Security

Effective July 14, 2026

Programs trust KidTally with sensitive information about children and families. Here's how we protect it — and an honest account of where we are.

  • Encrypted in transit and at rest
  • Role-based staff access
  • Full, immutable audit log
  • We never sell family data
  • US-hosted infrastructure

Encryption

Data is encrypted in transit (TLS) and at rest. Sensitive credentials are never stored in plain text.

Access control

Staff access is role-based — owners and admins manage the roster and settings; staff can run check-in/out and roll calls. The parent status page is reachable only through an unguessable, per-child link and is never indexed by search engines.

Audit log

Every safety-relevant action — check-outs, custody overrides, pickup codes, roll calls — is written to an append-only audit log that records who did what and when. The audit trail is a core feature, not an afterthought.

Hosting & backups

KidTallyruns on US-hosted, reputable cloud infrastructure with managed backups. We isolate each program's data so one program can never see another's.

Honest compliance posture

We do not display certifications we don't hold. We're a new product and are building toward formal attestations over time; we align our practices with childcare recordkeeping needs and will say plainly when a certification is in progress or complete.

Reporting a vulnerability

Found a security issue? Please email security@kidtally.app and give us a chance to fix it before public disclosure. We appreciate responsible reports.