
The architecture, not just the policy.

VitaLog stores special-category health data under GDPR Art. 9, the strictest tier. The pages below describe the encryption stack, sub-processors, and compliance posture that make that storage defensible. If anything below is unclear, vague, or missing, write to privacy@vitalog.io and we'll fix it.

Encryption

What's encrypted, and how.

AT REST

AES-256-GCM (server) + PBKDF2-wrapped keys (client)

All structured data lives in encrypted Postgres on Neon (TLS in flight, AES-256 at rest). Progress photos use client-side AES-256-GCM with PBKDF2-derived keys (100,000 iterations, per-user salt); the server never sees the plaintext, so we cannot decrypt them even under legal subpoena. Read the architecture →

IN FLIGHT

TLS 1.3, HSTS preloaded

Every request to vitalog.io is TLS 1.3 (Cloudflare-fronted), HSTS-preloaded, and CSP-locked to first-party origins. No third-party JS, no third-party fonts past the initial fonts.googleapis.com stylesheet, no analytics SDKs.
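The header side of the transport posture described above, as an added example that is not VitaLog's own code: a CSP that allows scripts only from the first-party origin (the fonts.googleapis.com stylesheet being the single third-party entry the page names) and an HSTS header that meets the published preload requirements, together with parsers a defender can run against a live response to confirm both. The exact header values and the assumption that the Google Fonts stylesheet pulls font files from fonts.gstatic.com are ours, not the page's.

```javascript
// Added example, not VitaLog's code. TLS itself is terminated at the edge, so
// only the application-controlled headers are shown. Header values are
// assumptions; the preload criteria are the published hstspreload.org rules.

const ONE_YEAR_SECONDS = 31536000; // minimum HSTS max-age accepted for preload

// CSP locked to first-party origins. The one third-party entry is the
// fonts.googleapis.com stylesheet the page mentions; that stylesheet references
// font files on fonts.gstatic.com, so font-src needs that origin too
// (deployment assumption, not something the page states).
function buildCsp() {
  const directives = [
    ["default-src", ["'self'"]],
    ["script-src", ["'self'"]],
    ["connect-src", ["'self'"]],
    ["img-src", ["'self'", "blob:", "data:"]], // decrypted photos rendered from blob: URLs
    ["style-src", ["'self'", "https://fonts.googleapis.com"]],
    ["font-src", ["'self'", "https://fonts.gstatic.com"]],
    ["frame-ancestors", ["'none'"]],
    ["object-src", ["'none'"]],
    ["base-uri", ["'self'"]],
  ];
  return directives.map(([name, sources]) => `${name} ${sources.join(" ")}`).join("; ");
}

function securityHeaders() {
  return {
    "Strict-Transport-Security": `max-age=${ONE_YEAR_SECONDS}; includeSubDomains; preload`,
    "Content-Security-Policy": buildCsp(),
  };
}

// Parse a CSP value into { directive: [sources] } for inspection.
function parseCsp(value) {
  const out = {};
  for (const part of value.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    out[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return out;
}

// True when scripts may load only from the first-party origin: script-src
// (or default-src, which is its fallback) is exactly 'self'.
function scriptsFirstPartyOnly(value) {
  const csp = parseCsp(value);
  const sources = csp["script-src"] ?? csp["default-src"];
  return Array.isArray(sources) && sources.length === 1 && sources[0] === "'self'";
}

// Parse a Strict-Transport-Security value (directive names are case-insensitive).
function parseHsts(value) {
  const result = { maxAge: null, includeSubDomains: false, preload: false };
  for (const raw of value.split(";")) {
    const token = raw.trim();
    if (!token) continue;
    const [name, val] = token.split("=").map((s) => s.trim());
    const lower = name.toLowerCase();
    if (lower === "max-age" && /^\d+$/.test(val ?? "")) result.maxAge = Number(val);
    else if (lower === "includesubdomains") result.includeSubDomains = true;
    else if (lower === "preload") result.preload = true;
  }
  return result;
}

// Returns the list of reasons a header would be rejected from the preload
// list; an empty list means the header is preload-eligible.
function hstsPreloadProblems(value) {
  const h = parseHsts(value);
  const problems = [];
  if (h.maxAge === null) problems.push("missing max-age");
  else if (h.maxAge < ONE_YEAR_SECONDS) problems.push(`max-age ${h.maxAge} is below ${ONE_YEAR_SECONDS}`);
  if (!h.includeSubDomains) problems.push("missing includeSubDomains");
  if (!h.preload) problems.push("missing preload");
  return problems;
}

// Stand-alone run: the hardened set passes, a weak header does not.
const headers = securityHeaders();
console.log(headers);
console.log("scripts first-party only:", scriptsFirstPartyOnly(headers["Content-Security-Policy"]));
console.log("preload problems (hardened):", hstsPreloadProblems(headers["Strict-Transport-Security"]));
console.log("preload problems (weak):", hstsPreloadProblems("max-age=300"));
```

The checks are written against header strings rather than a live fetch so they run offline; pointing them at the headers of a real response is a one-line change. Note that `includeSubDomains` is a commitment for every subdomain, which is why preload submission requires it.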

PASSWORDS

PBKDF2-SHA-256, 100k iterations, per-user salt

Industry-standard hashing. We never see your plaintext password. Sessions use httpOnly + SameSite=Strict cookies; CSRF tokens guard every state-changing endpoint.

BACKUPS

Daily encrypted snapshots, 30-day retention

Neon's point-in-time recovery snapshots. Encrypted at rest with separate keys; deleting your account purges your data from the snapshots within the retention window. Privacy Policy §5 →

Where data lives

EU data residency. EU sub-processors.

VitaLog is operated under Swedish jurisdiction. All personal data is processed in the EU, on infrastructure operated by EU or GDPR-adequacy-decision providers. The complete sub-processor list:

[Diagram: VitaLog data flow. Your browser (PWA, offline-first) connects via the Cloudflare edge (Workers, TLS 1.3) to Neon Postgres (EU, Frankfurt); encrypted photos are stored in the R2 object store; transactional email is sent via Resend to your inbox.]

Where every byte goes. No third party not on this diagram. Photos are end-to-end encrypted before they leave your browser.
SP-01 · INFRASTRUCTURE

Cloudflare (Workers, Pages, R2, Durable Objects)

Application runtime, static asset hosting, encrypted object storage for photos, real-time sync coordinator. EU data-region pinned where supported. Cloudflare GDPR ↗

SP-02 · DATABASE

Neon (Postgres-as-a-service)

Primary application database. EU region (eu-central-1, Frankfurt). Encrypted at rest, TLS in flight, daily backups. Neon security ↗

SP-03 · TRANSACTIONAL EMAIL

Resend

Password resets, account verification, security notifications. Email content + recipient address only, never bundled with health data. Resend DPA ↗

SP-04 · BLOODWORK OCR

Anthropic (Claude Vision)

Image-to-text extraction for lab-report PDFs and photos. Image bytes only, processed in-request and not retained. SCC + Zero-Data-Retention DPA in place. Manual entry is always available as an alternative. Anthropic DPA ↗

PARTNERS PROGRAM

DPA on request

Clinics, coaches, and research collaborators can sign a Data Processing Agreement with us under GDPR Art. 28. Contact privacy@vitalog.io for the standard template.

If we add or change a sub-processor, this list updates and active users are notified at least 30 days in advance via in-app banner. We do not currently use any US-only sub-processors that would require transfer-impact assessments.

Compliance & oversight

GDPR & ePrivacy posture.

LAWFUL BASIS

Art. 6(1)(b) + Art. 9(2)(a)

Service performance for general processing; explicit consent for special-category health data. Research-program participation requires separate, specific opt-in (Art. 9(2)(j) once IRB-approved studies are running).

DATA-SUBJECT RIGHTS

Art. 15, 16, 17, 18, 20, 21

Access, rectification, erasure, restriction, portability, and objection are all exercisable from inside the app (Settings → Privacy) or by emailing privacy@vitalog.io. Response within 30 days, free of charge for the first request per year.

DPIA

Data Protection Impact Assessment on file

Special-category data + automated correlation analytics meets Art. 35's high-risk threshold. The DPIA covers risk identification, mitigation, residual risk, and the consultation requirement under Art. 36 if needed. Public summary available on request.

SUPERVISORY AUTHORITY

Sweden, IMY (Integritetsskyddsmyndigheten)

VitaLog operates under Swedish data-protection oversight. Any complaint about how we handle your data can be lodged with IMY directly. imy.se ↗

Vulnerability disclosure

Found something? Tell us.

We run a coordinated disclosure program with safe-harbor terms for good-faith research. Scope, response SLA, and PGP key on the dedicated disclosure page, also reachable via .well-known/security.txt.
