Security Policy

Last updated: May 30, 2026

1. Our Commitment to Security

At Wakeproof (Guse LTDA), we take the security of our users' data seriously. We implement industry-standard security measures to protect your information from unauthorized access, disclosure, alteration, and destruction.

2. Security Measures

2.1 Data Encryption

  • TLS Encryption: All data transmitted between your device and our servers is encrypted in transit using TLS 1.3
  • Password Storage: Passwords are hashed and salted; we never store plaintext passwords
  • Token Security: JWT authentication tokens are stored in the iOS Keychain

2.2 Access Controls

  • Least Privilege: Systems operate with minimal required permissions
  • Token Expiry: Authentication tokens expire automatically; sessions are cleaned up hourly
  • Face ID / Biometric Auth: Optional biometric login processed entirely on-device by iOS

2.3 Infrastructure Security

  • Cloud Infrastructure: Backend runs on Cloudflare Workers — globally distributed, DDoS-protected
  • Database: Cloudflare D1 (SQLite) with access restricted to authenticated requests only
  • File Storage: Cloudflare R2 with signed URLs for private file access
  • WAF: Cloudflare's Web Application Firewall is active on all endpoints

2.4 Application Security

  • Input Validation: All API inputs are validated with Zod schemas
  • CORS: Cross-Origin Resource Sharing is restricted to approved origins
  • Parameterized Queries: Database access goes through Drizzle ORM, which parameterizes all queries to prevent SQL injection
  • Transport Security: HTTPS enforced on all endpoints

3. Data Protection

3.1 On-Device Processing

Several sensitive operations are processed entirely on your device and never sent to our servers:

  • Photo Verify alarm challenge (Apple Vision framework)
  • Sound level detection (microphone data)
  • Shake detection (accelerometer)
  • Face ID authentication

3.2 Data Retention and Deletion

  • Account data is deleted within 30 days of account closure
  • You can delete your account at any time: Settings → Account → Delete Account
  • Subscription records are retained for 7 years for legal/tax purposes

4. Incident Response

In the event of a security incident, we will:

  1. Detect and contain the incident to prevent further impact
  2. Investigate scope, cause, and affected data
  3. Notify affected users and relevant authorities within 72 hours (per GDPR) when required
  4. Remediate vulnerabilities and restore normal service
  5. Review and improve our processes

5. Your Security Responsibilities

Help keep your account secure by:

  • Using a strong, unique password
  • Enabling Face ID for quick, secure login
  • Not sharing your login credentials
  • Logging out of shared devices
  • Reporting suspicious activity immediately

6. Responsible Disclosure

If you discover a security vulnerability in our app or backend, please report it responsibly:

  • Email: contact@guseapp.com with subject "Security Vulnerability"
  • Include detailed steps to reproduce the issue
  • Allow us reasonable time to address it before public disclosure
  • Do not exploit the vulnerability beyond what is necessary to demonstrate it

We appreciate security researchers who help us improve. Responsible disclosures are acknowledged and we work to resolve them quickly.

7. Security Updates

We continuously monitor and improve our security practices. This policy is reviewed regularly to reflect our current security posture.

8. Contact

  • Security issues: contact@guseapp.com (subject: "Security")
  • Response time: We aim to acknowledge within 24 hours