Security
Last updated: March 14, 2026
Note: If these Terms, Policies, or Agreements are available in multiple languages, and any discrepancies exist between translations, the English version shall prevail.
BabySea is built with security as a core requirement, not an afterthought. This page summarises the controls in place across infrastructure, application, and data layers.
1. Infrastructure
BabySea operates three isolated data regions (US, EU, APAC) with no cross-region data synchronisation. All inbound traffic is protected by Cloudflare WAF and DDoS mitigation. API compute runs on Vercel edge functions, which are stateless and do not persist request data between invocations. See Data sovereignty for region-specific details.
2. Authentication and access
| Control | Detail |
|---|---|
| API key storage | bcrypt-hashed; plaintext is never persisted |
| Key permissions | Scoped at creation; cannot be escalated after issuance |
| IP allowlisting | Per-key IP allowlist enforced on all proxy routes |
| Key rotation | Configurable grace period; old key remains valid until expiry |
| Role-based access | Primary Owner / Owner / Member roles on team accounts |
3. Encryption
| Layer | Method |
|---|---|
| Transport | HTTPS enforced everywhere (Cloudflare + Vercel TLS) |
| Webhook secrets at rest | AES-256-GCM |
| IP addresses in logs | SHA-256 hashed before storage |
4. Application security
All API routes validate input against strict schemas before processing. Content Security Policy headers are set at the edge. Row-Level Security policies are enforced on all database tables. Deployment pipelines include automated checks to prevent accidental exposure of secrets.
5. Webhook security
Webhook payloads are signed with HMAC-SHA256 for integrity verification. Replay protection is enforced via timestamp validation. Each delivery carries a unique delivery ID for idempotency. Webhook signing secrets can be rotated at any time. See the webhook docs for verification examples.
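The receiver-side checks this section describes, as an added example that is not BabySea's code or its documented scheme. The signed-string layout `<delivery_id>.<timestamp>.<body>`, the hex encoding, the 300-second window, and accepting a previous secret during rotation are all assumptions; the webhook docs define the real format.

```python
import hashlib
import hmac
import time

TOLERANCE_SECONDS = 300  # assumed replay window; the page does not state one


def sign(secret: bytes, delivery_id: str, timestamp: int, body: bytes) -> str:
    """Hex HMAC-SHA256 over "<delivery_id>.<timestamp>.<body>" (assumed layout)."""
    message = f"{delivery_id}.{timestamp}.".encode() + body
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


class WebhookVerifier:
    """Receiver-side checks: signature, then freshness, then idempotency."""

    def __init__(self, secrets, tolerance=TOLERANCE_SECONDS):
        self.secrets = list(secrets)  # newest first; keep the old one while rotating
        self.tolerance = tolerance
        self.seen = set()  # use a shared store with a TTL in production

    def verify(self, body, delivery_id, timestamp, signature, now=None):
        now = int(time.time()) if now is None else now
        try:
            ts = int(timestamp)
        except (TypeError, ValueError):
            return "rejected: bad timestamp"
        # 1. Integrity: sign the raw bytes as received (never re-serialised JSON)
        #    and compare in constant time against every currently valid secret.
        presented = (signature or "").encode()
        if not any(
            hmac.compare_digest(sign(s, delivery_id, ts, body).encode(), presented)
            for s in self.secrets
        ):
            return "rejected: bad signature"
        # 2. Replay: the timestamp is covered by the MAC, so it cannot be refreshed
        #    by anyone without the secret; reject anything outside the window.
        if abs(now - ts) > self.tolerance:
            return "rejected: stale timestamp"
        # 3. Idempotency: a delivery ID already handled (a retry, or a replay inside
        #    the window) is acknowledged but not processed a second time.
        if delivery_id in self.seen:
            return "duplicate"
        self.seen.add(delivery_id)
        return "accepted"
```

The signature is checked before the timestamp and delivery ID are trusted, so unauthenticated requests can neither probe the replay window nor fill the seen-ID store.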
6. Data retention and deletion
Retention windows are tier-based and enforced automatically. Deleting an account cascades to all associated data. DSAR (Data Subject Access Request) export is available as self-service through the My profile page via the Download my data action. See Data lifecycle for exact retention windows per plan.
7. Vendor security
All subprocessors are listed publicly. See List of subprocessors.
8. Responsible disclosure
Found a vulnerability? Please submit a report through our Support page or email connect@babysea.ai. We aim to acknowledge reports within 48 hours and will keep you informed as we work toward a fix. See our Acknowledgments page for recognized researchers.
9. Enterprise security and compliance
BabySea conducts periodic security assessments of its API gateway, authentication systems, financial logic, input validation, and infrastructure controls. Penetration testing is performed against production infrastructure. All subprocessors undergo documented vendor security due diligence per GDPR Art. 28 requirements.
Enterprise customers with an active enterprise agreement may request the following under a mutual non-disclosure agreement:
- Annual security assessment summary.
- Penetration test summary.
- Vendor security assessment register.
- Custom uptime SLA with service credits.
- Dedicated support SLA with severity-based response commitments.
Assessment and audit sharing is governed by the audit provisions in the Data processing agreement. To discuss enterprise requirements, contact connect@babysea.ai.