Get started

Security

Engineered for trust, by default.

The shorthand version of how we protect your morphology data, your account, and the brands you connect.

Where your data lives

All profile data is stored in EU-region Cloud SQL (PostgreSQL 17) with Customer-Managed Encryption Keys (CMEK). The Google Cloud project is locked to europe-west1 (Belgium); no row ever leaves the EU.

Field-level encryption

Sensitive fields (email, name, raw measurements) are encrypted with sovereign keys you control. evow refuses to auto-generate the master key — you must mint it (openssl) and inject it through HashiCorp Vault. Google never holds your key material.

Authentication

We use Firebase Auth for Google OAuth and email magic links, paired with a 14-day HttpOnly + Secure session cookie signed by firebase-admin. No long-lived bearer tokens in browser memory. SameSite=Lax by default.

Transport & headers

  • HTTPS-only via Cloud Load Balancer + managed certs (HSTS preload).
  • Content Security Policy with nonce-based inline scripts.
  • Strict CORS allow-list per partner brand domain.

Disclosure

Vulnerability reports: security@evow.app. We respond under 72h, fix critical issues within 14 days, and credit ethical researchers in our hall-of-fame. PGP key available on request.

What we do not collect

  • No body photos. evow never asks for or stores images of you.
  • No third-party analytics inside the SDK. Brand integrations talk only to evow.
  • No re-selling. Your morphology is not a product. It is your data.