We take security seriously. Here's proof.
Your pet's records, documents, and personal information deserve the same protection as your financial data. Here's exactly how we protect everything you store with us.
Encryption
In transit
Every connection between your browser and Seiton Paw is encrypted using TLS 1.3 — the same standard used by banks and major financial institutions. Unencrypted connections are rejected automatically.
At rest
All stored data — account information, pet records, trip details — is encrypted using AES-256-GCM. Documents you upload are stored in encrypted buckets with per-user access keys held in a hardware security module. Even our own engineers cannot read your documents without an explicit support ticket from you.
Access controls
Two-factor authentication
Available on all paid plans. We strongly recommend enabling it. Go to Settings → Security to turn it on.
Internal access
Our team's access to user data is role-based, logged, and audited. No engineer can access your account or documents without an explicit, time-limited authorization tied to a support request. Access logs are reviewed monthly.
Session management
Sessions expire automatically after inactivity. You can view and revoke all active sessions from Settings → Security at any time.
Infrastructure
Seiton Paw runs on Supabase and Vercel — both SOC 2 certified infrastructure providers with independent security audits. Our databases are hosted in the United States and European Union, with data residency determined by your account region. We do not run our own physical servers.
Compliance
SOC 2 Type I
Completed. Our Type II audit is currently in progress and expected to complete in Q4 2026.
GDPR
Fully compliant for EU users. You can export or delete all your data at any time from Settings → Data & Privacy.
LGPD
Compliant for Brazilian users under Brazil's Lei Geral de Proteção de Dados.
Responsible disclosure
Found a security vulnerability? We want to know. Email security@seitonpaw.com with a description of the issue and steps to reproduce it. We respond within 24 hours, pay bounties for valid reports, and will never take legal action against good-faith researchers. Full scope and bounty ranges are in our security.txt file.
Incident response
In the event of a data breach that affects your account, we will notify you by email within 72 hours — faster than required by GDPR. We will tell you what happened, what data was affected, and what we're doing about it. No vague corporate statements.