Vault Security

We believe that storing important documents in your HPM Partners Digital Vault is more secure than paper copies ever were. HPM Partners employs a variety of measures to ensure private information stored in your digital vault is safe, and secure from prying eyes. We selected Summitas, LLC as our Private Office partner because they meet the strict privacy and security requirements we believe are needed for people to feel safe storing highly personal and life-critical information accessible from the Internet.

You also have an important role to play in keeping your information confidential. Here's what you can do:

  • Keep your security information (Login ID and Password, challenge questions and answers, and document passphrases) in a secure place that cannot be compromised. Storing the information in a human readable form on your computer is not advisable.
  • Make sure you have a frequently updated anti-virus program running on the computers you use to access the HPM Partners Private Office.
  • Do not share your security information via unencrypted email (we recommend you place a phone call or share the information in person).

The following techniques ensure that only you, and those you appoint, can gain access to information stored in your digital vault:

  • Documents stored using HPM Partners Private Office are encrypted on YOUR computer utilizing state-of-the-art encryption standards BEFORE being uploaded to your digital vault. When you want to read a document in your vault, the encrypted file is decrypted AFTER being downloaded to YOUR computer
  • Encrypting and decrypting files only on your computer adds an additional measure of security. Why? A common practice of websites is to encrypt clear text (human readable) files using the Secure Sockets Layer (SSL) protocol while in transit between your computer and the Web server (you know you are using SSL when the URL in your browser's address bar begins with https://). SSL encrypts data while it traverses the Internet and automatically decrypts it when it arrives at the destination. While this is the approach used by most websites for credit card transactions and the handling of personal identifiable information, it introduces a potential weakness for files that must remain encrypted in storage, like those in your digital vault. The potential risk arises from the fact there's a brief moment when the clear text file is readable on the server after being decrypted by SSL and prior to being re-encrypted by the servers' encryption software. That brief moment when the file is readable on the server provides an opening for criminal attacks. The HPM Partners approach ensures your information is encrypted at all times after it leaves your computer.
  • For the digital vault, HPM Partners uses SSL only as a second line of defense since files transiting the Internet are already encrypted locally on your computer. In effect, your files are doubly encrypted: first locally in your computer, and second, during transmission using SSL. The major benefit of this approach is that in the unlikely event an SSL encrypted transmission is decoded, the decoded data would be encrypted and therefore useless.

Uploading Files TO Your Digital Vault

Downloading Files FROM Your Digital Vault

How it works

  • The encryption mechanism employed for document encryption is known as "block cipher cryptography" and the algorithm is called the Advanced Encryption Standard (AES).  AES was adopted as an encryption standard by the United States Government for managing its own secret documents and is used worldwide to protect sensitive data. The National Institute of Standards and Technology (NIST) announced its use in U.S. Federal Information Processing Standard (FIPS) Publication 197 on November 26, 2001 after a 5-year standardization process. See: for more information.
  • Every document you store with HPM Partners is encrypted and decrypted using a passphrase. A second block cipher algorithm, known as Triple DES, is used to encrypt your passphrases on YOUR computer BEFORE transmitting them for safe storage. Triple DES (Data Encryption Standard), as the name suggests, is applied three times to the same data for maximum security. Since HPM Partners encrypts your passphrase before storing it, even if a hacker managed to break into the website and decrypt the passphrase, your document could still not be decrypted without access to your login credentials (Login ID and Password). Similarly, if someone gained access to your login credentials, but did not possess your document passphrases, they would need to know the answers to at least two challenge questions in order to recover your passphrases and decrypt your documents.
  • Small programs are downloaded in real-time from The HPM Partners site to manage the encryption/decryption process. These "Java Applets" are digitally signed using a sophisticated digital certificate mechanism based on an industry standard (X.509) and provided by VeriSign®, the worldwide leader in digital security for the Web. In the unlikely event a hacker was able to gain access to, and then modify a Java Applet created for HPM Partners, you would be immediately notified that the digital signature of the modified applet was invalid and that the applet should not be trusted. See for more information.
  • All confidential information you send to, or receive from, HPM Partners Private Office, including already encrypted documents, is encrypted using SSL V3 (Secure Sockets Layer) using 256-bit encryption with modern browsers or 128-bit encryption with older browsers (HPM Partners does not allow SSL to encrypt with less than 128-bit encryption). SSL V3 is the latest standard for encrypting sensitive information while in transit over the Internet.

Security Outside the Digital Vault

  • The HPM Partners Private Office also uses Triple DES to encrypt Private Messages, Private Forums, and Calendar Events. Member permissions used to assign digital vault access rights do not expose personal identifiable information (PII) of the office owner or office members.

Third-party Compliance

  • HPM Partners selected Summitas, in part, because it adheres to the above security and privacy standards. The security techniques Summitas employs are advanced. The U.S. Government's Bureau of Industry and Security, U.S. Department of Commerce has approved Summitas' use of the technologies for the website, including the HPM Partners Private Office.  See: for more information.

  • The entire Summitas website, including the HPM Partners Private Office, is scanned on a daily basis for security vulnerabilities by McAfee® SECURE. If McAfee finds a vulnerability, Summitas must correct the problem quickly or lose the McAfee® SECURE logo. Summitas' use of McAfee helps keep you safe from identity theft, credit card fraud, spyware, spam, viruses, and online scams. See: for more information.

  • The VeriSign Secured logo present on the Summitas website indicates the validity of the VeriSign digital certificate used to authenticate the Summitas site (thereby demonstrating that you are on the real HPM Partners Private Office within the Summitas website—make sure the URL in your browser's address bar always begins with while on the Summitas site). The VeriSign digital certificate is also used to digitally "sign" the Java Applets used by the digital vault (indicating to you that the Java Applets are genuine; your browser should prompt you if the signed Java Applet has a digital signature mismatch). You can also verify the validity of the Summitas digital certificate by clicking on the VeriSign Secured™ logo.

  • The TRUSTe logo present on the HPM Partners Private Office at is awarded to companies who pass a rigorous test to ensure they employ privacy "best practices" in their disclosures, handling of personal identifiable information, notifications, and email options. The Summitas Privacy Policy at outlines our practices. In the event Summitas does not respond promptly to your privacy concerns, TRUSTe will help process your complaint (see:

  • HPM Partners Private Office is a service running within Summitas; Summitas is hosted at SunGard Data Systems. SunGard is the premier provider of integrated recovery, managed production hosting, and business continuity services for high-availability websites like