Security
Effective July 14, 2026
Programs trust KidTally with sensitive information about children and families. Here's how we protect it — and an honest account of where we are.
- Encrypted in transit and at rest
- Role-based staff access
- Full, immutable audit log
- We never sell family data
- US-hosted infrastructure
Encryption
Data is encrypted in transit (TLS) and at rest. Sensitive credentials are never stored in plain text.
Access control
Staff access is role-based — owners and admins manage the roster and settings; staff can run check-in/out and roll calls. The parent status page is reachable only through an unguessable, per-child link and is never indexed by search engines.
Audit log
Every safety-relevant action — check-outs, custody overrides, pickup codes, roll calls — is written to an append-only audit log that records who did what and when. The audit trail is a core feature, not an afterthought.
Hosting & backups
KidTallyruns on US-hosted, reputable cloud infrastructure with managed backups. We isolate each program's data so one program can never see another's.
Honest compliance posture
We do not display certifications we don't hold. We're a new product and are building toward formal attestations over time; we align our practices with childcare recordkeeping needs and will say plainly when a certification is in progress or complete.
Reporting a vulnerability
Found a security issue? Please email security@kidtally.app and give us a chance to fix it before public disclosure. We appreciate responsible reports.