Trust & Security
Last updated: May 13, 2026
Sue the Souschef is operated by Guavalin LLC. We take the security and privacy of customer data seriously. This page summarizes our security posture and explains how to request our complete policy pack under a Data Processing Addendum or mutual NDA.
Program overview
Sue's information security program is structured against the SOC 2 Trust Services Criteria (Security, Availability, Confidentiality). The program is governed by a documented Information Security Charter authorized by executive leadership, implemented by a subordinate Information Security Policy, an Incident Response Plan, a Business Continuity and Disaster Recovery Plan, and an AI Usage Policy. Each document is reviewed at least annually.
Framework alignment
- SOC 2 Trust Services Criteria — our internal policies are structured against the SOC 2 criteria for Security, Availability, and Confidentiality. Sue has not yet undergone a third-party SOC 2 audit; we will evaluate certification as we scale.
- Sub-processor compliance — the infrastructure and AI providers we rely on hold independently audited certifications, and their reports are available to enterprise customers under NDA. These reports attest to the provider's own controls, not to how we configure their services; our configuration is covered by the policy documents listed below.
- PCI DSS — out of scope. Sue does not process, store, or transmit payment card data. All payment flows are handled by Apple In-App Purchase and Google Play Billing.
Data protection
- All data in transit is encrypted with TLS 1.2 or higher.
- All customer data at rest is encrypted with AES-256 by our managed database provider. This is storage-level encryption: it protects the underlying media and does not replace the access controls described below.
- Customer data is segmented per user at the database layer using PostgreSQL row-level security policies. Because the database enforces the policy, a query issued under a user's session cannot read or modify another user's rows even if application code omits a filter.
- Account deletion, available from in-app settings, cascades through all user-owned data on request.
- See our Privacy Policy for full data handling detail and our AI Usage Policy for how AI features handle your data.
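The per-user isolation bullet above rests on PostgreSQL row-level security. The SQL below is an added example of how such isolation is typically configured and verified; it is not Sue's schema or code. It assumes a hypothetical table recipes keyed by owner_id, an application role app_user that the API connects through, and a per-request session setting app.current_user_id that the API sets from the authenticated user's identity (for example the JWT subject). The UUIDs are constructed values.

```sql
-- Added example (not Sue's schema): per-user row isolation with PostgreSQL row-level security.
-- Assumptions: table "recipes" keyed by owner_id, application role "app_user",
-- and a per-request setting "app.current_user_id" set by the API from the JWT subject.

CREATE ROLE app_user NOLOGIN;
-- The API's login role is granted membership so it can SET ROLE app_user per request:
-- GRANT app_user TO api_login;   -- api_login is a hypothetical name

CREATE TABLE recipes (
    id        bigserial PRIMARY KEY,
    owner_id  uuid NOT NULL,
    title     text NOT NULL
);
GRANT SELECT, INSERT, UPDATE, DELETE ON recipes TO app_user;

-- Weak setting (the default): RLS is off, so any missing WHERE clause in the
-- application leaks every user's rows.
-- ALTER TABLE recipes DISABLE ROW LEVEL SECURITY;

-- Corrected setting: enable RLS, and FORCE it so the table owner is subject to
-- the policies as well (without FORCE the owner bypasses them).
ALTER TABLE recipes ENABLE ROW LEVEL SECURITY;
ALTER TABLE recipes FORCE ROW LEVEL SECURITY;

-- One policy for reads and writes: a row is visible and writable only to its owner.
-- current_setting(name, true) returns NULL instead of raising when the setting is
-- absent, so a request that forgot to set the user id sees no rows rather than all rows.
CREATE POLICY recipes_owner_only ON recipes
    FOR ALL TO app_user
    USING      (owner_id = current_setting('app.current_user_id', true)::uuid)
    WITH CHECK (owner_id = current_setting('app.current_user_id', true)::uuid);

-- Per-request usage by the API. SET LOCAL scopes both the role and the user id to
-- this transaction, so a pooled connection cannot carry them into the next request.
BEGIN;
SET LOCAL ROLE app_user;
SET LOCAL app.current_user_id = '11111111-1111-1111-1111-111111111111';  -- constructed id
INSERT INTO recipes (owner_id, title)
    VALUES ('11111111-1111-1111-1111-111111111111', 'Tomato soup');
-- This INSERT is rejected by the WITH CHECK clause: a user cannot write rows owned by another user.
-- INSERT INTO recipes (owner_id, title)
--     VALUES ('22222222-2222-2222-2222-222222222222', 'Not mine');
SELECT id, title FROM recipes;   -- returns only the caller's own rows
COMMIT;

-- Review check: list every ordinary table that does not have RLS both enabled and forced.
-- Any table holding user data that appears here is a finding.
SELECT n.nspname, c.relname, c.relrowsecurity, c.relforcerowsecurity
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
WHERE c.relkind = 'r'
  AND n.nspname NOT IN ('pg_catalog', 'information_schema')
  AND (NOT c.relrowsecurity OR NOT c.relforcerowsecurity);

-- Caveat: superusers and roles with BYPASSRLS ignore policies entirely. Credentials for
-- such roles (a "service role") must therefore never reach a client; enumerate them here.
SELECT rolname FROM pg_roles WHERE rolbypassrls OR rolsuper;
```

The two queries at the end are the checks a reviewer would run against a database that claims database-enforced isolation: the first finds tables where a policy could be silently bypassed, the second enumerates the roles that bypass policies by design.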
Access control
- Authentication uses Apple Sign-In (OIDC). Sue never receives your Apple password.
- Sessions use short-lived access tokens (JWTs) together with refresh tokens that are rotated on each use, so a stolen access token expires quickly and a stolen refresh token is valid for a single exchange.
- Multi-factor authentication is required on every administrative console with production or personal-data access.
- Service-role credentials are held server-side only and never exposed to mobile clients.
Reporting a vulnerability
If you believe you've found a security vulnerability in Sue the Souschef, please email us at security@guavalin.com with enough detail to reproduce the issue. We acknowledge reports, respond to verified findings promptly, and keep the reporter's details confidential. We do not currently operate a paid bug-bounty program, but we acknowledge meaningful reports.
Requesting policy documents
The following documents are available to enterprise customers, partners, and prospective customers under a Data Processing Addendum or mutual NDA:
- Information Security Charter
- Information Security Policy
- Incident Response Plan
- Business Continuity and Disaster Recovery Plan
- Data Flow Diagram
- AI Usage Policy (with named sub-processor list)
- Complete sub-processor inventory
Request these documents by contacting security@guavalin.com.
Material changes
We notify enterprise customers in advance of material changes to our security posture, sub-processor list, or infrastructure, consistent with the terms of their Data Processing Addendum. Material changes to this Trust page are reflected with an updated “Last updated” date above.