
Memorial Data Deserves the Highest Standard of Care

Memorial content is among the most personal data anyone can entrust to a platform. Every architectural decision at Candela starts with the question: is this worthy of the families who trust us?

Encrypted in Transit and at Rest

What this means: All memorial data is protected by the same encryption standards used by banks and healthcare platforms.

All communication between your browser and Candela is encrypted using TLS 1.2 or higher. HSTS is enforced with a two-year max-age and the includeSubDomains and preload directives, so once a browser has seen the header (or ships with candela.memorial on the HSTS preload list) it will not make an unencrypted request to the domain or any of its subdomains.

Memorial photos are stored in Cloudflare R2 object storage with AES-256 encryption at rest and per-bucket access controls. Database records are stored in Turso (distributed SQLite) with encryption at rest. Presigned upload URLs are time-limited and origin-pinned to prevent unauthorized writes.

Passwords are never stored in plaintext. They are hashed using bcrypt with a cost factor of 12 and validated against a server-side complexity policy (uppercase, lowercase, and digit required). Per-account lockout activates after five failed attempts within fifteen minutes, and every login attempt runs the same bcrypt cost so that response timing stays consistent from one attempt to the next.

Session Security

What this means: Login sessions are cryptographically secured, and compromised passwords can be revoked instantly across all devices.

Authentication tokens are JSON Web Tokens signed with HMAC-SHA256; the verifier accepts only the HS256 algorithm, so a token whose header names another algorithm (or none) is rejected before its signature is considered. Each token carries a per-user version number that is checked against the server on every request, which enables immediate session revocation: when a user resets their password, the version is bumped and all prior sessions are invalidated instantly.

Tokens are stored in httpOnly cookies with the Secure and SameSite=Lax attributes, preventing client-side JavaScript access and mitigating cross-site request forgery for state-changing (non-GET) requests. JWT secrets are a minimum of 32 characters in production, enforced at application startup.

Candela supports passwordless sign-in through magic links delivered via email and Apple Sign-In for native device authentication. Magic link tokens are single-use and are only accepted via POST requests, so an email scanner or link preview that merely fetches the URL does not consume the token.

Apple Wallet Integration

What this means: Prayer cards use the same signing technology as airline boarding passes and cannot be forged or tampered with.

Every Candela prayer card is a cryptographically signed PKPass file generated using Apple Developer Program signing certificates and the Apple Worldwide Developer Relations (WWDR) intermediate certificate. iOS verifies the cryptographic signature chain before a pass can be added to a user's Wallet. Signing certificates and private keys are stored securely on the server, never exposed to client-side code, and rotated according to Apple's certificate lifecycle.

Each pass has a unique serial number generated with a cryptographically secure random UUID, and an authentication token generated from 32 bytes of cryptographic randomness. The raw token is embedded in the pass for device registration callbacks. The server stores only a SHA-256 hash of the token and verifies it using timing-safe comparison, preventing both token extraction from the database and timing-based attacks.

The PassKit web service validates the pass type identifier and serial number format before any authentication check, rejecting malformed requests at the earliest possible stage. Conditional requests are supported through If-Modified-Since/304 responses to minimize unnecessary data transfer. Push notifications are delivered through Apple Push Notification service (APNs) over HTTP/2 with connection pooling and ES256-signed JWT authentication.

Once saved, prayer cards are available offline on the device without any internet connection. No personal information from the attendee is collected during the save process.

Role-Based Permissions

What this means: Each person gets access to exactly what they need and nothing more, enforced on every request.

Every memorial has a role hierarchy: owner, coordinator, editor, and viewer. Each role determines what actions a user can take. Only owners can transfer ownership or delete a memorial. Coordinators manage content moderation, invitations, and visibility settings. Editors can add and edit content. Viewers have read-only access.

Organization accounts support multiple staff members with their own role hierarchy: owner, director, and staff. Role checks are enforced server-side on every API request. Memorial-scoped queries always include the memorial identifier in the WHERE clause, preventing cross-memorial data access.
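The role gating and memorial-scoped lookup described above, as an added example written for this page; it is not Candela's code. The role ranks, the action table and the membership and photo rows are assumptions and constructed data that follow the page's description, and the two lookup functions show the difference between a query keyed on the row id alone and one that also carries the memorial id in its WHERE clause.

```javascript
// Added example (not Candela's code): deny-by-default role checks plus a
// vulnerable and a hardened row lookup. Role ranks and actions are assumptions.
const MEMORIAL_ROLES = { viewer: 0, editor: 1, coordinator: 2, owner: 3 };
const ACTION_MIN_ROLE = {
  'memorial:read': 'viewer',
  'content:create': 'editor',
  'content:edit': 'editor',
  'moderation:review': 'coordinator',
  'invite:send': 'coordinator',
  'visibility:set': 'coordinator',
  'memorial:transfer': 'owner',
  'memorial:delete': 'owner',
};
const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Unknown roles (including "no membership") and unknown actions never pass.
function can(role, action) {
  if (!has(ACTION_MIN_ROLE, action) || !has(MEMORIAL_ROLES, role)) return false;
  return MEMORIAL_ROLES[role] >= MEMORIAL_ROLES[ACTION_MIN_ROLE[action]];
}

// Constructed rows standing in for the memberships and photos tables.
const memberships = [
  { userId: 'u1', memorialId: 'm1', role: 'owner' },
  { userId: 'u2', memorialId: 'm1', role: 'viewer' },
  { userId: 'u2', memorialId: 'm2', role: 'owner' },
];
const photos = [
  { id: 'p1', memorialId: 'm1', key: 'm1/p1.jpg' },
  { id: 'p2', memorialId: 'm2', key: 'm2/p2.jpg' },
];

function roleOf(userId, memorialId) {
  return memberships.find((m) => m.userId === userId && m.memorialId === memorialId)?.role;
}

// Vulnerable shape: the role check is correct, but the row lookup trusts the
// photo id alone (SQL equivalent: DELETE FROM photos WHERE id = ?). u2 owns m2,
// so calling this with memorialId=m2 and p1 (which belongs to m1) succeeds.
function photoToDeleteUnscoped(userId, memorialId, photoId) {
  if (!can(roleOf(userId, memorialId), 'content:edit')) return { status: 403 };
  const photo = photos.find((p) => p.id === photoId);
  return photo ? { status: 200, photo } : { status: 404 };
}

// Hardened shape as the page describes: the memorial id is part of the WHERE
// clause (DELETE FROM photos WHERE id = ? AND memorial_id = ?), so a row from
// another memorial is simply not found, whatever role the caller holds there.
function photoToDeleteScoped(userId, memorialId, photoId) {
  if (!can(roleOf(userId, memorialId), 'content:edit')) return { status: 403 };
  const photo = photos.find((p) => p.id === photoId && p.memorialId === memorialId);
  return photo ? { status: 200, photo } : { status: 404 };
}
```

The point of the scoped version is that authorization and data access use the same memorial id: the role check proves the caller may act on memorial X, and the query can only ever return rows of memorial X, so there is no way to combine a legitimate role on one memorial with a guessed id from another.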

Memorial pages are private by default, accessible only through a direct link. Families choose whether to make their memorial public. Photo contributions from non-trusted users go through a moderation queue before appearing on the memorial.

Defense in Depth

What this means: Multiple independent security layers protect against common web attacks, from spam bots to data injection.

Candela enforces a strict Content Security Policy that restricts script sources, prevents framing (X-Frame-Options: DENY together with the CSP directive frame-ancestors 'none'), and blocks MIME type sniffing (X-Content-Type-Options: nosniff). The Permissions-Policy header disables camera, microphone, geolocation, payment, USB, and display-capture APIs by default.

All user input is validated with Zod schemas at the API boundary before any processing occurs. File uploads are validated server-side for file size (1 byte to 50 MB), MIME type (JPEG, PNG, WebP, and HEIC only), filename (no path separators), and magic bytes (verified with Sharp after upload). Rate limiting is applied to authentication, card generation, photo upload, inquiry, and invitation endpoints.
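The upload checks listed above in the order the page gives them, as an added example written for this page; it is not Candela's code. The page says the magic bytes are verified with Sharp after upload; the small sniffer here is my stand-in for that step, and the ISO BMFF brand list it treats as HEIC, the error strings and the sample buffers are all assumptions or constructed data.

```javascript
// Added example (not Candela's code): server-side upload validation.
// The magic-byte sniffer stands in for the Sharp check the page mentions.
const MIN_BYTES = 1;
const MAX_BYTES = 50 * 1024 * 1024;
const ALLOWED_MIME = new Set(['image/jpeg', 'image/png', 'image/webp', 'image/heic']);

function isSafeFilename(name) {
  return typeof name === 'string'
    && name.length > 0 && name.length <= 255
    && !/[\\/\0]/.test(name)            // no path separators, no NUL
    && name !== '.' && name !== '..';
}

// Detect the real container from leading bytes; null when unrecognised.
function sniffImageType(buf) {
  if (buf.length >= 3 && buf[0] === 0xff && buf[1] === 0xd8 && buf[2] === 0xff) return 'image/jpeg';
  const pngSig = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]);
  if (buf.length >= 8 && buf.subarray(0, 8).equals(pngSig)) return 'image/png';
  if (buf.length >= 12 && buf.toString('latin1', 0, 4) === 'RIFF' && buf.toString('latin1', 8, 12) === 'WEBP') return 'image/webp';
  if (buf.length >= 12 && buf.toString('latin1', 4, 8) === 'ftyp') {
    // ISO BMFF: major brand sits at offset 8. Treating these brands as HEIC is an assumption.
    const brand = buf.toString('latin1', 8, 12);
    if (['heic', 'heix', 'hevc', 'hevx', 'mif1'].includes(brand)) return 'image/heic';
  }
  return null;
}

// Checks in the page's order: size, declared MIME, filename, then content.
// The declared type is never trusted on its own; it must agree with the bytes.
function validateUpload({ filename, declaredMime, bytes }) {
  if (!Buffer.isBuffer(bytes) || bytes.length < MIN_BYTES || bytes.length > MAX_BYTES) return { ok: false, reason: 'bad-size' };
  if (!ALLOWED_MIME.has(declaredMime)) return { ok: false, reason: 'mime-not-allowed' };
  if (!isSafeFilename(filename)) return { ok: false, reason: 'bad-filename' };
  const actual = sniffImageType(bytes);
  if (actual === null) return { ok: false, reason: 'unrecognised-content' };
  if (actual !== declaredMime) return { ok: false, reason: 'content-mismatch' };
  return { ok: true, mime: actual };
}

// Constructed sample inputs: just enough header bytes to be recognised, not real images.
const SAMPLE_JPEG = Buffer.from([0xff, 0xd8, 0xff, 0xe0, 0x00, 0x10, 0x4a, 0x46, 0x49, 0x46, 0x00]);
const SAMPLE_PNG = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0x00, 0x00, 0x00, 0x0d]);
const SAMPLE_WEBP = Buffer.concat([Buffer.from('RIFF'), Buffer.from([0, 0, 0, 0]), Buffer.from('WEBPVP8 ')]);
const SAMPLE_HEIC = Buffer.concat([Buffer.from([0, 0, 0, 0x18]), Buffer.from('ftypheic'), Buffer.from([0, 0, 0, 0])]);
```

A decoder-backed check such as Sharp's metadata call goes further than this sniffer, since it also rejects files whose first bytes are right but whose body is not a decodable image; the sniffer is the cheap pre-filter you would run before handing bytes to a decoder.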

Guestbook entries use honeypot fields to block automated spam. The system returns a successful response to honeypot submissions to prevent bots from adapting. Webhook endpoints verify cryptographic signatures (Svix for email delivery, Twilio for SMS) before processing any payload.

Your Families' Data, Your Custodianship

What this means: Family data is never sold, never used for advertising, and can be fully exported or deleted at any time.

Candela never sells personal information or memorial content to any third party for any purpose. Memorial photos are never used for advertising, marketing, or AI model training without explicit consent. Data is used solely to provide the memorial service.

Candela is designed with GDPR and CCPA compliance considerations from the ground up, including data subject access rights, the right to erasure, and data portability. Families can request a complete export of their memorial content at any time, and Candela will deliver the export and delete their data within thirty days of the request.

Candela does not process protected health information (PHI). Memorial content, including names, dates, photos, and guestbook messages, is not classified as PHI under HIPAA.

Funeral homes retain full custodianship of memorial data for the families they serve. A Data Processing Agreement (DPA) is available for funeral home partners upon request. Contact hello@candela.memorial to request one.

What Happens to Memorial Data

Memorial pages are permanent. They do not expire after thirty days or require renewal fees. Families can return to their memorial at any time to add content, view messages, or simply remember.

If Candela were to cease operations, we commit to providing at least ninety days of written notice and a complete data export for every active memorial. Memorial owners can also request a full export at any time through their dashboard.

Candela runs on Railway with automated deployments, health checks, and zero-downtime deploys. Photo storage is on Cloudflare R2 with built-in redundancy across multiple data centers.

Talk to Us About Security

Schedule a walkthrough and we'll answer any security or data questions your team may have. Or review the full policies below.

Security & Data Trust | Candela for Funeral Homes