Security is not a feature layer we added to Robopaw — it is the foundation it was built on. Every architectural decision, from on-device AI processing to encrypted local storage, was made with your family's privacy and safety as the first constraint.
Our Security Principles
🔒
On-Device First
All sensitive AI processing — camera, thermal, audio — runs entirely on the device. Raw sensor data never leaves your home network.
🛡️
Zero Cloud Storage
We do not store video, audio, floor maps, or biometric data on any external server. There is nothing to breach because there is nothing to store.
🔐
End-to-End Encryption
All communication between the Device and App uses TLS 1.3. On-device storage is encrypted with AES-256 and accessible only via your authenticated session.
🔍
Minimal Data Footprint
Our cloud systems hold only what is necessary: your account credentials, membership status, and opt-in diagnostic data. Nothing more.
Device Security
Secure Boot
Every Robopaw unit uses a verified boot chain. The firmware is cryptographically signed by Robopaw AI Systems, and the device will refuse to execute any unsigned or modified code at startup.
Local Storage Encryption
- All data stored on the device (SLAM maps, session logs, alert history) is encrypted with AES-256
- Encryption keys are derived from your account credentials and stored in the device's secure enclave
- A factory reset permanently destroys all encryption keys, making data unrecoverable
Physical Tamper Detection
- The device detects attempts to open the chassis and will automatically wipe the secure enclave
- Hardware debugging interfaces (JTAG/UART) are disabled in production firmware
Network Isolation
Robopaw operates on your local Wi-Fi network. The device does not require internet access for its core safety functions — monitoring, mapping, and alerting continue to operate during internet outages. Internet connectivity is used only for app communication, OTA updates, and optional diagnostic reporting.
Application Security
Authentication
- Accounts require a strong password (minimum 12 characters)
- Two-factor authentication (2FA) is available and strongly recommended
- All sessions use short-lived signed tokens; long-lived refresh tokens are rotated on every use
- After 5 failed login attempts, accounts are temporarily locked and the owner is notified by email
Data in Transit
- All API communication uses TLS 1.3 with modern cipher suites; TLS 1.0 and 1.1 are rejected
- Certificate pinning is enforced in the mobile app to prevent man-in-the-middle attacks
Data at Rest (Cloud)
- Account data stored in our cloud is encrypted at rest with AES-256
- Our infrastructure is hosted on SOC 2 Type II-compliant cloud providers
- Database access is restricted by role-based access control; no engineer has standing access to production data
Software Updates
Robopaw devices receive over-the-air (OTA) firmware and AI model updates automatically. Each update package is:
- Cryptographically signed with Robopaw's release key
- Verified on-device before installation
- Delivered over an encrypted channel
- Rolled back automatically if the update fails a post-install health check
Critical security patches are pushed as priority updates and applied during the next low-activity window without requiring manual intervention.
Third-Party Security
We conduct security due diligence on all third-party vendors who handle any data on our behalf. All vendors are bound by data processing agreements that restrict their use of data to the specific purpose for which it was shared. We conduct periodic reviews of vendor security posture.
We use the following categories of third-party services: payment processing, email delivery, cloud infrastructure, and crash reporting. None of these services receive sensor or biometric data.
Responsible Disclosure
Report a Vulnerability
We welcome security researchers and the broader community to help us keep Robopaw safe. If you discover a potential security vulnerability, please report it to us responsibly before public disclosure.
Contact: security@robopaw.ai
We will acknowledge your report within 48 hours, work with you to understand the issue, and provide a timeline for resolution. We ask for a 90-day window to address reported vulnerabilities before public disclosure. We do not take legal action against good-faith security researchers.
Scope
- Robopaw mobile application (iOS and Android)
- Robopaw device firmware and local API
- Robopaw web properties (robopaw.ai and subdomains)
- Account authentication and session management
Out of Scope
- Denial-of-service attacks against our infrastructure
- Social engineering of Robopaw employees
- Vulnerabilities in third-party services we use
Incident Response
In the event of a security incident that affects your data, we will:
- Notify affected users by email within 72 hours of discovery, as required by applicable law
- Describe the nature of the breach, what data was affected, and what steps we are taking
- Provide guidance on any protective action you should take
- Publish a post-incident report once the issue is fully resolved
Contact the Security Team
For security-related inquiries, vulnerability reports, or questions about our security practices:
For general privacy questions, see our Privacy Policy. For legal matters, see our Terms of Service.