Healthcare-Grade Security

Your health data is safe with us.

We built Cureva with security as the foundation — not an afterthought. Here is exactly how we protect your information.

Security layers: 6
Encryption standard: AES-256
Data sold to third parties: 0
Canadian compliance: PIPEDA
Protection Architecture

Six layers of security

From the moment you open the app to the moment your data rests in our database — every step is protected.

📱

Secure Device Storage

Your login token is stored in your device's encrypted secure enclave — the same place banking apps store credentials. Never in plain storage.

🔑

Biometric Lock

Face ID or fingerprint required after 30 seconds in the background. Your data stays locked even if someone picks up your phone.

🔒

End-to-End HTTPS

All communication between your app and our servers uses TLS encryption. No plain-text data ever crosses the network.

🗄️

Encrypted Database

All data is encrypted at rest using AES-256. Your health records are isolated by account at the database level, so the database architecture itself prevents other users from reaching your data.

⚙️

Hardened API

Our backend validates every request, limits login attempts, and enforces strict rate limits — blocking automated attacks before they can start.
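The login limit described above (5 attempts per 15 minutes per IP, then lockout, as listed in the Technical Standards table) can be implemented as a per-IP sliding window. The block below is an added example, not Cureva's own code: it uses only Node's standard library, takes an injectable clock so the window behaviour can be checked deterministically, and uses a constructed TEST-NET address as the sample client IP.

```javascript
// Added example (not Cureva's code): per-IP sliding-window login limiter
// implementing "5 attempts per 15 minutes per IP, auto-lockout after threshold".
// The clock is injectable so the behaviour can be tested without waiting.

const WINDOW_MS = 15 * 60 * 1000; // 15 minutes
const MAX_ATTEMPTS = 5;

class LoginRateLimiter {
  constructor({ windowMs = WINDOW_MS, maxAttempts = MAX_ATTEMPTS, now = Date.now } = {}) {
    this.windowMs = windowMs;
    this.maxAttempts = maxAttempts;
    this.now = now;
    this.attempts = new Map(); // ip -> ascending array of attempt timestamps (ms)
  }

  // Drop timestamps that have left the window and return the ones still counted.
  _prune(ip) {
    const cutoff = this.now() - this.windowMs;
    const live = (this.attempts.get(ip) || []).filter((t) => t > cutoff);
    if (live.length) this.attempts.set(ip, live);
    else this.attempts.delete(ip);
    return live;
  }

  // Call before handling a login. Returns { allowed, retryAfterMs }.
  check(ip) {
    const live = this._prune(ip);
    if (live.length >= this.maxAttempts) {
      // Locked out until the oldest attempt in the window expires.
      const retryAfterMs = live[0] + this.windowMs - this.now();
      return { allowed: false, retryAfterMs };
    }
    return { allowed: true, retryAfterMs: 0 };
  }

  // Record every login request that was actually processed (success or failure),
  // so a correct guess late in a sequence does not reset the counter.
  record(ip) {
    const live = this._prune(ip);
    live.push(this.now());
    this.attempts.set(ip, live);
  }
}

// Walk-through with a fake clock: six attempts one second apart, then the window passes.
// Returns the allowed/blocked decision for each check.
function demo() {
  const ip = '203.0.113.7'; // constructed TEST-NET-3 address
  let t = 1000000;
  const limiter = new LoginRateLimiter({ now: () => t });
  const results = [];
  for (let i = 0; i < 6; i++) {
    const r = limiter.check(ip);
    results.push(r.allowed);
    if (r.allowed) limiter.record(ip);
    t += 1000;
  }
  t += WINDOW_MS; // fast-forward past the 15-minute window
  results.push(limiter.check(ip).allowed);
  return results; // [true, true, true, true, true, false, true]
}
```

Blocked requests are not recorded, so the lockout ends exactly when the oldest counted attempt ages out of the window; recording them instead would extend the lockout for as long as the client keeps retrying, which is a legitimate alternative policy. The `retryAfterMs` value is what a `Retry-After` response header would carry.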

👁️

Continuous Monitoring

Real-time error tracking detects anomalies instantly. No internal system details are ever exposed to the outside world.

Our Commitments

What we guarantee you

Clear commitments you can hold us to.

Your password is hashed before storage — we cannot see it, ever
We never sell, rent, or share your health data with advertisers
Your data is stored in Canada — SOC 2 Type II certified infrastructure
You can export or delete all your data at any time from the app
Eva processes your queries on secure servers — no context leaks
No third-party ad trackers or analytics embedded in the app
All code is reviewed for vulnerabilities before every release
We comply with PIPEDA — Canada's federal privacy law for health data
Technical Standards

For the technically curious

Exact standards we implement — no marketing fluff.

| Control | Implementation | Status |
|---|---|---|
| Password hashing | bcrypt, cost factor 12 — industry standard for healthcare | LIVE |
| Encryption at rest | AES-256 — Supabase managed, SOC 2 Type II | LIVE |
| Transport encryption | TLS 1.3 — enforced at infrastructure level, no downgrade | LIVE |
| Auth tokens | JWT signed with 64-char secret, 7-day expiry, stored in OS secure enclave | LIVE |
| Login rate limiting | 5 attempts per 15 minutes per IP — auto-lockout after threshold | LIVE |
| Database isolation | Every query scoped to your user ID — cross-account access is architecturally impossible | LIVE |
| HTTP security headers | CSP, HSTS 1-year preload, X-Frame-Options DENY, X-Content-Type-Options nosniff | LIVE |
| Input validation | All API inputs validated with strict schemas — malformed requests rejected before processing | LIVE |
| Error handling | Internal errors logged server-side only — no stack traces returned to clients | LIVE |
| Regulatory compliance | PIPEDA — data minimization, consent, access rights, breach notification | LIVE |

Questions about your data?

Our team responds to all privacy and security inquiries within 48 hours.

Contact Privacy Team
Eva supports, tracks, and informs — she doesn't diagnose or prescribe. Your doctor makes the decisions. Eva makes sure you never miss the ones that matter.