Security overview

Security is built into account access, document handling, and support operations across the platform.

This page explains the practical controls in place across account access, draft recovery, document delivery, and support operations. It is written for both customers and technical reviewers.

Each section is split into what this means for you, plus a behind-the-scenes assurance view for technical reviewers.

Technical detail on this page is intentionally limited to control categories and assurance approach, not configuration values or defensive internals.

Defence in depth: multiple controls at transport, application, and operational levels.

Least privilege: staff and users only receive the minimum access required.

Data minimisation: only necessary data is collected for delivery, support, and compliance duties.

Traceability: sensitive actions are logged for investigation and governance.

Encryption and transport security

What This Means For You

Information is encrypted as it travels between your device and our service, and browser protections are enforced to reduce common web attack risks.

Behind The Scenes

  • HTTPS/TLS is used for data in transit.
  • Response-level browser protections are enforced to reduce common web exploitation paths.
  • Session cookies use secure and HTTP-only protections in production.
  • Transport policies enforce encrypted connections in production environments.

Authentication and session hardening

What This Means For You

Account access uses expiring, one-time sign-in links. Sessions are protected so only the intended person can continue an in-progress matter.

Behind The Scenes

  • Magic-link tokens are single-use and time-limited.
  • Authentication tokens are stored server-side in non-recoverable form.
  • Session identifiers are generated using strong entropy.
  • Session and auth checks are performed on protected account and admin routes.
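The token properties listed above (single-use, time-limited, stored only in non-recoverable form, generated with strong entropy) can be illustrated with a short sketch. This is an added example of the general pattern, not the platform's own code; the class name, the in-memory table and the 15-minute lifetime are assumptions made for illustration.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime; the page publishes no value


class MagicLinkStore:
    """In-memory stand-in for a server-side token table (hypothetical)."""

    def __init__(self, clock=time.time):
        self._rows = {}       # sha256(token) -> {"email", "expires_at", "used"}
        self._clock = clock   # injectable so expiry can be tested

    @staticmethod
    def _digest(token: str) -> str:
        # A 256-bit random token needs no salt or slow hash: it cannot be guessed.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, email: str) -> str:
        token = secrets.token_urlsafe(32)  # 32 bytes from the OS CSPRNG
        self._rows[self._digest(token)] = {
            "email": email,
            "expires_at": self._clock() + TOKEN_TTL_SECONDS,
            "used": False,
        }
        return token  # appears only in the e-mailed link, never in storage

    def redeem(self, token: str):
        """Return the e-mail the token was issued to, or None if rejected."""
        row = self._rows.get(self._digest(token))
        if row is None or row["used"] or self._clock() >= row["expires_at"]:
            return None
        # Burn the token before any session is created. A real database would
        # do this as one atomic UPDATE ... WHERE used = 0 to stop replay races.
        row["used"] = True
        return row["email"]


def new_session_id() -> str:
    """Session identifier with the same entropy as the link token."""
    return secrets.token_urlsafe(32)
```

Because only the digest is stored, a leaked copy of the token table cannot be turned back into working sign-in links.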

Authorisation and least privilege

What This Means For You

People only get access to the information they are meant to see. Customer data, support data, and admin actions are separated by permissions.

Behind The Scenes

  • Role and ownership checks are applied to sensitive API routes.
  • Administrative routes are gated independently from customer routes.
  • Document sharing and ticket visibility are constrained by account relationship and role.
  • Sensitive actions are tied to authenticated identity before execution.

Input validation and anti-abuse

What This Means For You

We filter malicious or malformed requests to help keep forms reliable and reduce spam, bot abuse, and brute-force behaviour.

Behind The Scenes

  • Structured schema validation is used on critical request bodies.
  • Input sanitisation is applied before processing sensitive flows.
  • Payload size limits and honeypot checks reduce automated abuse.
  • Layered rate controls are applied on high-risk routes such as verification and authentication.

Document integrity and controlled release

What This Means For You

Document access is controlled. Shared files can expire, be revoked, and be limited to approved recipients and download conditions.

Behind The Scenes

  • Generated files use integrity verification controls.
  • File shares support expiry windows, revocation, and download limits.
  • Recipient checks can require matching authenticated identity before access.
  • Document updates are saved as new versions rather than silently replacing prior outputs.

Auditability and incident readiness

What This Means For You

Important actions are recorded so issues can be investigated quickly and accurately.

Behind The Scenes

  • Security-relevant events are recorded in a tamper-evident audit trail.
  • Audit controls support detection of unauthorised modification attempts.
  • Audit events support operational triage, incident response, and data access review workflows.
  • Support and admin workflows are traceable for accountability.

Data protection and disclosure controls

  • Payment card details are handled by the payment processor; full card data is not stored in the platform application database.
  • Data access and export requests are staff-gated, identity-checked, and reviewed before release to reduce the chance of disclosure to the wrong person.
  • Where unpaid outputs exist, workflows can disclose status and account metadata while restricting access to unpaid generated documents.
  • Support and admin actions on sensitive data require role checks and are logged for accountability.

If you start on one device, you can continue on another

Drafts and progress are linked to your verified access flow so you can safely resume without losing work.

If something looks wrong, you can report it quickly

Security and privacy concerns can be raised through support and are triaged with priority handling when account safety is involved.

If you request your data, responses are controlled

Exports are reviewed before release to avoid disclosing data to the wrong person or releasing files outside authorised access rules.

How to report a concern quickly

Include the affected email/account, approximate time, pages or actions involved, and any screenshots or error text. That allows faster triage and containment.

This overview is intentionally high-level and does not publish implementation detail that would materially reduce system security.