CareBridger

Security

Last reviewed: 2026-04-26 · Version: 2026-04-26

CareBridger is a family caregiving product, so we treat the data you bring us as exactly as private as it is. The summaries below describe our posture; the underlying implementation is documented in our Architecture Decision Records.

Authentication and sessions

  • Email + password sign-in; passwords are hashed using argon2id with a server-side pepper.
  • Sessions are carried in HttpOnly cookies and backed by a server-side store, with a 24-hour idle expiry and a 30-day absolute expiry. WebAuthn is supported as a second factor.
  • Optional 2FA challenge is required for sensitive actions (account deletion, key export).

Storage and transport

  • All transport is TLS 1.3.
  • Data lives on Cloudflare’s edge: D1 (SQLite) for relational state, KV for sessions and rate limits, R2 for blobs (avatars, export bundles).
  • Backups: daily logical exports of D1 to R2 with object-lock and a quarterly restore drill.

Tenant isolation

Every account-scoped query goes through the ScopedRepository base, which enforces an account_id filter at the boundary. Inserts assert that the row’s account id matches the repository scope before the SQL is sent.
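
The sketch below illustrates the pattern this paragraph describes; it is an added example, not CareBridger's own code. Only the ScopedRepository name and the account_id column come from this page; Executor, ScopeViolation, RecordingDb and the table and column names used with it are assumptions.

```typescript
// Added example. Only ScopedRepository and account_id come from the page;
// Executor, ScopeViolation and RecordingDb are hypothetical names.
type Stmt = { sql: string; params: unknown[] };
interface Executor { run(stmt: Stmt): unknown[]; } // a D1 adapter would prepare/bind here

class ScopeViolation extends Error {}

// Table and column names are interpolated into SQL, so allow plain identifiers only.
function ident(name: string): string {
  if (!/^[a-z_][a-z0-9_]*$/i.test(name)) throw new ScopeViolation(`bad identifier: ${name}`);
  return name;
}

class ScopedRepository {
  private readonly db: Executor;
  private readonly table: string;
  private readonly accountId: string;

  constructor(db: Executor, table: string, accountId: string) {
    if (!accountId) throw new ScopeViolation("repository needs an account scope");
    this.db = db;
    this.table = ident(table);
    this.accountId = accountId;
  }

  // Callers pass extra predicates only; the account_id filter is always added here.
  find(where: Record<string, unknown> = {}): unknown[] {
    if ("account_id" in where) throw new ScopeViolation("account_id comes from the scope");
    const cols = Object.keys(where).map(ident);
    const clauses = ["account_id = ?", ...cols.map((c) => `${c} = ?`)];
    return this.db.run({
      sql: `SELECT * FROM ${this.table} WHERE ${clauses.join(" AND ")}`,
      params: [this.accountId, ...cols.map((c) => where[c])],
    });
  }

  // The scope check runs before any statement reaches the executor.
  insert(row: Record<string, unknown>): void {
    if (row["account_id"] !== this.accountId) throw new ScopeViolation("row is outside the scope");
    const cols = Object.keys(row).map(ident);
    const marks = cols.map(() => "?").join(", ");
    this.db.run({
      sql: `INSERT INTO ${this.table} (${cols.join(", ")}) VALUES (${marks})`,
      params: cols.map((c) => row[c]),
    });
  }
}

// Constructed stand-in for the database: records statements instead of executing them.
class RecordingDb implements Executor {
  sent: Stmt[] = [];
  run(stmt: Stmt): unknown[] { this.sent.push(stmt); return []; }
}
```

Because the account id is fixed at construction and a caller-supplied account_id predicate is rejected, a handler cannot widen or redirect a query to another account by passing extra filters.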

Vulnerability management

  • SAST (Biome + eslint-security) on every PR.
  • DAST (OWASP ZAP baseline) against preview deploys.
  • Dependency scanning via Dependabot; secret scanning via gitleaks pre-commit and CI.
  • Security incidents follow the runbook published in docs/runbook.md.

Reporting a vulnerability

Email security@carebridger.com. We acknowledge within one business day. We do not have a bug-bounty programme yet, but we are happy to credit responsible disclosure.