← Back to Home

Security

Last Updated: November 16, 2025

Our Commitment to Security

At S.A.K.U.R.A., we take the security of your data seriously. Your wellness information is personal and sensitive, and we employ industry-standard security measures to protect it.

🧪 Beta Security Status: S.A.K.U.R.A. is currently in beta. We implement core security measures (encryption, authentication, access controls) but are still building enterprise features like automated backups, multi-region redundancy, and advanced monitoring. Use caution with sensitive wellness data during the beta period.

This page outlines our current security practices and what we do to keep your information safe.

1. Data Encryption

1.1 In Transit

  • HTTPS/TLS: All data transmitted between your device and our servers is encrypted using TLS 1.2+ protocols
  • Secure APIs: All third-party integrations use encrypted connections
  • Certificate Validation: We use valid SSL certificates to ensure secure connections

1.2 At Rest

  • Database Encryption: All data stored in our database is encrypted
  • Password Hashing: Passwords are hashed using bcrypt with salt rounds
  • Secure Storage: Files and images are stored securely on Google Cloud Storage

2. Authentication & Access Control

2.1 User Authentication

  • JWT Tokens: Secure token-based authentication with short expiration times
  • Refresh Tokens: Long-lived tokens stored securely for session persistence
  • Account Verification: Email verification for new accounts
  • Password Requirements: Minimum password complexity requirements

2.2 Access Controls

  • Role-Based Access: Users can only access their own data
  • API Authorization: All API requests require valid authentication tokens
  • Admin Restrictions: Administrative access is strictly limited and monitored

3. Infrastructure Security

3.1 Cloud Platform

  • Google Cloud Platform: Enterprise-grade security infrastructure for application hosting
  • Turso Database: LibSQL cloud database with end-to-end encryption
  • Google Cloud Storage: Secure storage for user files and images

3.2 Network Security

  • Firewalls: Network-level firewalls to prevent unauthorized access
  • Rate Limiting: API rate limits to prevent abuse
  • DDoS Protection: Basic protection through Google Cloud Platform

4. Application Security

4.1 Secure Development

  • Code Reviews: Regular security-focused code reviews
  • Dependency Scanning: Automated scanning for vulnerable dependencies
  • Input Validation: All user input is validated and sanitized
  • SQL Injection Prevention: Parameterized queries to prevent SQL injection

4.2 Security Testing

  • Dependency Monitoring: Automated scanning for vulnerable dependencies
  • Code Review: Security-focused code reviews before deployment
  • Error Monitoring: Real-time monitoring for security-related errors

5. Data Privacy & Compliance

5.1 GDPR Compliance

  • Data Minimization: We only collect data necessary for our services
  • Right to Access: Export your data at any time
  • Right to Deletion: Delete your account and all data permanently
  • Consent Management: Clear consent for data collection and processing

5.2 Data Retention

  • Active Accounts: Data retained while account is active
  • Deleted Accounts: Data permanently deleted within 30 days
  • Log Data: System logs retained for security and debugging purposes

6. Third-Party Services

We carefully vet all third-party services for security:

  • Google Gemini AI: Enterprise-grade security and privacy controls
  • Google Cloud Storage: SOC 2/3, ISO 27001 certified
  • Turso Database: End-to-end encryption for data at rest and in transit
  • Wearable Device APIs: Secure OAuth 2.0 authentication

Note: While we ensure secure transmission to third parties, we cannot control their internal security practices. Please review their security policies.

7. Security Incident Response

In the event of a security incident:

  • Immediate Action: We take immediate steps to contain and mitigate the incident
  • Investigation: Thorough investigation to understand scope and impact
  • User Notification: Affected users are notified within 72 hours (GDPR requirement)
  • Remediation: Implement fixes to prevent future incidents
  • Transparency: Provide clear communication about what happened and our response

8. Security Best Practices for Users

You can help keep your account secure by:

  • Strong Passwords: Use unique, complex passwords (12+ characters with mixed case, numbers, symbols)
  • Don't Share Credentials: Never share your password or account with others
  • Secure Devices: Keep your devices and browsers up to date
  • Recognize Phishing: Be cautious of suspicious emails claiming to be from S.A.K.U.R.A.
  • Report Suspicious Activity: Contact us immediately if you notice unusual account activity
  • Log Out: Log out when using shared or public devices

9. Responsible Disclosure

If you discover a security vulnerability in our service, please report it responsibly:

Email: hello@mysakura.ca

Subject Line: "Security Vulnerability Report"

Please include:

  • Description of the vulnerability
  • Steps to reproduce
  • Potential impact
  • Your contact information (optional, for acknowledgment)

We appreciate responsible disclosure and will acknowledge all valid reports. We are committed to working with security researchers to verify and address vulnerabilities promptly.

10. Questions About Security

If you have questions about our security practices, please contact us:

Email: hello@mysakura.ca

Privacy PolicyTerms of ServiceContact Us