Security Policy

Last updated: August 4, 2025

Security Commitment

At Bedtime Stories Inc, security is not just a feature—it's the foundation of our service. We've built our platform with multiple layers of protection to safeguard your account information and story content.

Our security framework provides parents with transparency and control over their account and story data.

Infrastructure Security

European Data Centers

  • Primary data hosting on Supabase European infrastructure (Frankfurt, Germany)
  • GDPR-compliant data centers with enterprise-grade security certifications
  • Daily automated backups within European Union boundaries
  • Redundant power systems and network connectivity

Network Security

  • Cloudflare protection against DDoS attacks and malicious traffic
  • Web Application Firewall (WAF) filtering malicious requests
  • Bot protection through Cloudflare Turnstile (privacy-preserving CAPTCHA)
  • Advanced threat detection and real-time monitoring
  • Rate limiting to prevent abuse and automated attacks

Application Hosting

  • Frontend deployed on Vercel with edge computing capabilities
  • Backend hosted on Hetzner infrastructure in Germany
  • Serverless architecture minimizing attack surface
  • Automatic HTTPS enforcement (TLS 1.3)
  • Containerized deployments with isolated environments

Data Protection

Encryption Standards

  • Data in Transit: TLS 1.3 encryption for all data transmission
  • Data at Rest: AES-256 encryption for all stored data
  • Database Encryption: Column-level encryption for sensitive fields
  • File Storage: Encrypted storage for all story content and audio files
  • Backup Encryption: All backups encrypted with separate key management

Access Controls

  • Row-Level Security (RLS): Database-level isolation ensuring users only access their own data
  • Administrative Access: Multi-factor authentication required for all administrative functions
  • Principle of Least Privilege: Staff access limited to necessary functions only
  • Zero-Trust Architecture: Every request verified regardless of source

Key Management

  • Secure key storage following industry best practices
  • Separate key management for production and development environments
  • JWT signing keys with asymmetric cryptography

Children's Data Security

We apply the strictest technical and organizational controls to protect any child-related information (such as character names and ages) that parents provide when creating stories. These controls meet or exceed requirements under COPPA §312.8 and GDPR Article 32.

Enhanced Protection Measures

  • Data Minimization: We only collect character information necessary for story personalization
  • Parental Control: Only parents/guardians create accounts and decide what character information to include
  • Encryption Standards: All child-related data encrypted in transit (TLS 1.3) and at rest (AES-256)
  • Access Restrictions: Row-level security ensures only the parent account can access their child's story data
  • Immediate Deletion: Parents can permanently delete all story data and character information instantly
  • No Profiling: We never create profiles or track children's activities or preferences

Story Content Security

We implement security measures specifically for protecting your story content and preferences:

Content Protection Measures

  • Row-Level Security: Database-level isolation ensuring users can only access and modify their own stories
  • User Controls: You have full control over your story content and can delete it anytime
  • Immediate Deletion: Story data can be permanently deleted instantly upon user request
  • Content Isolation: Each user's stories are completely isolated from others
  • Prompt Monitoring: We track story generation prompts to improve our AI models and ensure appropriate content

AI Processing Security

  • Story text generation via Anthropic's secure AI infrastructure
  • Image generation through OpenAI using only story-related prompts
  • Text-to-speech conversion via ElevenLabs using only story text content (no personally identifiable information)
  • Prompt injection protection using Llama Guard LLMs and Helicon AI services
  • No permanent storage of user preferences in AI processing systems
  • Contractual data protection agreements with all AI service providers

Authentication & Authorization

User Authentication

  • Secure email/password authentication with bcrypt hashing
  • OAuth 2.0 integration with Google (with privacy protections)
  • JWT tokens with automatic refresh and 24-hour session timeout
  • Session management with secure, HttpOnly cookies
  • Account lockout protection against brute force attacks
  • Password strength requirements and breach checking

Authorization Framework

  • Role-based access control (RBAC) with granular permissions
  • API rate limiting per user and endpoint
  • Automatic session timeout for inactive users (24 hours)

Third-Party Security

We carefully vet all third-party services and ensure they meet our security standards:

Service Provider Requirements

  • Data Processing Agreements: All providers sign comprehensive DPAs meeting GDPR standards
  • Security Certifications: We work with service providers that maintain enterprise-grade security certifications
  • Security Assessments: Regular evaluation of service provider security practices
  • Data Minimization: Providers only receive minimum data necessary for their function
  • Incident Notification: 24-hour breach notification requirements in all contracts

Key Service Providers

Supabase (Database & Storage): EU-hosted, GDPR-compliant with enterprise security certifications

Vercel (Frontend Hosting): Global edge network with automatic HTTPS and security headers

Hetzner (Backend Infrastructure): German-hosted backend services with robust security

Cloudflare (Security & CDN): DDoS protection, WAF, and Turnstile bot protection

ZeptoMail (Email): GDPR-compliant transactional email service hosted in Europe

Anthropic (Story Generation): Secure AI text generation with enterprise-grade data protection

OpenAI (Image Generation): AI image creation using only story-related prompts

ElevenLabs (Text-to-Speech): AI voice generation using only story text content, no personal data transmitted

Helicon AI (Security): Prompt tracking and injection protection services

Security Monitoring

System Monitoring & Logging

  • Automated security monitoring and log collection
  • Comprehensive audit logging of all system access and data operations
  • Performance monitoring to detect potential security-related issues
  • Regular security assessments and updates
  • Log Retention: Security logs retained for 365 days with secure storage and disposal
  • PII Protection: Personal information redacted from logs before processing or analysis

Breach Notification

In the unlikely event of a data breach affecting personal information, we will notify affected users via email within 72 hours as required by GDPR. We will also notify the relevant supervisory authority (Dutch Data Protection Authority) within 72 hours as required by GDPR Article 33, unless the breach is unlikely to result in a risk to rights and freedoms. We will provide details about the incident and outline steps taken to resolve the issue.

Compliance & Certifications

We maintain compliance with relevant security standards and regulations:

  • GDPR: Full compliance with EU General Data Protection Regulation
  • Privacy Standards: Comprehensive user privacy protection compliance
  • Dutch Privacy Laws: Compliance with national data protection requirements
  • Industry Standards: Following security best practices and implementing appropriate technical measures

Security Contact & Reporting

For security-related inquiries, vulnerability reports, or incident reporting, please contact us:

Email Us

hello@bedtime-stories.fun

Vulnerability Disclosure Policy

We welcome reports from security researchers and are committed to working with the security community to improve our platform's security.

Reporting Process:

  • Contact us at hello@bedtime-stories.fun with “Security Report” in the subject line
  • We will acknowledge receipt within 3 business days
  • Please allow us 90 days to investigate and resolve issues before public disclosure
  • We will provide updates on our progress and coordinate disclosure timing

Please conduct testing only on your own accounts and avoid accessing other users' data. We appreciate responsible disclosure and will work with you to address findings promptly.

This security policy is effective as of the date listed above and is reviewed quarterly. We continuously enhance our security measures to protect your family's data.