Security & Updates
Last updated: April 26, 2026 · Version 1.0
Software Update Commitment
Stovyn devices receive over-the-air firmware updates over Wi-Fi. We commit to delivering security updates for each Stovyn hardware revision for a minimum support window measured from the device's first ship date:
- Critical security patches: minimum 5 years from first ship date.
- Feature updates and non-security improvements: minimum 3 years from first ship date, on a best-effort basis.
- End-of-Life (EOL) notice: we will publish at least 12 months' advance notice on this page before ending security updates for any hardware revision.
This commitment is subject to events outside our reasonable control (component obsolescence, regulatory mandate, force majeure). The mobile apps and dashboard are continuously maintained, with no fixed support window.
Responsible Vulnerability Disclosure
We welcome security vulnerability reports from researchers. Found an issue in a Stovyn device, the firmware, our apps, website, or cloud services? Report it confidentially:
Contact: security@stovyn.com
PGP key: available on request
Acknowledgement window: we aim to acknowledge reports within 3 business days and provide an initial triage within 10 business days.
Safe harbor
If you make a good-faith effort to follow this policy, we will:
- not pursue or support legal action against you under the Computer Fraud and Abuse Act, the DMCA, or analogous laws in your jurisdiction;
- work with you to understand and resolve the issue promptly;
- credit you publicly in our security acknowledgements (with your permission).
Out of scope: social engineering against employees, denial-of-service against production systems, physical attacks, and bugs in third-party services we rely on (report those to the third party). Also out of scope: disclosure before we have a reasonable chance to fix it (we ask for at least 90 days, unless it's being actively exploited).
How we protect your data
- Transport encryption: all device-to-cloud and app-to-cloud traffic uses TLS 1.2+ in transit.
- Device authentication: Stovyn firmware authenticates to our cloud with a per-device secret (SHA-256 hashed at rest); customer JWTs are never trusted for device writes.
- Data minimization: the Pro camera is event-triggered. Snapshots go to our cloud AI provider for risk analysis and are not retained by us; we store only the detection result, capture counts, and metadata. Thermal sensing never sends images.
- Database isolation: our cloud database enforces row-level security so each customer can only read their own device records.
- Code-signed firmware: over-the-air updates are signed and validated by the device before flashing to prevent rogue firmware.
Data breach response
If we determine that personal information has been improperly accessed, we will notify affected customers and applicable regulators within the timeframes required by law in your jurisdiction:
- United States: per state breach-notification laws (most states require notice "without unreasonable delay").
- Canada: per PIPEDA and Quebec Law 25 (notice to customers and regulators "as soon as feasible").
- Mexico: per LFPDPPP (notice to data subjects without delay if there is significant harm).
- India: per the Digital Personal Data Protection Act, 2023 (notice to the Data Protection Board and affected individuals).
End-of-Life (EOL) notices
No Stovyn hardware revision is currently end-of-life. When issued, EOL notices appear here at least 12 months in advance, naming the hardware revision and last security-update date. After EOL, the device keeps working but gets no new security patches. We keep cloud services running for paired EOL devices for at least 12 more months, unless safety or legal obligations require an earlier shutdown.
