Trust & Safety

Security

Last updated June 27, 2026

Family history is sensitive. Here's what we do to protect it.

SSL on every connection

All traffic between your browser and Geneviva is encrypted with SSL/TLS. HTTPS is enforced — unencrypted connections are not accepted.

DDoS protection

Our hosting infrastructure includes network-level DDoS protection and CloudFlare integration for additional security and traffic filtering.

Authentication

Sign in with Google OAuth 2.0 or email and password. Passwords are hashed and never stored in plain text. Sessions use secure tokens.

Access control

Every request is authenticated and authorized server-side. You can only read or write data in trees you own or have been explicitly invited to.

Account isolation

Our hosting environment uses OS-level account isolation (CageFS/CloudLinux) so no other hosted application can access your data.

Malware scanning

Our infrastructure runs Imunify360, a proactive security suite that continuously scans for malware and blocks threats before they reach your data.

Private by default

Trees are not discoverable. There are no public profiles or search indexes. Access requires a direct invite from the tree owner.

Invite tokens

Invite links use cryptographically random tokens. Tokens are single-use and expire after acceptance. Revoked invites immediately lose access.

Backups

Our infrastructure runs daily offsite backups. If something goes wrong, your family tree data can be restored from the previous day's backup. We retain multiple backup generations.

Infrastructure

Geneviva is hosted on enterprise-grade hardware with NVMe storage and a 99.9% uptime SLA. Infrastructure is monitored continuously, 24/7/365. Our hosting provider operates data centers across multiple regions.

Employee access

Access to production data is restricted to a very small number of people and requires justification. We will never read your family tree content except to diagnose a technical issue you have explicitly asked us to investigate.

Third-party services

We use a minimal set of third-party services: Google (authentication) and our hosting provider (servers, storage, backups). We do not use advertising SDKs or analytics tools that have access to your family tree content.

Report a vulnerability

If you discover a security issue, please report it responsibly before disclosing publicly. We will respond within 48 hours and work with you to resolve it promptly.

Email: hello@genevia.app

We do not currently offer a bug bounty program, but we are grateful for responsible disclosures and will acknowledge your contribution.