Where your data lives
- Database: Neon PostgreSQL on AWS, automatic backups, point-in-time recovery.
- Media storage: Cloudflare R2, tenant-scoped object paths (one daycare can't enumerate another's files).
- App + API: Fly.io, US-region by default.
How we protect your data
Built to keep kids’ data safe.
An honest summary of how we handle the information you put in. Everything listed is in production today — not on a roadmap.
Authentication
- Email + password with Argon2id hashing.
- Email verification required before first sign-in (no accounts on typo'd addresses).
- Login rate-limited per IP; consecutive failures lock the account for 15 minutes.
- JWT access tokens (15 min) + refresh tokens (7 days). Refresh tokens are httpOnly cookies.
- Child access codes are rate-limited per IP and auto-rotated after 20 successful lookups.
Tenant isolation
- Every read query is scoped to the caller's daycare_id at the API layer.
- Parent reads are further filtered to children they have an approved link to.
- Cross-daycare access is hidden as 404 (existence-hidden), not 403, to avoid leaking which records exist.
Auditability
- Incident reports are locked after parent acknowledgement.
- Medication administrations are immutable. Corrections require admin delete + re-create.
- Platform admin impersonation writes a separate audit log row; tokens carry an impersonator claim.
- Webhook payloads are HMAC-verified against the provider's shared secret before any DB write.
What we don’t do (yet)
- SOC 2 attestation — planned for after the first 10 paying daycares.
- SAML SSO — available on the Scale plan on request, otherwise on the roadmap.
- At-rest encryption of fields beyond Neon’s default disk encryption.
Questions? Email support@shommyxedu.com. We answer in plain language.