Security Policy
Last updated: February 27, 2026
Version: 1.0
Summary
At MB Bubba, the security of your personal data and our platform integrity are fundamental priorities. We implement technical and organizational measures in accordance with GDPR Article 32 and industry best practices — including TLS encryption, role-based access control, PCI-DSS Level 1 payment processing via Adyen, and SOC 2 / ISO 27001 certified infrastructure providers.
1. Encryption
1.1 Data in Transit
All data transmitted between your device and our servers is encrypted using TLS 1.2 or higher (Transport Layer Security). This applies to:
- Website (bubba.pet) — served over HTTPS.
- Client and Console mobile apps — all API communication encrypted.
- Backend API calls — all internal service communication encrypted.
- Payment data — encrypted end-to-end between your device and Adyen's payment infrastructure.
1.2 Data at Rest
Data stored in our systems is encrypted at rest through our infrastructure providers:
- Database: Convex provides encryption at rest for all stored data using AES-256 or equivalent industry-standard encryption.
- File storage: Uploaded files (photos, documents) are stored with encryption at rest.
- Backups: Database backups maintained by Convex are encrypted.
1.3 Payment Data
We do not store raw credit card numbers, CVVs, or full payment credentials on our servers. All payment processing is handled by Adyen, which is PCI-DSS Level 1 certified — the highest level of payment security certification. Payment credentials are tokenized by Adyen before reaching our systems.
Your payment details never touch our servers. Adyen handles all sensitive payment data under PCI-DSS Level 1 — the highest certification level in the industry.
2. Authentication and Access Control
2.1 User Authentication
We support multiple secure authentication methods:
| Method | Security features |
|---|---|
| Email and password | Passwords must be at least 8 characters; passwords are hashed using industry-standard algorithms (bcrypt); never stored in plain text |
| Google Sign-In | OAuth 2.0 with PKCE; delegated authentication — we never see your Google password |
| Apple Sign-In | OAuth 2.0; supports email relay for enhanced privacy |
| Passkeys (WebAuthn/FIDO2) | Phishing-resistant, passwordless authentication using public-key cryptography |
| Session management | Secure, HTTP-only session tokens; automatic session expiry |
2.2 Business Access Control
The Console app implements role-based access control (RBAC) for business partners:
| Role | Access level |
|---|---|
| Owner | Full access to all business data, settings, staff management, and financial data |
| Manager | Manage calendar, clients, services, reports; view staff and settings |
| Member | View own calendar, view client information, view services |
Custom role permissions can be configured per business to provide fine-grained access control following the principle of least privilege.
2.3 Administrative Access
Platform administrator access is restricted to authorized personnel and protected by:
- Multi-factor authentication.
- An immutable audit trail of all administrative actions.
- Administrator accounts scoped according to the principle of least privilege.
3. Infrastructure Security
3.1 Hosting and Data Centers
| Provider | Role | Security certifications |
|---|---|---|
| Convex | Database, real-time engine, backend functions | SOC 2 Type II compliant infrastructure |
| Cloudflare | CDN, DDoS protection, DNS, WAF | ISO 27001, SOC 2 Type II, PCI-DSS |
| Adyen | Payment processing | PCI-DSS Level 1 |
3.2 Network Security
- DDoS protection: Cloudflare provides automatic DDoS mitigation at the network and application layers.
- Web Application Firewall (WAF): Cloudflare WAF protects against common web attacks (SQL injection, XSS, CSRF).
- Rate limiting: API endpoints implement rate limiting to prevent abuse and brute-force attacks.
- DNSSEC: DNS records are protected against spoofing and tampering.
3.3 Application Security
- Input validation: All user inputs are validated and sanitized on both client and server side.
- CORS policies: Cross-origin requests are restricted to authorized domains.
- Content Security Policy: CSP headers prevent XSS and injection attacks.
- Dependency monitoring: Third-party dependencies are regularly audited for known vulnerabilities.
4. Data Protection Measures
4.1 Data Minimization
We collect only the personal data necessary for the stated purpose. Optional features (analytics, marketing) require explicit consent before any data is processed.
4.2 Data Segregation
- Business partner data is isolated — providers can only access data related to their own clients and bookings.
- Pet health data access is restricted to authorized users with an active service relationship.
- Administrative functions operate within defined permission boundaries.
4.3 Audit Logging
All significant actions on the platform are recorded in an audit trail:
- Consent changes — grants, withdrawals, and re-consents are logged immutably in the consent audit log.
- Data subject requests — all data export and deletion requests are tracked with timestamps, status, and deadlines.
- Business actions — booking modifications, staff changes, and financial operations are logged per business.
- Administrative actions — all admin platform actions are logged for compliance monitoring.
4.4 Backup and Recovery
- Automated backups: Database backups are performed automatically by our infrastructure provider (Convex).
- Recovery procedures: We maintain and periodically test recovery procedures to ensure data availability and integrity.
- Redundancy: Our infrastructure providers operate across multiple availability zones to minimize downtime.
5. Incident Response
5.1 Incident Response Plan
Bubba maintains an incident response plan for handling security incidents and personal data breaches. The plan covers:
- Detection and identification — monitoring for security anomalies and potential breaches.
- Containment — immediate steps to limit the impact of an incident.
- Assessment — determining the scope, nature, and severity of the incident.
- Notification — fulfilling legal notification obligations (see Section 5.2).
- Remediation — resolving the root cause and implementing preventive measures.
- Post-incident review — documenting lessons learned and updating procedures.
5.2 Breach Notification
In the event of a confirmed personal data breach:
- Supervisory authority: We will notify the Valstybinė duomenų apsaugos inspekcija (VDAI) within 72 hours per GDPR Art. 33.
- Affected users: If the breach is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay per GDPR Art. 34, including:
  - The nature of the breach.
  - The likely consequences.
  - Measures taken or proposed to address the breach.
  - Recommendations for steps you can take to protect yourself.
6. Vulnerability Reporting
We welcome responsible disclosure of security vulnerabilities. If you discover a security issue, please report it to security@bubba.pet (see Contact below).
6.1 Responsible Disclosure Guidelines
6.1.1 Do
- Provide sufficient detail for us to reproduce and fix the vulnerability.
- Allow reasonable time for us to address the issue before any public disclosure.
6.1.2 Don't
- Access, modify, or delete data belonging to other users.
- Perform actions that could disrupt platform availability (denial of service, excessive load testing).
- Use social engineering techniques against our staff or users.
6.1.3 Our Commitment
We commit to:
- Acknowledging receipt of your report within 2 business days.
- Providing an initial assessment within 5 business days.
- Keeping you informed about our progress in addressing the vulnerability.
- Not pursuing legal action against researchers who follow these guidelines.
7. Security Certifications and Compliance
7.1 Current Status
Bubba does not currently hold independent security certifications (SOC 2, ISO 27001). Our security posture relies on:
- The certifications of our infrastructure providers (Convex, Cloudflare, Adyen).
- Implementation of GDPR Art. 32 technical and organizational measures.
- Regular security reviews and updates.
8. Employee and Contractor Access
- Access to production systems and personal data is limited to authorized personnel on a need-to-know basis.
- All team members with data access are bound by confidentiality obligations.
- Access rights are reviewed periodically and revoked promptly when no longer needed.
- Production database access requires multi-factor authentication.
9. Third-Party Security
All sub-processors and third-party service providers are evaluated for their security practices before engagement. Requirements include:
- Appropriate technical and organizational security measures.
- Data Processing Agreements (DPAs) compliant with GDPR Art. 28.
- Incident notification obligations.
- Regular review of sub-processor security posture.
For a complete list of sub-processors and their security details, see our Data Processing Agreement.
10. Contact
For security-related inquiries or to report a vulnerability:
| Channel | Contact |
|---|---|
| Security | security@bubba.pet |
| Privacy | privacy@bubba.pet |
| Post | MB Bubba, Žirmūnų g. 57-50, LT-09110 Vilnius, Lithuania |
11. Related Documents
- Privacy Policy — How we collect, use, and protect personal data.
- Data Processing Agreement — Sub-processor relationships and processing details.
- Your Data Rights (GDPR) — How to exercise your data protection rights.
- Cookie Policy — Cookies and tracking technologies.
This policy represents our current security practices and is reviewed periodically. We do not disclose specific technical implementation details that could compromise the security of our platform or users.