Security & Data Protection
This document describes QBod's security practices and technical safeguards for protecting your data. It is provided for transparency and applies to employees, contractors, and service providers.
1. Policy Scope and Purpose
1.1 Purpose
This Security & Data Protection Policy establishes the technical and organizational measures QBod LLC implements to protect user data, ensure system integrity, and maintain regulatory compliance.
1.2 Applicability
This Policy applies to:
- All QBod employees, contractors, and third-party vendors
- All systems, applications, and infrastructure processing QBod data
- All user data collected through the QBod Services
2. Data Classification
2.1 Sensitive Health Data
While QBod is not a HIPAA-covered entity, we treat the following as sensitive health data:
- Personal health metrics (weight, height, BMI, body composition)
- Medical conditions and health history (user-provided)
- Exercise performance data and injury history
- Dietary restrictions and nutrition logs
- Mental health data (stress, sleep, recovery)
Protection Level: Highest (AES-256 encryption, strict access controls, audit logging)
2.2 Personally Identifiable Information (PII)
- Name, email address, date of birth
- Device identifiers and IP addresses
- Account credentials and authentication tokens
Protection Level: High (TLS 1.3 encryption, hashed passwords, role-based access)
3. Encryption Standards
3.1 Data in Transit
- Protocol: TLS 1.3 (Transport Layer Security)
- Minimum Version: TLS 1.2 (for legacy compatibility)
- Cipher Suites: ECDHE-RSA-AES256-GCM-SHA384 and above
- HSTS: Enabled with 1-year max-age
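As an added illustration (not QBod's own configuration), a Python ssl server context that applies the section 3.1 settings, the matching HSTS header, and an audit function that flags drift from them; the cipher list is an assumption that reads "ECDHE-RSA-AES256-GCM-SHA384 and above" as the ECDHE AES-256-GCM suites, and the certificate paths are placeholders.

```python
import ssl

HSTS_MAX_AGE = 365 * 24 * 3600   # the "1-year max-age" stated in section 3.1

# Assumption: "ECDHE-RSA-AES256-GCM-SHA384 and above" is read as the ECDHE
# AES-256-GCM suites for TLS 1.2. TLS 1.3 suites are not configured through
# this string; OpenSSL keeps them enabled separately.
ALLOWED_TLS12_CIPHERS = "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384"


def build_server_context(certfile=None, keyfile=None):
    """Server-side context: TLS 1.3 preferred, TLS 1.2 floor, restricted suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # legacy floor from 3.1
    ctx.maximum_version = ssl.TLSVersion.TLSv1_3
    ctx.set_ciphers(ALLOWED_TLS12_CIPHERS)
    if certfile:   # hypothetical paths; a deployment loads its real chain here
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def hsts_header():
    """Response header enforcing HTTPS for one year, as section 3.1 states."""
    return ("Strict-Transport-Security", f"max-age={HSTS_MAX_AGE}")


def audit_context(ctx):
    """Return the deviations from the 3.1 settings (an empty list is compliant)."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum protocol version below TLS 1.2")
    for suite in ctx.get_ciphers():
        if suite["protocol"] == "TLSv1.3":
            continue   # TLS 1.3 suites are all AEAD with forward secrecy
        name = suite["name"]
        if not name.startswith("ECDHE-") or "AES256-GCM" not in name:
            findings.append(f"TLS 1.2 suite outside policy: {name}")
    return findings


def example_drifted_context():
    """Constructed misconfiguration: an AES-128 suite added to the list."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(ALLOWED_TLS12_CIPHERS + ":ECDHE-RSA-AES128-GCM-SHA256")
    return ctx
```

Running audit_context against the live server context in a deployment check catches a cipher list that was widened by a later change before it reaches production.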
3.2 Data at Rest
- Database Encryption: AES-256 encryption at rest (Supabase PostgreSQL)
- File Storage: AES-256 encryption (AWS S3 server-side encryption)
- Backup Encryption: AES-256 with separate encryption keys
- Key Management: AWS KMS (Key Management Service) for encryption key storage
3.3 End-to-End Encryption
- AI Conversations: Encrypted end-to-end between QBod and Google Gemini
- User Authentication: OAuth 2.0 tokens encrypted in transit
- Payment Data: Not stored by QBod; handled by third-party payment processors (PCI DSS compliant)
4. Authentication and Access Control
4.1 User Authentication
- Password Requirements: Minimum 8 characters, complexity enforced
- Password Storage: bcrypt hashing with unique salts (cost factor: 12)
- Session Tokens: JWT with 24-hour expiration, secure HttpOnly cookies
- OAuth Integration: Apple Sign-In and Google Sign-In (optional)
4.2 Internal Access Control
- Principle of Least Privilege: Employees have minimum necessary access
- Role-Based Access Control (RBAC): Defined roles (Engineer, Support, Admin)
- Access Logging: All database queries and admin actions logged with audit trail
- Access Review: Quarterly review of employee access permissions
5. Infrastructure Security
5.1 Cloud Infrastructure
- Providers: AWS (Amazon Web Services), Supabase (PostgreSQL)
- Regions: US-East-1 (primary), multi-region backups
- Network Security: Virtual Private Cloud (VPC) with security groups
- DDoS Protection: AWS Shield Standard (included)
- Firewall: Web Application Firewall (WAF) rules for common attack patterns
5.2 Application Security
- Input Validation: All user inputs validated and sanitized server-side
- SQL Injection Protection: Parameterized queries, no raw SQL execution
- XSS Protection: Content Security Policy (CSP) headers, output encoding
- CSRF Protection: Anti-CSRF tokens for all state-changing operations
- Rate Limiting: 100 requests/minute per user, 1000 requests/hour
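As an added example (not QBod's code), a per-user sliding-window limiter that enforces both section 5.2 limits at once, assuming both the per-minute and the per-hour figure apply per user; ManualClock is a test aid so the windows can be exercised without waiting, and answering HTTP 429 is left to the caller.

```python
import time
from collections import deque

# Limits stated in section 5.2; assumed to both apply per user.
PER_MINUTE = 100
PER_HOUR = 1000


class UserRateLimiter:
    """A request is allowed only if it fits both the 60 s and the 3600 s window
    for that user. Timestamps sit in deques so expired ones pop off the left."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._minute = {}   # user_id -> deque of request times within 60 s
        self._hour = {}     # user_id -> deque of request times within 3600 s

    @staticmethod
    def _evict(window, now, span):
        while window and now - window[0] >= span:
            window.popleft()

    def allow(self, user_id):
        now = self._clock()
        minute = self._minute.setdefault(user_id, deque())
        hour = self._hour.setdefault(user_id, deque())
        self._evict(minute, now, 60)
        self._evict(hour, now, 3600)
        if len(minute) >= PER_MINUTE or len(hour) >= PER_HOUR:
            return False   # caller answers 429 and records the event for alerting
        minute.append(now)
        hour.append(now)
        return True


class ManualClock:
    """Deterministic clock for tests and for reasoning about the windows."""

    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def burst(limiter, user_id, count):
    """Send `count` requests at the current instant; return how many were allowed."""
    return sum(1 for _ in range(count) if limiter.allow(user_id))
```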
5.3 Mobile Application Security
- Certificate Pinning: Prevents man-in-the-middle attacks
- Secure Storage: iOS Keychain and Android Keystore for sensitive data
- Code Obfuscation: Flutter obfuscation enabled for production builds
6. Backup and Disaster Recovery
6.1 Backup Strategy
- Frequency: Automated daily backups at 2:00 AM UTC
- Retention: 30 daily backups, 12 monthly backups, 7 yearly backups
- Encryption: AES-256 encryption for all backups
- Geographic Redundancy: Backups stored in separate AWS region (US-West-2)
- Testing: Monthly backup restoration tests
6.2 Disaster Recovery
- Recovery Time Objective (RTO): 4 hours (target)
- Recovery Point Objective (RPO): 24 hours (maximum data loss: 1 day)
- Failover Plan: Documented procedures for database and application failover
- Communication Plan: User notification within 2 hours of major outage
7. Incident Response
7.1 Security Incident Types
- Data Breach: Unauthorized access to user data
- System Compromise: Malware, hacking attempts, or unauthorized system access
- Denial of Service: DDoS attacks or service disruption
- Insider Threat: Employee or contractor misconduct
7.2 Incident Response Process
- Detection: 24/7 automated monitoring and alerting
- Containment: Immediate isolation of affected systems (within 1 hour)
- Investigation: Root cause analysis and forensic examination
- Remediation: Patch vulnerabilities, restore from clean backups
- Notification: User notification within 72 hours (GDPR requirement)
- Review: Post-incident review and security improvements
7.3 Breach Notification
If a data breach affects user data, QBod will:
- Notify affected users via email within 72 hours
- Notify relevant data protection authorities (EU: GDPR; US: state breach laws)
- Provide incident details, data affected, and remediation steps
8. Compliance
8.1 Current Compliance
- GDPR (General Data Protection Regulation): EU user data protection
- CCPA/CPRA (California Consumer Privacy Act): California residents
- Washington My Health My Data Act: Health data privacy for Washington residents
- EU-US Data Privacy Framework: International data transfers
8.2 Regular Audits
- Internal security audits: Quarterly
- Third-party penetration testing: Annually
- Compliance reviews: Annually
9. Third-Party Service Providers
9.1 Vendor Security Requirements
All third-party vendors must:
- Sign a Business Associate Agreement (BAA) or Data Processing Agreement (DPA)
- Demonstrate SOC 2 or ISO 27001 certification (or equivalent)
- Undergo an annual security review
- Provide breach notification within 24 hours
9.2 Current Service Providers
Google Gemini (AI Processing):
- Certification: EU-US Data Privacy Framework, SOC 2 Type II
- Data Retention: Processed for immediate response, not retained for training
Supabase (Database):
- Certification: SOC 2 Type II
- Encryption: AES-256 at rest, TLS 1.3 in transit
AWS (Infrastructure):
- Certification: SOC 2, ISO 27001, HIPAA eligible
- Security: VPC, security groups, CloudTrail audit logging
RevenueCat (Subscriptions):
- Certification: SOC 2 Type II
- Payment Processing: PCI DSS Level 1 compliant
- Data Minimization: QBod does not store payment card data
10. Contact Information
For security-related questions, concerns, or vulnerability reports:
Email: support@qbod.fit
Mailing Address: QBod LLC
For specific security requests, use subject lines:
- "Security Vulnerability Report" (responsible disclosure)
- "Security Inquiry" (general security questions)
- "Data Breach Report" (suspected breach notification)