Third-party Services
Ouva relies on established third-party providers for hosting, data, billing, and media features. Some integrations are feature-dependent.
Netlify
Section titled “Netlify”Netlify hosts the frontend application and serves static assets through its global CDN.
- Encryption in transit: HTTPS (TLS 1.2+) for all CDN and asset delivery.
- Encryption at rest: Netlify encrypts data at rest using platform-managed encryption.
- Security: netlify.com/security
Supabase
Section titled “Supabase”Supabase provides authentication, PostgreSQL database APIs, realtime channels, and storage.
- Encryption in transit: TLS 1.2+ on all endpoints (HTTPS and WSS).
- Encryption at rest: AES-256 for all customer data, including database, storage, and backups. Sensitive information such as access tokens and keys are additionally encrypted at the application level.
- Compliance: SOC 2 Type 2 compliant. HIPAA compliant with a signed Business Associate Agreement (BAA).
- Backups: Daily backups with Point-in-Time Recovery available.
- Provider security program: Regular penetration testing, DDoS protection via Cloudflare, brute-force prevention with fail2ban, and other provider-managed platform controls.
- Security: supabase.com/security
Ouva supplements provider controls with application-level dependency scanning, static analysis, secret scanning, and risk-based remediation workflows. See Vulnerability Management Policy.
Stripe
Section titled “Stripe”Stripe powers subscriptions, checkout, and payment method management. Ouva does not store personal credit card information.
- Encryption in transit: TLS 1.2+ on all endpoints.
- Encryption at rest: Stripe encrypts all data at rest using AES-256.
- Compliance: PCI DSS Level 1 certified (highest level in the payments industry).
- Security: stripe.com/security
ElevenLabs (if enabled)
Section titled “ElevenLabs (if enabled)”ElevenLabs is used for text-to-speech generation in companion messaging workflows. Browser clients never contact ElevenLabs directly; all requests are routed through Ouva’s server-side edge functions.
- Encryption in transit: HTTPS (TLS 1.2+), server-side only.
- Security: elevenlabs.io/security
Google-hosted MediaPipe assets (camera scenes only)
Section titled “Google-hosted MediaPipe assets (camera scenes only)”Some camera-based scenes load MediaPipe model assets from Google-hosted endpoints at runtime. Assets are downloaded to the browser and processed on-device; no camera data is sent to these endpoints.
- Encryption in transit: HTTPS (TLS 1.2+) from
storage.googleapis.comandcdn.jsdelivr.net. - Documentation: ai.google.dev/edge/mediapipe
Optional Support Tools for Kiosk Deployments
Section titled “Optional Support Tools for Kiosk Deployments”Depending on facility policy, remote support tooling may be used for kiosk troubleshooting. Approved tools are deployment-specific and documented during onboarding.