does not belong to you;
• Do not perform any action that could degrade the Services for other users;
• Stop testing and report immediately if you encounter personal data belonging to others;
• Do not publicly disclose a vulnerability until we have had a reasonable opportunity to remediate (typically 90 days from initial report, sooner where remediation is faster).

Safe harbour

We will not pursue civil action, file a criminal complaint, or initiate a complaint to law enforcement against good-faith security researchers who:

• Comply with this policy and the rules of engagement above;
• Avoid privacy violations, destruction of data, and interruption or degradation of the Services;
• Report vulnerabilities promptly and provide a reasonable opportunity to remediate before public disclosure;
• Do not exploit the vulnerability for purposes other than reporting.

To the extent you act outside this policy, we reserve all legal rights. If you are uncertain whether your planned testing is within scope, contact [email protected] before testing.

Infrastructure and architecture

Mortem AI is built on a modern cloud-native stack. The full sub-processor list is published at mortemai.com/subprocessors.

Encryption

• In transit: TLS 1.2 or higher enforced on all endpoints. HTTPS-only on customer-facing surfaces.
• At rest: AES-256 encryption applied across primary database, vector store, file storage, and backups.
• Webhook integrity: Twilio webhook signatures validated server-side. GoHighLevel webhooks validated with shared secrets stored in centralised secrets management.

Access controls

• Multi-factor authentication enforced on every administrative console, including GitHub, Google Workspace, Supabase, Vercel, Render, Doppler, GoHighLevel, OpenAI, Anthropic, Twilio, and the Mortem AI Stripe billing platform.
• Role-based access control with least-privilege principle. Service-account credentials separated from human-user credentials.
• Access Control Register maintained internally, reviewed regularly, and provided on request under NDA to enterprise prospects.
• Credentials managed in a centralised password manager (Bitwarden Teams). Shared credentials in chat, documents, or note-taking apps are prohibited.
• Off-boarding procedures revoke all access promptly upon role change or termination.

Secrets management

Application secrets are centralised in Doppler, with audit logging of every read and write. Production secrets are not stored in source control, environment files, or chat. Secret rotation procedures apply to platform tokens, API keys, and webhook signing secrets.

GitHub repositories have secret scanning enabled with push protection, preventing accidental commits of recognised secret patterns. Continuous Trufflehog scanning is run periodically against repository history.

Vulnerability management

• Continuous scanning: Aikido integrated at the GitHub organisation level scans all repositories for dependency vulnerabilities, secrets exposure, and code-level security issues.
• Dependency monitoring: GitHub Dependabot alerts and automated security updates enabled on all repositories.
• Branch protection: Force-push disabled, deletion disabled, pull request review required on protected branches.
• Triage: Findings classified as Critical, High, Medium, or Low. Critical findings are remediated within forty-eight (48) hours of confirmation. High findings within seven (7) days.
• Exception register: Where a finding cannot be remediated within the standard window, the exception is documented with the compensating control, review date, and sign-off.

Tenant isolation

Customer data is isolated at the application layer. Every database query is scoped to the requesting tenant by tenant or location identifier. Cross-tenant probe testing is performed periodically to confirm isolation, with documented results retained for audit. Service-role database credentials are server-side only and never exposed in frontend bundles or environment scopes accessible to non-production code paths.

Backups and recovery

• Daily automated backups of the primary database with seven (7) day rolling retention;
• Point-in-Time Recovery (PITR) enabled on the production database;
• Backup restore tested periodically and documented;
• Backup data is encrypted at rest and stored within the same security perimeter as production.

Logging and monitoring

• Application logs retained for 90 days;
• Security and audit logs retained for 12 months;
• Personally identifiable information is not deliberately written to operational logs. Periodic audits verify this in practice.
• Doppler audit log captures all secret access.
• Supabase auth logs capture all administrative database access.

Incident response

We maintain a written Incident Response Runbook covering classification, notification chain, evidence preservation, customer communication, and post-mortem requirements. The on-call team operates a dedicated Signal channel for rapid escalation, with Sev 1 acknowledgement targeted within fifteen (15) minutes of confirmation.

• Customer notification: In the event of a confirmed Security Incident affecting customer data, affected customers receive notification without undue delay and in any case within seventy-two (72) hours of our becoming aware of the incident, in accordance with our contractual commitments and applicable law.
• Post-mortem: Customer-facing summaries of material incidents are provided on written request to affected customers.
• Forensic preservation: Evidence is preserved during incident response in accordance with our incident response runbook, before any change is made that is not strictly required for containment.
• Sub-processor incidents: Where a sub-processor reports an incident materially affecting our service or Client Data, Mortem AI opens its own incident, notifies our customers independently, and does not rely on the sub-processor to communicate with our customers on our behalf.

Mortem AI also notifies its insurance carrier (CFC Underwriting) for all confirmed Sev 1 events within the carrier's policy reporting window.

Data handling and retention

Detailed information about how we collect, use, retain, and protect personal information is available in our Privacy Policy. In brief:

• Conversation transcripts: 24 months;
• Application logs: 90 days;
• Security and audit logs: 12 months;
• Backup data: 7 days for daily backups;
• Aggregated, anonymised statistical data: indefinitely.

Mortem AI does not train, fine-tune, retrain, or otherwise develop AI models on customer data. Our production large language model provider has contractually committed to the same.

Sub-processors

A complete, current list of sub-processors used to deliver the Services, including processing locations and purposes, is maintained at mortemai.com/subprocessors. Customers receive thirty (30) days advance notice of additions, substitutions, or removals of sub-processors that process customer data.

Compliance roadmap

What we comply with today

• PIPEDA (Canada): comparable protection standard maintained per Principle 4.1.3 of Schedule 1;
• Alberta PIPA: Section 13.1 cooperation maintained for service-provider cross-border arrangements;
• Quebec Law 25: privacy impact assessment template available for deployments serving Quebec residents; automated decision-making disclosure published in our Privacy Policy;
• US state privacy laws: CCPA/CPRA, VCDPA, CPA, CTDPA, and equivalents in other enacted states;
• California SB 1001: AI bot disclosure published in our Privacy Policy and in Sarah's first-message identification;
• TCPA, CAN-SPAM, CASL: SMS opt-out mechanisms and consent capture per Twilio's A2P 10DLC registration framework.

What's on the roadmap

• SOC 2 Type I and Type II;
• Annual independent penetration testing;
• Formal business continuity and disaster recovery programme documentation;
• Sub-processor DPA chain documentation for enterprise diligence.

Penetration testing

In parallel, continuous automated security scanning via Aikido and GitHub native scanning is operational across all repositories on a per-commit basis.

Insurance

Mortem AI maintains insurance coverage with carriers rated A- or better by A.M. Best:

• Technology Errors and Omissions liability, including AI-specific coverage for AI-generated content, algorithmic errors, and third-party large language model provider failures;
• Cyber Liability, including data breach response, regulatory defence costs, and notification expenses;
• Commercial General Liability.

Certificates of insurance are available upon written request to [email protected].

Contact

For security reports: [email protected]

For security questionnaires, compliance documentation requests, or enterprise diligence: [email protected] with your company name and the purpose of the request. We will respond within five (5) business days.

For privacy-related contact (data subject requests, DPA queries, automated decision-making requests): [email protected].

Mailing address:

Mortem AI Inc.
1717 Devney Drive
Altoona, Wisconsin 54720
United States