Beside Care Security Policy and Vulnerability Disclosure Policy

Effective date: January 1, 2026

Last updated: January 1, 2026

This Security Policy and Vulnerability Disclosure Policy applies to Beside Care (the “Service”) operated by North Star Digital Labs, LLC (“Company,” “we,” “us,” “our”).

© 2026 North Star Digital Labs, LLC. All rights reserved. Beside Care is a brand of North Star Digital Labs, LLC.

1. Purpose

We take security seriously. This document explains our security approach and how to report vulnerabilities responsibly. This policy is informational and does not create any warranty or guarantee.

2. Security overview

A) Security principles

We design and operate the Service with a focus on:

  • Least privilege: access is limited to what is needed
  • Defense in depth: multiple layers of controls
  • Data minimization: we keep and process only what is needed to provide the Service
  • Auditability: logging and monitoring support troubleshooting and incident response

B) Media handling

  • No raw video footage retention (normal operation): The Service is designed not to store or retain your raw video footage as part of normal operation. If a short clip is requested to generate a summary, it is processed and then discarded, subject to brief, transient technical handling required to transmit and process the data.
  • Summaries retained long-term by default: We store summaries and event history long-term by default so users can review history, trends, and context. Users may delete summaries and request account deletion, subject to limited legal, security, and backup retention.

C) Safeguards

We use reasonable administrative, technical, and organizational safeguards designed to protect information, which may include:

  • Encryption in transit (HTTPS/TLS)
  • Secure authentication and session protections
  • Secure handling of tokens, API keys, and secrets
  • Access controls and least-privilege administrative access
  • Logging and monitoring for security and reliability
  • Secure development practices (testing, dependency management, code review where appropriate)
  • Vendor selection and configuration practices designed to support confidentiality and integrity

No system is perfectly secure. We continuously improve and respond to emerging threats.

D) Third-party services and integrations

The Service may rely on third-party services (for example, connected providers, infrastructure, notifications, and AI processing). We work to integrate these services securely, but we cannot guarantee their availability or security posture. Third-party services are governed by their own terms and policies.

3. Reporting security issues

If you suspect unauthorized access, suspicious activity, or a security issue, contact: security@besidecare.com

Please include as much detail as possible, including relevant times, affected account email (if applicable), and any screenshots or logs.

4. Vulnerability Disclosure Policy

We welcome reports of security vulnerabilities and support good-faith, coordinated disclosure.

A) How to report a vulnerability

Email: security@besidecare.com

Subject: Security Vulnerability Report

Please include:

  • A description of the issue and potential impact
  • Steps to reproduce
  • Affected URLs, endpoints, or app screens
  • Proof of concept (if available and safe)
  • Your contact information for follow-up

B) Scope

This policy applies to:

  • besidecare.com and subdomains controlled by the Company
  • Beside Care mobile applications distributed by the Company
  • Beside Care backend services and APIs operated by the Company

Out of scope: Third-party services we do not control (including connected provider platforms themselves), unless the issue is caused by our integration code or configuration.

C) Rules of engagement (permitted research)

We authorize good-faith testing that:

  • Is limited to accounts and data you own or are explicitly authorized to test
  • Avoids service disruption and respects user privacy
  • Uses the minimum testing necessary to validate the issue

If you inadvertently access data that is not yours, stop immediately and report what happened without retaining or further accessing the data.

D) Prohibited activities

The following are not authorized:

  • Denial of service (DoS/DDoS), load testing, or actions that degrade availability
  • Social engineering, phishing, or physical security testing of employees, contractors, users, or facilities
  • Accessing, modifying, exfiltrating, or deleting data that is not your own
  • Testing that impacts other users without explicit permission
  • Malware deployment, credential stuffing, brute-force attacks, or automated scanning at a volume that impacts systems
  • Extortion, threats, or demands for payment

E) Coordinated disclosure expectations

We ask that you:

  • Give us a reasonable opportunity to investigate and remediate before public disclosure
  • Avoid publishing exploit code that could be used to harm users before a fix is available
  • Coordinate timing of disclosure with us when possible

F) Our commitments

When we receive a report, we will:

  • Acknowledge receipt within a reasonable timeframe
  • Investigate in good faith and ask clarifying questions if needed
  • Work to remediate confirmed vulnerabilities
  • Communicate status updates when appropriate

We do not guarantee specific remediation timelines.

G) Safe harbor

We will not pursue legal action against you for good-faith security research that:

  • Complies with this policy
  • Avoids harm to users and the Service
  • Does not involve unauthorized access to data, service disruption, or illegal activity

Safe harbor does not apply to prohibited activities, to actions that violate law, or to conduct that causes harm.

H) No bug bounty

Unless we explicitly announce a bug bounty program, we do not offer monetary rewards for reports.

5. Changes to this policy

We may update this document from time to time. Updates will be posted with a revised “Last updated” date.

6. Contact

North Star Digital Labs, LLC
P.O. Box 293
Sunbury, OH 43074