Security You Can Trust
Transparent security practices built for childcare providers who handle sensitive children's data every day.

Built for Children's Data
When it comes to children's information, there's no room for compromise. Every layer of KidzLog is designed with privacy and security as core principles.
Request Security DocumentationCanadian Hosted
All data stored exclusively on AWS in Canada (ca-central-1). Database, files, authentication — everything stays in Canada.
Encrypted Everywhere
AES-256 encryption at rest via AWS KMS. SSL/TLS for all data in transit. Presigned URLs for secure file access.
Immutable Audit Trail
65+ action types across 12 categories. Every change recorded with who, what, when, and from where. Cannot be modified or deleted.
No Card Data Stored
All payments processed by Stripe (PCI DSS Level 1). KidzLog never receives or stores credit card numbers.
Your Data Stays in Canada
Every piece of data in KidzLog is stored exclusively in AWS Canada (ca-central-1) region. This isn't partial — it's everything: your database, files, photos, authentication, and backups. Nothing leaves Canadian soil.
- Database (RDS PostgreSQL) — AWS ca-central-1
- File storage & photos (S3) — AWS ca-central-1
- Authentication (Cognito) — AWS ca-central-1
- PIPEDA-aligned privacy practices
- No cross-border data transfers
Why Canadian Hosting Matters
Many childcare providers in Canada are required — or strongly prefer — to keep personal information about children and families within Canadian borders. Provincial privacy laws like FIPPA (BC) and PHIPA (Ontario) can require data residency.
With KidzLog, you never have to ask "where is our data?" The answer is always Canada. This simplifies compliance conversations with licensing bodies and gives parents peace of mind.
4-Tier Role-Based Permissions
Every API request is evaluated against the user's role and the specific entity being accessed. Parents can only see their own children. Teachers manage their own classrooms. Admins handle operations. Owners have full control.
- Entity-level permissions — parents only see their own children
- Billing audit logs restricted to center owners only
- Teachers can only manage their own activities and announcements
- Parents can only message owners and teachers, not other parents
- Per-center feature module gating for optional functionality
- Subscription status enforced before accessing protected features
Owner
Full administrative accessAdmin
Management with restrictionsTeacher
Classroom operationsParent
Child-scoped access onlyHow We Protect Your Data
Multiple layers of encryption and access controls protect data at every stage.
At Rest
- AES-256 database encryption (AWS KMS)
- S3 server-side encryption for files
- Encrypted automated database backups
- UUID filenames prevent file enumeration
In Transit
- TLS encryption on all API traffic
- SSL with CA certificate verification for database connections
- HTTPS-only presigned URLs for file access
- CORS locked to kidzlog.com in production
In Logs
- 70+ PII field paths redacted at the framework level
- Names, emails, phones, medical data all masked
- Two-layer sanitization (Pino redact + application utility)
- Discord error alerts sanitized before transmission
Comprehensive Audit Logging
Every significant action is recorded in immutable audit logs that cannot be modified or deleted. This provides a complete trail of accountability for attendance, child records, medical data, and all administrative actions.
- 65+ distinct action types covering the full data lifecycle
- 3 severity levels: critical, warning, and info
- Captures old and new values for every change
- Records user identity, IP address, and user agent
- Role-based audit access — staff see only their own logs
12 Audit Categories
Compliance & Privacy
Designed for Canadian privacy law with protections inspired by COPPA for children's data.
PIPEDA
Aligned with Canada's federal privacy law for handling personal information.
- Consent through registration and privacy policy
- Purpose-limited data collection
- 72-hour breach notification to Privacy Commissioner
- 30-day data subject access request response
- Data Processing Agreement available for clients
COPPA-Inspired Protections
Extra safeguards for children's data beyond standard privacy requirements.
- PostHog autocapture disabled — manual events only
- All form inputs masked in session recordings
- Child photos and medical data blocked from recordings
- Route-based masking levels (max on parent/child pages)
- Do Not Track headers respected
Payment Security
Payment processing fully delegated to Stripe with cryptographic webhook verification.
- Stripe PCI DSS Level 1 certified
- No card data ever touches KidzLog servers
- Webhook signature verification on all payment events
- Test-mode events rejected in production
- Idempotent webhook processing prevents duplicates
Security Documentation Available on Request
We maintain detailed security documentation for procurement and compliance reviews. Available documents include our Security Overview, Data Processing Agreement, Incident Response Plan, Business Continuity Plan, and Subprocessor List.
Request DocumentationSecurity Questions & Answers
Here are some of the most frequently asked questions about KidzLog
How is my childcare center's data protected?
Where is my data stored?
Is KidzLog compliant with Canadian privacy laws?
What happens to my data if I cancel my subscription?
How do you handle data breaches?
Can I control who has access to what information?
Do you store credit card information?
Do you have security documentation available for procurement?
Experience the difference with KidzLog
No demos, no credit cards, no commitments. Just sign up and explore the difference KidzLog can make for your childcare center.