Security and Privacy
Overview
When you work with Sunset, you're entrusting us with some of the most sensitive information imaginable: Social Security Numbers, death certificates, financial account details, legal documents, and comprehensive information about your family's financial life. We take this responsibility extraordinarily seriously.
Sunset maintains bank-level security with enterprise-grade encryption, rigorous access controls, annual independent security audits, and comprehensive privacy protections. Our security infrastructure is designed to protect your data from unauthorized access, breaches, and misuse while ensuring the information remains accessible to you when you need it.
We are SOC 2 Type II certified, which means an independent auditing firm has verified that our security controls, processes, and systems meet the highest industry standards for protecting customer data. This certification requires annual re-auditing, ensuring we continuously maintain these security standards.
What SOC 2 Type II Certification Means
SOC 2 (Service Organization Control 2) is a rigorous auditing standard developed by the American Institute of CPAs (AICPA) specifically for service providers that handle customer data.
Type II specifically means:
Not just that we have security controls in place (Type I)
But that those controls have been tested and verified as operating effectively over an extended period (typically 6-12 months)
An independent auditing firm monitored our actual practices, not just our policies
We passed evaluation across five key trust principles:
Security - Protection against unauthorized access
Availability - Systems are available for operation and use
Processing Integrity - System processing is complete, valid, accurate, timely, and authorized
Confidentiality - Information designated as confidential is protected
Privacy - Personal information is collected, used, retained, disclosed, and disposed of properly
Why this matters to you:
Many companies claim to be "secure" or "take privacy seriously." SOC 2 Type II certification provides independent, third-party verification that our security practices actually meet professional standards.
What the audit process involves:
Comprehensive review of all security policies and procedures
Testing of technical controls (encryption, access management, etc.)
Verification that employees follow security protocols
Review of incident response procedures
Examination of vendor security (any third parties we work with)
Testing of disaster recovery and business continuity plans
Confirmation that we maintain these standards consistently over time
Annual re-certification: We don't just pass once and forget about it. SOC 2 Type II requires annual re-auditing. Every year, independent auditors return to verify we're still maintaining these security standards.
This continuous oversight ensures our security doesn't degrade over time and that we're adapting to new threats and best practices.
How We Protect Your Data
Encryption Everywhere
Your data is encrypted at multiple levels:
In transit (data moving between your device and our servers):
TLS 1.3 encryption (Transport Layer Security, the same technology banks use)
All communications between your browser and Sunset are encrypted
No data travels across the internet in plain text
This protects against interception or eavesdropping
What this means in practice: When you upload a death certificate or enter a Social Security Number, that information is immediately encrypted before leaving your device. Even if someone intercepted the communication, they would only see encrypted, unreadable data.
At rest (data stored on our servers):
AES-256 encryption (Advanced Encryption Standard, 256-bit)
This is military-grade encryption, the same level used by government agencies
All documents, personal information, and financial data encrypted in our databases
Encryption keys are managed separately from the data itself
What this means in practice: Even if someone somehow gained access to our database servers (extremely unlikely given our other protections), they couldn't read the data without the encryption keys, which are stored separately and protected by additional security layers.
In backups:
All backup data is also encrypted
Backups are stored in geographically separate locations
Multiple backup copies ensure data recovery even in catastrophic events
Backup encryption keys are separately managed
Passwordless Authentication: More Secure Than Traditional Passwords
Sunset uses a modern, more secure authentication method than traditional passwords:
How Sunset authentication works:
You enter your phone number to log in
We send a secure, one-time code via text message to that phone number
You enter the code to access your account
Each code expires after a short period and can only be used once
Why this is more secure than passwords:
No password to steal or guess:
Hackers can't steal your Sunset password because we don't have one
No password means no password to be compromised in data breaches
Can't be guessed, brute-forced, or cracked
Not vulnerable to password reuse attacks (where hackers try passwords stolen from other sites)
Phone number as identity verification:
Your phone number is tied to a physical device you control
Someone would need both your phone number AND physical access to your phone to log in
Even if someone knows your phone number, they can't receive the code without your phone
Time-limited codes:
Each code expires within minutes
Can only be used once
Old codes become invalid immediately after use or expiration
Reduces window of opportunity for attackers
SMS delivery security:
Codes are sent directly to your phone
Not stored in our systems after generation
Each authentication attempt generates a new unique code
What this means for you:
No passwords to remember:
You don't need to create, remember, or manage a complex password
No need to use password managers (though we still recommend them for other accounts)
Can't accidentally use a weak password
No password to update:
No periodic password change requirements
No "forgot password" vulnerabilities
No password reset links that can be intercepted
Simple and secure:
Enter phone number
Receive code
Enter code
Access account
If you don't have access to your phone:
Sometimes you may not have access to the phone number registered with Sunset:
Common scenarios:
Lost or stolen phone
Changed phone numbers and forgot to update account
Traveled internationally without phone access
Phone is broken or not receiving texts
Incorrectly entered phone number during signup
What to do:
Email [email protected] from any email address
Include in your message:
Your name
The deceased's name
The phone number you believe is registered (if you know it)
Brief explanation of situation
Alternative phone number if you have a new one
Our team will verify your identity through other means
We'll update your phone number or provide alternative access
You'll receive email confirmation once resolved
Identity verification without phone access: When you can't receive SMS codes, we verify your identity by:
Confirming information about the deceased and estate
Verifying details from your account history
Asking security questions based on information you provided during signup
Cross-referencing with documents you've uploaded
This ensures we're helping the legitimate account holder while maintaining security.
Response time: Usually within 24 hours, often much faster during business hours.
Access Controls and Authentication
Not everyone can access your data - in fact, very few people can:
Your access:
Unique phone number required for authentication
One-time codes for each login session
Codes expire after short period (typically 10 minutes)
Session timeout after period of inactivity (you're automatically logged out)
Login attempts monitored for suspicious activity
Multiple failed authentication attempts trigger additional security checks
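An added example, not Sunset's code: a minimal server-side sketch of the one-time-code rules listed above (new code per attempt, 10-minute expiry, single use, repeated failures stop further attempts). The class name OtpVerifier, the 6-digit length, the 5-failure threshold, and keeping only a keyed hash of each code are assumptions; the phone numbers in the demo are constructed.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 600   # "typically 10 minutes" per the page
MAX_FAILED_ATTEMPTS = 5  # assumed threshold; the page gives no number
CODE_DIGITS = 6          # assumed length; the page gives no number


@dataclass
class Challenge:
    digest: bytes       # keyed hash of the code; the plaintext is never kept
    expires_at: float


class OtpVerifier:
    """In-memory one-time-code issuer and verifier (hypothetical)."""

    def __init__(self, server_key=None):
        self._key = server_key or secrets.token_bytes(32)
        self._pending = {}   # phone number -> Challenge
        self._failures = {}  # phone number -> wrong guesses since last success

    def _digest(self, phone, code):
        # Bind the digest to the phone number so a code issued for one
        # number can never validate for another.
        msg = f"{phone}:{code}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def _locked(self, phone):
        return self._failures.get(phone, 0) >= MAX_FAILED_ATTEMPTS

    def issue(self, phone, now=None):
        """Return a fresh code, or None if the number is locked.

        Issuing replaces any earlier code for the number but does not
        reset the failure counter, so requesting new codes cannot be
        used to buy unlimited guesses.
        """
        now = time.time() if now is None else now
        if self._locked(phone):
            return None
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[phone] = Challenge(
            self._digest(phone, code), now + CODE_TTL_SECONDS
        )
        return code  # handed to the SMS gateway, not stored

    def verify(self, phone, code, now=None):
        """Return 'ok', 'locked', 'no_code', 'expired' or 'wrong'."""
        now = time.time() if now is None else now
        if self._locked(phone):
            return "locked"  # needs the additional checks the page mentions
        challenge = self._pending.get(phone)
        if challenge is None:
            return "no_code"
        if now >= challenge.expires_at:
            del self._pending[phone]
            return "expired"
        # Constant-time comparison avoids leaking how many bytes matched.
        if hmac.compare_digest(challenge.digest, self._digest(phone, code)):
            del self._pending[phone]          # single use
            self._failures.pop(phone, None)   # success clears the counter
            return "ok"
        self._failures[phone] = self._failures.get(phone, 0) + 1
        return "wrong"


if __name__ == "__main__":
    v = OtpVerifier()
    phone = "+15555550100"  # constructed number
    code = v.issue(phone, now=0.0)
    print(v.verify(phone, code, now=30.0))   # first use
    print(v.verify(phone, code, now=31.0))   # replay of the same code
```

The failure counter is kept per phone number rather than per code, which is what makes the guess limit hold across repeated code requests.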
Sunset employee access:
Extremely limited access to customer data
Only employees who specifically need access to help you have it
All access is logged and monitored
Regular access reviews ensure no unnecessary permissions
Background checks on all employees with data access
Signed confidentiality agreements
Role-based access: Sunset employees have different access levels based on their role:
Customer support: Can view account status, help with technical issues, but cannot see SSNs or full account numbers
Document processing team: Can view uploaded documents only when processing your case
Engineering team: Cannot access customer data in production systems
Management: Limited access, only for oversight purposes
Audit logging: Every access to customer data is logged:
Who accessed it
When it was accessed
What was viewed or modified
From what IP address
Why (ticket number or reason)
These logs are regularly reviewed for any unusual or unauthorized access patterns.
Secure Document Handling
Documents containing sensitive information (death certificates, identification, court documents, etc.) require special handling:
Upload process:
Upload only through Sunset's secure dashboard (hellosunset.com after logging in)
Never email sensitive documents to regular email addresses
Files are encrypted immediately upon upload
Virus and malware scanning on all uploaded files
Storage:
Documents stored in encrypted format
Redundant storage across multiple data centers
Geographic distribution protects against regional disasters
Automatic backups with point-in-time recovery
Transmission to institutions: When we send your documents to financial institutions:
Sent via secure methods only (encrypted email, secure portals, or physical mail)
Never sent via regular unencrypted email
Tracked for delivery confirmation
Each institution's security requirements followed
Retention and deletion:
Documents retained only as long as necessary for estate settlement
After case completion, documents can be retained for your records or deleted upon request
Deleted documents are cryptographically erased, not just removed from view
Backup copies are also purged during scheduled backup rotations
Infrastructure Security
The servers and systems that run Sunset are protected by multiple security layers:
Cloud infrastructure:
Hosted on enterprise-grade cloud platforms (like AWS or Google Cloud)
These providers maintain their own extensive security certifications
Physical security of data centers (guards, cameras, biometric access)
Environmental controls (fire suppression, climate control, power redundancy)
Network security:
Firewalls protecting all systems
Intrusion detection systems monitoring for attacks
DDoS (Distributed Denial of Service) protection
Network segmentation isolating sensitive systems
Virtual Private Networks (VPN) for any remote employee access
Application security:
Regular security updates and patching
Vulnerability scanning of all code
Secure coding practices followed by development team
Code review process before any changes go live
Staging environments for testing before production deployment
Monitoring and alerting:
24/7 monitoring of all systems
Automated alerts for suspicious activity
Security Information and Event Management (SIEM) system
Real-time detection of potential security incidents
Testing and Verification
We don't just set up security and assume it works - we regularly test it:
Penetration testing:
Annual penetration tests by independent security firms
"Ethical hackers" attempt to break into our systems
Tests cover web application, network, and infrastructure security
Any vulnerabilities discovered are immediately addressed
Re-testing after fixes to confirm resolution
Vulnerability scanning:
Automated scanning of all systems multiple times per week
Identification of known vulnerabilities in software components
Prioritized remediation based on severity
Tracking of all findings and resolutions
Security assessments:
Regular internal security reviews
Third-party security audits (beyond SOC 2)
Compliance assessments for relevant regulations
Red team exercises (simulated attacks)
Authentication security testing:
Regular testing of SMS code delivery
Monitoring for SMS interception attempts
Testing of rate limiting and brute force protections
Verification of code expiration mechanisms
Bug bounty consideration: While not currently operating a public bug bounty program, we take reports of security vulnerabilities seriously and have processes for security researchers to report issues responsibly.
Privacy Protections
Security protects data from unauthorized access. Privacy governs how we use, share, and manage your information:
What we collect:
Information you provide: deceased's name, date of birth, date of death, SSN, addresses
Your information: name, phone number, relationship to deceased, contact information
Documents you upload: death certificates, court documents, identification
Account discovery results: accounts found, balances, institutions
Usage information: how you use Sunset, pages visited, features used
Phone number for authentication
What we don't collect:
We don't access your personal financial accounts
We don't track your browsing outside of Sunset
We don't sell or share your data with third parties for marketing
We don't use your data for purposes unrelated to your estate settlement
We don't store passwords (because we don't use them)
How we use your information:
To provide our services (account discovery, document preparation, closure coordination)
To communicate with you about your case
To verify your identity and authority
To send authentication codes to your phone
To submit documents to financial institutions on your behalf
To comply with legal obligations
To improve our services (aggregate, anonymized data only)
Who we share information with:
Financial institutions: Only the information they need to process your requests (death certificate, account numbers, etc.)
Our banking partner: To set up estate bank account
SMS provider: Your phone number to deliver authentication codes (under strict privacy agreement)
Service providers: Companies that help us operate (cloud hosting, email services, etc.) - all under strict confidentiality agreements
Legal authorities: Only if required by law (court orders, subpoenas)
Who we DON'T share with:
Marketing companies
Data brokers
Other customers
Social media platforms
Anyone else not directly necessary for providing our services
Your privacy rights:
You have the right to:
Access all your data we hold
Correct inaccurate information
Request deletion of your data (after estate settlement complete)
Update your phone number at any time
Opt out of non-essential communications
Know how your data is being used
Receive your data in portable format
To exercise these rights, email [email protected] with your request.
Data Sharing with Multiple Heirs
When multiple family members are involved in an estate:
Controlled access:
Primary account holder (executor) controls who has access
Additional users can be granted viewing access
Each additional user needs their own phone number for authentication
Viewing access level can be read-only or allow communication with support
Primary account holder can revoke access at any time
What additional users can see:
Discovered accounts and status
Closure progress
Estate bank account balance (if granted)
Communications from Sunset
What additional users cannot see:
Full Social Security Numbers (may be partially masked)
Highly sensitive documents (configurable by primary user)
Account credentials or security settings
Primary user's phone number
Privacy between heirs: If you're concerned about sharing certain information with other heirs, you can:
Grant limited access (view account status but not documents)
Share only summary information
Handle everything yourself without granting access
Example: Executor grants her brother viewing access to see which accounts have been found and closure status, but doesn't grant access to view uploaded documents or full SSN, maintaining some privacy while providing transparency. Brother logs in with his own phone number.
Secure Communication Practices
How to communicate securely with Sunset:
For sensitive information:
Use in-app secure messaging (after logging in)
Reply to emails from @hellosunset.com (our email system is secure)
Upload documents through dashboard only
What to avoid:
Don't email sensitive documents to personal email addresses
Don't send SSNs via regular unencrypted email
Don't text sensitive information
Don't share authentication codes with anyone
If you accidentally sent something insecurely: Email [email protected] and we'll help you delete it and re-send securely.
Email security:
All Sunset emails are sent from @hellosunset.com domain
We use email authentication (SPF, DKIM, DMARC) to prevent spoofing
Our email system encrypts messages in transit
Sensitive information in emails is masked or avoided
Beware of phishing:
Sunset will never ask for your authentication code via email
We won't request sensitive information via unsolicited email
Always verify email sender is actually @hellosunset.com
Suspicious email? Forward to [email protected] for verification
SMS security:
Authentication codes are only sent to your registered phone number
Codes expire quickly (typically 10 minutes)
Each code can only be used once
Never share authentication codes with anyone, including people claiming to be from Sunset
Sunset will never call or email asking for your authentication code
Account Security Best Practices
You play an important role in security too:
Protect your phone number:
Your phone number is your key to accessing Sunset
Keep your phone secure with a passcode or biometric lock
Don't share your phone with untrusted individuals
Be aware of SIM swap attacks (contact your mobile carrier about protection)
Protect authentication codes:
Never share authentication codes with anyone
Not with family members, not with people claiming to be from Sunset, not with anyone
Codes are for your use only
Each code expires quickly and should be used immediately upon receipt
Update your phone number if it changes:
Log in to Sunset and update your phone number in settings
Or email [email protected] with your new number
Keep your contact information current to maintain access
Don't share account access:
Each person who needs access should have their own login with their own phone number
Don't give your phone to family members to log in as you
If multiple heirs need access, use Sunset's multi-user features
Secure your devices:
Use password/biometric lock on phone and computer
Keep operating system and browser updated
Use antivirus software
Avoid using Sunset on public computers (libraries, internet cafes)
Enable "Find My Phone" features in case your device is lost or stolen
Secure your connection:
Avoid using Sunset on public WiFi when possible
If you must use public WiFi, use a VPN
Ensure you see "https://" and lock icon in browser address bar
Log out when finished:
Especially on shared computers
Use "log out" button rather than just closing browser
Clear browser history on shared computers
Your session will automatically expire after inactivity
Monitor account activity:
Review login history if available
Report any suspicious activity immediately
If you receive authentication codes you didn't request, someone may be trying to access your account
Change your phone number if compromised and contact support immediately
Incident Response and Breach Notification
Despite all protections, no system is 100% immune to security incidents. Here's what we do if something goes wrong:
Incident response plan:
Immediate containment of any security incident
Assessment of scope and impact
Forensic investigation to understand what happened
Remediation to fix the vulnerability
Review and improvement of security measures
Breach notification: If there's ever a data breach affecting your information:
We'll notify you promptly (as required by law, typically within 72 hours)
Explain what information was affected
Describe what we're doing about it
Provide guidance on how to protect yourself
Offer credit monitoring or identity theft protection if appropriate
Transparency: We believe in transparent communication about security. If something happens, we'll tell you clearly and honestly rather than minimizing or hiding the issue.
Third-Party Security
Sunset works with carefully selected vendors and partners:
Vendor security requirements:
All vendors must meet minimum security standards
SOC 2 or equivalent certification preferred
Contractual requirements for data protection
Regular vendor security assessments
Right to audit vendor security practices
Examples of third parties and their security:
Cloud infrastructure provider (AWS, Google Cloud, Azure):
SOC 2, ISO 27001 certified
Physical security of data centers
Network and infrastructure security
Their certifications supplement ours
SMS provider (for authentication codes):
Secure API connections
Encrypted transmission of messages
Privacy protections for phone numbers
Reliable delivery infrastructure
No storage of message content after delivery
Banking partner (for estate accounts):
FDIC-insured bank
Regulated financial institution with comprehensive security requirements
Bank-level security for all account data
Separate authentication for bank account access
Email service provider:
Encrypted transmission
Spam and malware filtering
Compliance with email security standards
Document storage:
Encrypted storage
Access controls and logging
Redundant, geographically distributed
Regular security audits
Customer support platform:
Secure access controls
Encryption of customer data
Audit logging
Privacy compliant
Data Minimization
We collect and retain only what we need:
What this means:
We don't ask for information we don't need
We don't store information longer than necessary
We don't access more data than required for specific tasks
We provide options to delete data when no longer needed
Examples:
We need: Deceased's Social Security Number (for account discovery and verification). We don't need: Your children's names unless they're heirs.
We need: Death certificate (legal requirement for account closures). We don't need: Medical records or detailed cause of death information.
We need: Your phone number (for secure authentication). We don't need: Your full phone history or call logs.
We need: Your contact information (to communicate with you). We don't need: Your full employment history.
Data retention periods:
During active case: All data retained as needed for estate settlement
After case completion:
Documents and data retained for your reference (1-2 years typical)
Option to request deletion at any time after completion
Some information retained longer for legal compliance (7 years for financial records)
Payment records retained per financial regulations
Authentication logs retained per security requirements
After account closure:
If you close your Sunset account, data deleted within 30 days
Some audit logs retained longer for security purposes
Financial transaction records retained per regulations
Regulatory Compliance
Sunset complies with relevant privacy and security regulations:
Gramm-Leach-Bliley Act (GLBA):
Federal law governing financial institutions
Requires protection of customer financial information
Mandates privacy notices and opt-out rights
Regular compliance assessments
State privacy laws:
California Consumer Privacy Act (CCPA)
Other state privacy laws
Right to know, delete, and opt-out of data sales
Sunset doesn't sell customer data, making compliance simpler
Telephone Consumer Protection Act (TCPA):
Governs SMS communications
Requires consent for automated messages
Authentication codes sent only to phone numbers you provide
Opt-out available for non-essential messages
Financial regulations:
Know Your Customer (KYC) requirements
Anti-Money Laundering (AML) compliance
Working with regulated banking partner
Industry best practices:
NIST Cybersecurity Framework
OWASP security guidelines
ISO 27001 information security standards
Transparency About Security
We believe in being transparent about our security practices:
What we share publicly:
High-level security approach (like this article)
Certifications and compliance (SOC 2 Type II)
General security practices
Authentication methodology
What we don't share publicly:
Specific technical details that could aid attackers
Exact infrastructure configuration
Detailed incident response procedures
Names of specific security vendors
SMS provider API details
This balance ensures you understand our security approach while not providing a roadmap for potential attackers.
Comparing Sunset's Security to Alternatives
Sunset vs. Handling Estate Yourself:
If you handle estate yourself:
Documents stored on your personal devices (laptop, phone, email)
Personal devices often less secure than enterprise systems
No encryption at rest for most personal files
Home internet less secure than enterprise infrastructure
No security audits or monitoring
Single point of failure (your device)
Passwords for various accounts to manage
Sunset provides:
Enterprise-grade encryption
Professional security infrastructure
Passwordless authentication (more secure)
Regular audits and testing
24/7 monitoring
Redundant, backed-up storage
SOC 2 Type II certification
Sunset vs. Local Attorney:
Attorney office security varies widely:
Some have good security, many don't
Often store documents in filing cabinets (physical security only)
Email attachments of sensitive documents common
May not have IT security expertise
No independent security audits
Smaller practices especially vulnerable
Password-based systems (if digital at all)
Sunset provides:
Consistent, audited security standards
Digital security expertise
Encrypted storage and transmission
Passwordless authentication
Regular security testing
Both Sunset and attorneys can be secure, but Sunset's dedicated digital infrastructure often provides better protection than small law office IT systems.
Common Security Questions
"Is my data safe with Sunset?"
Yes. We use the same level of security as major financial institutions. Our SOC 2 Type II certification provides independent verification that we maintain these security standards consistently. Our passwordless authentication system is more secure than traditional password-based systems used by most companies.
No system is 100% unhackable, but we employ industry-leading protections and continuously monitor for threats.
"Why don't you use passwords like other sites?"
Traditional passwords have significant security weaknesses:
People reuse passwords across sites
Passwords can be stolen in data breaches
Passwords can be guessed or brute-forced
People forget passwords and use weak ones
Passwordless authentication using SMS codes to your phone is more secure because:
Nothing to steal or guess
Requires physical access to your phone
Codes expire quickly
Each login requires a fresh code
This is the same technology used by banks and other high-security applications.
"Who at Sunset can see my information?"
Very few people. Only employees who specifically need access to help you can view your data. All access is logged and monitored. Customer support can see account status but not full SSNs or sensitive documents. Document processors can view uploaded files only when actively working on your case.
"What if someone steals my phone?"
If your phone is stolen:
Contact your mobile carrier immediately to suspend service
This prevents the thief from receiving authentication codes
Email [email protected] to update your phone number
We'll verify your identity through other means and update your number
The thief would need to unlock your phone (if you have a passcode/biometric lock) AND receive the SMS code to access Sunset. Acting quickly to suspend mobile service provides strong protection.
"What if I accidentally give someone my authentication code?"
Authentication codes expire within 10 minutes and can only be used once. If you accidentally shared a code:
Don't use that code yourself
Let it expire (wait 10 minutes)
Request a new code for your next login
Email [email protected] to report the incident
The expired code cannot be used to access your account. However, never share authentication codes - Sunset will never ask for them.
"Can I use Sunset if I don't have a cell phone?"
Sunset requires a phone number capable of receiving SMS text messages for authentication. This can be:
A mobile phone with SMS capability
Some landline phones with text messaging features
Some VoIP services that support SMS
If you don't have access to SMS, email [email protected] and we'll discuss alternative options for your specific situation.
"What if I change my phone number?"
You can update your phone number at any time:
Log in to your Sunset account (using your current number)
Go to account settings
Update your phone number
Verify the new number with a test code
Or email [email protected] and we'll update it for you after verifying your identity.
"What if I upload the wrong document?"
Contact us immediately at [email protected]. We'll delete the incorrect document from our systems. Always review files before uploading to ensure you're uploading what you intend.
"Can I delete my data after the estate is settled?"
Yes. After your estate settlement is complete, you can request deletion of your data. Some financial records must be retained for regulatory compliance (typically 7 years), but personal documents and most information can be deleted upon request.
"Is Sunset's security better than storing files on my computer?"
Generally yes. Enterprise systems like Sunset provide encryption, backups, monitoring, and redundancy that consumer devices don't have. Your personal laptop likely isn't encrypted, isn't backed up to multiple locations, and isn't monitored by security professionals 24/7. Additionally, Sunset's passwordless authentication is more secure than the password-based systems most people use.
"What happens if Sunset gets hacked?"
We have comprehensive incident response procedures. We would immediately contain the breach, assess the impact, notify affected customers, and work with law enforcement and forensic security experts. We'd also offer credit monitoring or identity theft protection services if appropriate.
More importantly, our security measures make a successful breach extremely unlikely.
"Can government agencies access my data?"
We only provide information to government agencies when legally required (valid court orders, subpoenas, etc.). We don't provide voluntary access. If we receive a lawful request, we comply with legal obligations while protecting your rights to the extent possible under law.
"How do I know this is really Sunset and not a phishing site?"
Always check the URL: https://hellosunset.com. Look for the lock icon in your browser's address bar. Our TLS certificate verifies this is the legitimate Sunset site. If you're ever uncertain, type the URL directly rather than clicking links in emails. Authentication codes will only be sent to the phone number you registered, so if you receive codes from an unexpected source, don't use them.
"What if I receive an authentication code I didn't request?"
If you receive an authentication code via SMS but didn't try to log in:
Don't use the code
Someone may be trying to access your account
Let the code expire (it expires in 10 minutes)
Email [email protected] immediately to report the incident
Consider whether your phone number might be compromised
We can investigate and add additional security measures to your account if needed.
What To Do If You Have Security Concerns
If you suspect unauthorized access to your account:
Don't use any authentication codes you receive
Email [email protected] with subject "SECURITY CONCERN"
We'll investigate login attempts
We may temporarily restrict access while we verify your identity
Consider contacting your mobile carrier about SIM swap protection
If you think you received a phishing text:
Don't click any links in the text
Don't provide any information
Delete the message
Contact [email protected]
Real Sunset authentication codes come only in response to your login attempts
If you accidentally sent sensitive information insecurely:
Email [email protected] immediately
We'll help you securely re-send
We'll ensure insecure copy is deleted
If you shared an authentication code with someone:
Let the code expire (wait 10 minutes)
Email [email protected] to report the incident
We'll monitor for unauthorized access attempts
Consider updating your phone number if you believe it's compromised
If your phone was lost or stolen:
Contact your mobile carrier to suspend service immediately
Email [email protected] to update your phone number
We'll verify your identity and update to a new number
The suspended phone number cannot receive new authentication codes
To report a security vulnerability: Email [email protected] (if you're a security researcher who discovered a potential vulnerability). We appreciate responsible disclosure and take all reports seriously.
Additional Resources
To learn more about our security and privacy practices:
Review our Privacy Policy at hellosunset.com/privacy
Review our Terms of Service at hellosunset.com/terms
Request a copy of our SOC 2 report (available to customers under NDA)
For specific security questions: Email [email protected] with subject "Security Question"
The Bottom Line on Security and Privacy
Sunset handles your most sensitive information with the highest level of security:
Bank-level encryption protecting data everywhere
SOC 2 Type II certification verified by independent auditors
Passwordless authentication more secure than traditional passwords
Regular penetration testing and security audits
Strict access controls limiting who can see your data
Comprehensive privacy protections
Transparent communication about our practices
Your information is safer with Sunset's enterprise security infrastructure than on personal devices or in typical small office environments. We invest heavily in security because we understand the sensitivity and importance of the information you've entrusted to us during this difficult time.
Our passwordless authentication system eliminates the vulnerabilities associated with traditional passwords while providing a simpler, more secure way to access your account. Your phone number and physical possession of your phone provide strong two-factor authentication without the hassle of password management.
If you have any questions or concerns about security and privacy, or if you need help accessing your account, please don't hesitate to contact us at [email protected]. We're here to ensure you feel confident that your information is protected and that you can always access your account when needed.