Security at Bavua

Your screen content never touches our servers. Here's every detail of how we keep it that way.

Security Architecture

Zero-Knowledge Architecture

Screen content is encrypted on the host device and decrypted on the client. Bavua servers facilitate device discovery and billing only; they never process, store, or have access to your screen data.

End-to-End Encryption

All streaming data is encrypted with AES-256-GCM. Transport uses DTLS 1.3 over QUIC with perfect forward secrecy. Key exchange uses X25519 Diffie-Hellman with per-session ephemeral keys, so past sessions remain secure even if a long-term key is compromised later.

Peer-to-Peer by Default

On local networks, data flows directly between devices with no cloud involvement. Cross-network relay (Ultra tier) uses encrypted tunnels; the relay server handles encrypted bytes it cannot decrypt.

Minimal Data Collection

We collect only what's necessary: account info, device metadata (name, platform, online status), and session metrics (duration, latency averages). We never collect screen content, keystrokes, file contents, or browsing history.

Encryption Specifications

Component                 Specification
Stream Encryption         AES-256-GCM
Transport Protocol        QUIC (RFC 9000)
Transport Security        DTLS 1.3
Key Exchange              X25519 Diffie-Hellman
Forward Secrecy           Per-session ephemeral keys
Authentication Tokens     HMAC-SHA256 JWT
Password Storage          bcrypt (12 rounds)
Webhook Verification      HMAC-SHA512

Certifications & Compliance

SOC 2 Type II

Certified

Annual audit of security, availability, and confidentiality controls by an independent firm.

GDPR

Compliant

Full compliance with the EU General Data Protection Regulation. Data processing agreements available.

POPIA

Compliant

Compliance with South Africa's Protection of Personal Information Act.

CCPA

Compliant

California Consumer Privacy Act compliance with data access and deletion support.

Security Practices

  • All API endpoints require authentication via JWT with 1-hour expiry
  • Refresh tokens are stored server-side with per-device tracking
  • Rate limiting on all endpoints (global, per-user, per-action)
  • HMAC-SHA512 webhook signature verification for Paystack
  • IP allowlisting for payment webhook origins
  • Input validation and sanitization on all user inputs
  • CORS with explicit origin allowlist
  • Security headers: HSTS, X-Frame-Options, CSP, Referrer-Policy
  • bcrypt password hashing with 12 salt rounds
  • Automated stale session cleanup and subscription expiry enforcement
  • Structured audit logging for all business events
  • Graceful shutdown with active session termination
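The HMAC-SHA512 webhook verification listed above, shown as an added example that is not Bavua's own code. It assumes the verification model Paystack documents (a hex HMAC-SHA512 of the raw request body under the secret key, sent in an x-paystack-signature header); the secret and the event body are constructed for the example. It also shows the two failure modes a practitioner should check for: a non-constant-time comparison, and verifying re-serialised JSON instead of the exact bytes received.

```python
import hashlib
import hmac
import json
from typing import Optional

# Constructed sample secret; in production this is the Paystack secret key held server-side.
WEBHOOK_SECRET = b"sk_test_constructed_example_secret"


def compute_signature(secret: bytes, raw_body: bytes) -> str:
    """Hex HMAC-SHA512 over the exact bytes that arrived on the wire."""
    return hmac.new(secret, raw_body, hashlib.sha512).hexdigest()


def verify_webhook(secret: bytes, raw_body: bytes, header_signature: Optional[str]) -> bool:
    """Return True only if header_signature is a valid HMAC-SHA512 of raw_body.

    hmac.compare_digest keeps comparison time independent of how many leading
    characters match, which a plain `==` on strings does not guarantee.
    Comparing bytes (not str) avoids a TypeError on non-ASCII header content.
    """
    if not header_signature:
        return False
    expected = compute_signature(secret, raw_body).encode()
    return hmac.compare_digest(expected, header_signature.lower().encode())


def demo() -> dict:
    """Exercise the genuine, re-serialised, tampered and missing-header cases."""
    # Constructed event body, byte-for-byte as a sender would transmit it (compact JSON).
    raw_body = b'{"event":"charge.success","data":{"reference":"ref_constructed_001","amount":50000}}'
    sig = compute_signature(WEBHOOK_SECRET, raw_body)
    # Parsing and re-serialising changes the bytes (json.dumps inserts spaces by default),
    # so a genuine event fails verification: always verify the raw request body.
    reserialised = json.dumps(json.loads(raw_body)).encode()
    # Any change to the body invalidates the signature.
    tampered = raw_body.replace(b'"amount":50000', b'"amount":5')
    return {
        "genuine": verify_webhook(WEBHOOK_SECRET, raw_body, sig),
        "reserialised": verify_webhook(WEBHOOK_SECRET, reserialised, sig),
        "tampered": verify_webhook(WEBHOOK_SECRET, tampered, sig),
        "missing_header": verify_webhook(WEBHOOK_SECRET, raw_body, None),
    }
```

Signature verification does not replace the IP allowlisting also listed above; the two checks are independent and a request should pass both.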

Data Residency

South Africa (Primary)

Azure South Africa North

API, Database, CDN origin

Global CDN

Azure Static Web Apps

Web frontend, static assets

Enterprise customers can request custom data residency configurations. Contact security@bavua.co.za.

Responsible Disclosure

Found a security vulnerability? We take security seriously and appreciate your help keeping Bavua safe.

Please report security vulnerabilities to security@bavua.co.za. Include a description of the vulnerability, steps to reproduce, and potential impact.

We commit to acknowledging reports within 24 hours and providing a resolution timeline within 72 hours.