Security & Responsible Disclosure • BabyShield
Security Status: Operational
All systems protected with encryption, access controls, and continuous monitoring.

End-to-End Encryption

All data in transit is protected by HTTPS/TLS encryption. Data at rest is encrypted with industry-standard encryption via our cloud provider.


Zero-Knowledge Auth

Sign in with Apple/Google. We don't store your email, only an internal UUID and the provider subject ID.


Minimal Data Footprint

Privacy-by-design architecture. User control with in-app delete and export functions.


Continuous Monitoring

Real-time security monitoring, rate limiting, and structured error handling with trace IDs.

🏗️ Architecture & Data Flow

High-Level Security Architecture

Mobile Auth
Sign in with Apple/Google. Provider subject ID mapped to internal UUID.
API Validation
Request validation, rate limiting, unified error handling with trace IDs.
Data Processing
Official agency data aggregation. Minimal user data storage.

🛡️ Security Controls & Features


Authentication Security

Apple and Google handle identity proofing. Backend verifies tokens using official public keys and standard libraries.

Rate Limiting

Per-IP and per-account throttles protect against brute force, enumeration, and scraping attacks.

Input Validation

All query parameters and request bodies validated. Special characters normalized or rejected appropriately.

Environment Separation

Development/test and production environments separated. Production data never used in development.

Backup & Recovery

Automated database snapshots with periodic restore drills. Encrypted backups on rolling schedule.

Error Handling

Consistent JSON error schema with trace IDs for support. No sensitive stack traces exposed.

🛡️ Data Protection & Privacy


What We Store

Internal user_id (UUID) and provider sub only. No email collection for login.

Crash Diagnostics

Optional, opt-in anonymized crash logs (no user ID attached) help improve app stability.

Data Retention

Logs are retained for approximately 30-90 days. Support records are kept up to 3 years for compliance. See Privacy Policy for details.

User Control

In-app delete and export actions. Web requests initiate data removal within statutory timelines.

🚨 Responsible Disclosure Policy

Report Security Vulnerabilities

We welcome vulnerability reports. Please follow these guidelines to help keep users safe.

1. Contact Us

Email support@babyshield.cureviax.com with subject "Security report"

2. Include Details

Technical details: affected endpoint/app version, reproduction steps, impact, logs or screenshots

3. Wait for Response

We acknowledge reports within 3 business days and work toward prompt remediation
⏱️ Response Timeline

Acknowledgment: 3 Days
Assessment: Variable
Remediation: ASAP

Safe-Harbor Guidelines

Allowed Testing

Test only against your own account and data. Avoid service degradation like DDoS or excessive brute forcing.

Out of Scope

No social engineering, physical intrusion, or spam. Reports on outdated app versions that are not in current stores are also out of scope.

📢 Incident Communication

📡 How We Communicate Incidents

If we determine that an incident materially affects users or legal obligations require it, we will provide notice via appropriate channels and include recommended user actions.


In-App Messages

Critical security updates delivered directly through the app

Website Notices

Public security advisories posted on our website

Direct Email

When email addresses are available for support communications

Security Contact

Cureviax Research LLC
1111B S Governors Ave STE 34726, Dover, DE 19904, United States
Security Email: support@babyshield.cureviax.com
Website: https://babyshield.cureviax.com

For privacy requests, see Privacy Policy and Data Deletion