Security Policy

How we protect your vault — and how to tell us when something looks off.

Last updated: May 6, 2026

Aevio Health holds your meals, training, supplements, biometric history, and uploaded medical documents. That data deserves a security posture that takes itself seriously. This page describes what we do, what we ask of you, and how to report issues.

Our security practices

Aevio Health is built on a small, auditable surface. We rely on battle-tested managed infrastructure and enforce defense-in-depth at every layer.

  • TLS 1.3 for all connections, HSTS preloaded
  • AES-256-GCM at-rest encryption for OAuth refresh tokens
  • Magic-link signin — we never store passwords
  • Row-level access controls on every user-scoped table
  • Strict access boundaries enforced at signin, OAuth flows, and MCP JWT verification
  • JWT verification via JWKS for MCP requests
  • Rate limiting per user and per IP on all public endpoints
  • Refresh-token rotation on every use, with replay detection

Data protection

Sensitive data is encrypted in transit and at rest. Database access is restricted to the application service role; ad-hoc queries route through audited admin tools.

  • All inbound and outbound traffic encrypted with TLS 1.3
  • Sensitive secrets stored in our hosting platform's encrypted env store
  • OAuth tokens encrypted before reaching the database
  • Sessions secured with HTTP-only, SameSite=Lax cookies
  • Third-party integrations gated through OAuth with explicit consent
  • Daily cleanup of expired auth artifacts (state codes, sessions)

About OAuth tokens for the wearables you connect:

Refresh tokens are encrypted with AES-256-GCM using a master key held in our hosting platform's encrypted env store. The decryption key never touches the database. Tokens rotate on every use; if a refresh token is presented twice, the entire integration is revoked and you are notified.
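The rotation and replay rule above, as an added illustration (not Aevio Health's own code): an in-memory stand-in for the integrations table that stores only token digests, issues a fresh token on every use, and revokes the whole integration and queues a user notification the moment a retired token is presented again. Names, the provider string and the notification text are assumptions.

```python
import hashlib
import secrets
from dataclasses import dataclass, field


@dataclass
class Integration:
    """One wearable connection: only the newest refresh token is valid."""
    user_id: str
    provider: str
    active_hash: str                                   # sha256 of the valid token
    retired_hashes: set = field(default_factory=set)   # digests of tokens already used
    revoked: bool = False


class RefreshTokenStore:
    """Constructed stand-in for the user-scoped integrations table."""

    def __init__(self):
        self._by_hash = {}       # token digest -> Integration (active and retired)
        self.notifications = []  # (user_id, message) pairs a mailer would send

    @staticmethod
    def _digest(token: str) -> str:
        # Persist only a digest so a database read never yields a usable token.
        return hashlib.sha256(token.encode()).hexdigest()

    def _issue(self, integ: Integration) -> str:
        token = secrets.token_urlsafe(32)
        integ.active_hash = self._digest(token)
        self._by_hash[integ.active_hash] = integ
        return token

    def connect(self, user_id: str, provider: str) -> str:
        """Create an integration and hand back its first refresh token."""
        return self._issue(Integration(user_id, provider, active_hash=""))

    def rotate(self, presented: str):
        """Exchange a refresh token for a new one; None means rejected."""
        digest = self._digest(presented)
        integ = self._by_hash.get(digest)
        if integ is None or integ.revoked:
            return None
        if digest in integ.retired_hashes:
            # Replay: the same token presented twice, so the whole integration goes.
            integ.revoked = True
            self.notifications.append(
                (integ.user_id, f"{integ.provider} integration revoked: token reuse"))
            return None
        integ.retired_hashes.add(integ.active_hash)  # retire the token just used
        return self._issue(integ)

    def is_revoked(self, token: str) -> bool:
        integ = self._by_hash.get(self._digest(token))
        return integ is not None and integ.revoked
```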

Authentication and access

Authentication is enforced at every boundary: signin, OAuth login, OAuth callback, and MCP JWT verification. Requests that do not match the expected scope or audience are rejected before reaching any user data. Per-tenant Row Level Security policies isolate data at the database layer.

Reporting vulnerabilities

We welcome reports from the security community. We do not currently run a paid bug bounty, but we will publicly credit researchers (with consent) for valid findings.

How to report:

  • Email security@aevio.health (PGP optional, on request)
  • Include a clear description, impact, and reproduction steps
  • Provide proof-of-concept code or HTTP traces if relevant
  • Allow us reasonable time to investigate and remediate
  • Do not exfiltrate user data or pivot beyond what's needed for the proof
  • Do not publicly disclose until we've shipped a fix

Our machine-readable contact is published at /.well-known/security.txt.

Your responsibilities

Security is a shared concern. The platform handles the engineering side; you handle the human side.

  • Use a unique email address protected by 2FA
  • Treat magic links as sensitive — do not forward them
  • Revoke OAuth integrations you no longer use
  • Log out from shared or temporarily trusted devices
  • Report suspicious activity at the first sign

Security updates and incident notification

We continuously monitor and improve our security posture. When we identify issues, we ship fixes quickly and coordinate disclosure with the reporter. For incidents that may affect your account or data, we will notify you by email without undue delay and no later than 72 hours after becoming aware, in line with GDPR Article 33.

Contact us

For security reports, write to security@aevio.health. For privacy questions, see our Privacy Policy.