
Security Policy

Last updated: February 1, 2026

Security Commitment

At Bedtime Stories, security is not just a feature - it's the foundation of our service. We've built our platform with multiple layers of protection to safeguard your account information and story content.

Our security framework provides parents with transparency and control over their account and story data.

Infrastructure Security

European Data Centers

  • Primary data hosting on Supabase European infrastructure (Frankfurt, Germany)
  • GDPR-compliant data centers with enterprise-grade security certifications
  • Daily automated backups within European Union boundaries
  • Redundant power systems and network connectivity

Network Security

  • Cloudflare protection against DDoS attacks and malicious traffic
  • Web Application Firewall (WAF) filtering malicious requests
  • Bot protection through Cloudflare Turnstile (privacy-preserving CAPTCHA)
  • Advanced threat detection and real-time monitoring
  • Rate limiting to prevent abuse and automated attacks

Application Hosting

  • Frontend deployed on Vercel with edge computing capabilities
  • Backend hosted on Hetzner infrastructure in Germany
  • Serverless architecture minimizing attack surface
  • Automatic HTTPS enforcement (TLS 1.3)
  • Containerized deployments with isolated environments

Data Protection

Encryption Standards

  • Data in Transit: TLS 1.3 encryption for all data transmission
  • Data at Rest: AES-256 encryption for all stored data
  • Database Encryption: Column-level encryption for sensitive fields
  • File Storage: Encrypted storage for all story content and audio files
  • Backup Encryption: All backups encrypted with separate key management

Access Controls

  • Row-Level Security (RLS): Database-level isolation ensuring users only access their own data
  • Administrative Access: Multi-factor authentication required for all administrative functions
  • Principle of Least Privilege: Staff access limited to necessary functions only
  • Zero-Trust Architecture: Every request verified regardless of source

Key Management

  • Secure key storage following industry best practices
  • Separate key management for production and development environments
  • JWT signing keys with asymmetric cryptography

Children's Data Security

We apply the strictest technical and organizational controls to protect any child-related information (such as character names and ages) that parents provide when creating stories. These controls meet or exceed requirements under COPPA §312.8 and GDPR Article 32.

Enhanced Protection Measures

  • Data Minimization: We only collect character information necessary for story personalization
  • Parental Control: Only parents and guardians create accounts and decide what character information to include
  • Encryption Standards: All child-related data encrypted in transit (TLS 1.3) and at rest (AES-256)
  • Access Restrictions: Row-level security ensures only the parent account can access their child's story data
  • Immediate Deletion: Parents can permanently delete all story data and character information instantly
  • No Profiling: We never create profiles or track children's activities or preferences

Story Content Security

We implement security measures specifically for protecting your story content and preferences:

Content Protection Measures

  • Row-Level Security: Database-level isolation ensuring users can only access and modify their own stories
  • User Controls: You have full control over your story content and can delete it anytime
  • Immediate Deletion: Story data can be permanently deleted instantly upon user request
  • Content Isolation: Each user's stories are completely isolated from others
  • Prompt Monitoring: We track story generation prompts to improve our AI models and ensure appropriate content

AI Processing Security

  • Story text generation via Anthropic's secure AI infrastructure
  • Image generation through OpenAI using only story-related prompts
  • Text-to-speech conversion via ElevenLabs using only story text content (no personally identifiable information)
  • Prompt injection protection using Llama Guard LLMs and Helicon AI services
  • No permanent storage of user preferences in AI processing systems
  • Contractual data protection agreements with all AI service providers

Authentication & Authorization

User Authentication

  • Secure email/password authentication with bcrypt hashing
  • OAuth 2.0 integration with Google (with privacy protections)
  • JWT tokens with automatic refresh and 24-hour session timeout
  • Session management with secure, HttpOnly cookies
  • Account lockout protection against brute force attacks
  • Password strength requirements and breach checking

Authorization Framework

  • Role-based access control (RBAC) with granular permissions
  • API rate limiting per user and endpoint

Third-Party Security

We carefully vet all third-party services and ensure they meet our security standards:

Service Provider Requirements

  • Data Processing Agreements: All providers sign comprehensive DPAs meeting GDPR standards
  • Security Certifications: We work with service providers that maintain enterprise-grade security certifications
  • Security Assessments: Regular evaluation of service provider security practices
  • Data Minimization: Providers only receive minimum data necessary for their function
  • Incident Notification: 24-hour breach notification requirements in all contracts

Key Service Providers

  • Supabase (Database & Storage): EU-hosted, GDPR-compliant with enterprise security certifications
  • Vercel (Frontend Hosting): Global edge network with automatic HTTPS and security headers
  • Hetzner (Backend Infrastructure): German-hosted backend services with robust security
  • Cloudflare (Security & CDN): DDoS protection, WAF, and Turnstile bot protection
  • ZeptoMail (Email): GDPR-compliant transactional email service hosted in Europe
  • Anthropic (Story Generation): Secure AI text generation with enterprise-grade data protection
  • OpenAI (Image Generation): AI image creation using only story-related prompts
  • ElevenLabs (Text-to-Speech): AI voice generation using only story text content, no personal data transmitted
  • Helicon AI (Security): Prompt tracking and injection protection services
  • Sentry (Error Monitoring): Technical issue detection with personal data collection disabled

Security Monitoring

System Monitoring & Logging

  • Automated security monitoring and log collection
  • Comprehensive audit logging of all system access and data operations
  • Performance monitoring to detect potential security-related issues
  • Regular security assessments and updates
  • Log Retention: Security logs retained for 365 days with secure storage and disposal
  • PII Protection: Personal information redacted from logs before processing or analysis

Breach Notification

In the unlikely event of a data breach affecting personal information, we will notify affected users via email within 72 hours as required by GDPR. We will also notify the relevant supervisory authority (Dutch Data Protection Authority) within 72 hours as required by GDPR Article 33, unless the breach is unlikely to result in a risk to rights and freedoms. We will provide details about the incident and outline steps taken to resolve the issue.

Compliance & Certifications

We maintain compliance with relevant security standards and regulations:

  • GDPR: Full compliance with EU General Data Protection Regulation
  • Privacy Standards: Comprehensive user privacy protection compliance
  • Dutch Privacy Laws: Compliance with national data protection requirements
  • Industry Standards: Following security best practices and implementing appropriate technical measures

Security Contact & Reporting

Vulnerability Disclosure Policy

We welcome reports from security researchers and are committed to working with the security community to improve our platform's security.

Reporting Process:

  • Contact us at [email protected] with "Security Report" in the subject line
  • We will acknowledge receipt within 3 business days
  • Please allow us 90 days to investigate and resolve issues before public disclosure
  • We will provide updates on our progress and coordinate disclosure timing

Please conduct testing only on your own accounts and avoid accessing other users' data. We appreciate responsible disclosure and will work with you to address findings promptly.

Get in Touch

Have security questions or concerns? I'm here to help!


This security policy is effective as of the date listed above and is reviewed quarterly. We continuously enhance our security measures to protect your family's data.
