Security & Updates

Stovyn devices receive over-the-air firmware updates over Wi-Fi. We commit to delivering security updates for each Stovyn hardware revision for a minimum support window measured from the device's first ship date:

This commitment is subject to events outside our reasonable control (component obsolescence, regulatory mandate, force majeure). The mobile applications and website dashboard are continuously maintained and not subject to a fixed support window.

We welcome reports of security vulnerabilities from the security research community. If you believe you have found a security issue in a Stovyn device, the firmware, the mobile applications, the website, or our cloud services, please report it confidentially:

Safe harbor

If you make a good-faith effort to follow this policy, we will:

• --not pursue or support legal action against you under the Computer Fraud and Abuse Act, the DMCA, or analogous laws in your jurisdiction;
• --work with you to understand and resolve the issue promptly;
• --credit you publicly in our security acknowledgements (with your permission).

Out of scope: social engineering attacks against employees, denial-of-service against production systems, physical attacks, vulnerabilities in third-party services we depend on (please report those to the third party), and disclosure of issues without giving us a reasonable opportunity to remediate (we ask for at least 90 days unless the issue is being actively exploited).

• ·Transport encryption: all device-to-cloud and app-to-cloud traffic uses TLS 1.2+ in transit.
• ·Device authentication: Stovyn firmware authenticates to our cloud with a per-device secret (SHA-256 hashed at rest); customer JWTs are never trusted for device writes.
• ·Data minimization: camera frames on the Pro model are processed locally on-device. Image bytes are not transmitted to our cloud. Only status, capture counts, and snapshot metadata are sent during cloud heartbeats.
• ·Database isolation: our cloud database enforces row-level security so each customer can only read their own device records.
• ·Code-signed firmware: over-the-air updates are signed and validated by the device before flashing to prevent rogue firmware.

If we determine that personal information has been improperly accessed, we will notify affected customers and applicable regulators within the timeframes required by law in your jurisdiction:

• --United States: per state breach-notification laws (most states require notice "without unreasonable delay").
• --Canada: per PIPEDA and Quebec Law 25 (notice to customers and regulators "as soon as feasible").
• --Mexico: per LFPDPPP (notice to data subjects without delay if there is significant harm).
• --India: per the Digital Personal Data Protection Act, 2023 (notice to the Data Protection Board and affected individuals).

No Stovyn hardware revision is currently end-of-life. EOL notices, when issued, will be posted here at least 12 months in advance, identifying the hardware revision and the last security-update date. After EOL, the device will continue to operate but will no longer receive new security patches; we will continue to operate the cloud services for paired EOL devices for at least 12 additional months unless safety or legal obligations require an earlier shutdown.