Shield is built for families. Security is not a feature — it is the foundation. This page is a plain-language summary of the controls we operate. Technical details are available to auditors under NDA at security@shield.makewish.ai.
1. Tenant isolation
Shield is a multi-tenant platform. Every row in every database table carries a tenant_idand is protected by PostgreSQL Row-Level Security (RLS). Tenant context is set at the start of every authenticated request and is enforced at both the application layer and the database layer — belt and suspenders.
2. Passwords and sessions
Passwords are hashed with Argon2idusing memory cost 64 MiB, time cost 3, parallelism 4 — parameters tuned to match OWASP 2024 guidance. Sessions are issued as HTTP-only, Secure, SameSite=Lax cookies. Access tokens are never written to localStorage.
3. Transport and at-rest encryption
All traffic uses TLS 1.3 with HSTS, age 2 years, includeSubDomains preloaded. PostgreSQL volumes are encrypted at rest (AES-256). Backups are encrypted with customer-managed keys and stored in a separate region.
4. Edge protection
Shield sits behind Cloudflare WAF with managed OWASP rulesets, bot-score challenges, and DDoS L3/L4/L7 mitigation. Rate limits are applied per-IP and per-account on authentication, password reset, and AI chat endpoints.
5. Audit logging
Every privileged action (login, role change, data export, data deletion, Global Admin cross-tenant read) is written to an immutable audit log. Audit logs are retained for 24 hours in hot storage for real-time incident response and for 365 days in cold storage for compliance review.
6. AI safety
Before any prompt is sent to the Claude API, personal identifiers (child name, email, device ID) are tokenised to opaque labels (Child_A, Device_1). Responses are validated before display. The LLM never generates or executes SQL.
7. Vulnerability management
Code is scanned on every pull request by SonarQube (quality gate) and OWASP Dependency-Check. Images are scanned by Trivy in CI. Penetration testing is scheduled quarterly by an independent Indian CERT-In-empanelled firm.
8. Responsible disclosure
If you believe you have found a security issue in Shield, please report it privately to security@shield.makewish.ai. We aim to acknowledge within 48 hours and to fix confirmed high-severity issues within 14 days. We publicly credit researchers who follow responsible disclosure.
9. Contact
You may contact us about this page at: security@shield.makewish.ai.