The honest answers, including the limits.
What Phosra is (the reference implementer of OCSS — not its owner), what's free, what we do and never do with child data, and exactly what conformance buys you. Where the honest answer is “it depends” or “not yet,” we say that instead of overpromising.
What Phosra actually is, what it enforces against, and where the honest limits are.
What is Phosra, exactly?
Phosra is the reference implementer of OCSS — the Open Child Safety Specification. OCSS is the open standard: a rule taxonomy plus a signed-envelope trust framework that lets one age-appropriateness decision travel across DNS, MDM, routers, and app controls and leave a receipt a regulator can replay.
Phosra builds a conformant router on that standard and runs one accredited network on it — it does not own, host, or control OCSS. The relationship is deliberately like Yubico to FIDO2: we build the thing, the standard lives somewhere we can't capture. The canonical spec, rule registry, and conformance suite are at openchildsafety.com, not here.
How is Phosra different from Bark or Qustodio?
Bark and Qustodio are mature parent-monitoring products focused on one family at a time — strong dashboards, alerts, millions of installs. Phosra sits a layer below that: a conformant router for one age-appropriate decision that carries across every surface, mapped to the OCSS rule taxonomy and tracked against real child-safety law.
They're complementary, not competitors. Many setups use a monitoring tool for alerts and Phosra for the policy layer underneath. Qoria (Qustodio's parent) and others are exactly the kind of parental-control vendor the standard is built for — they own the parent relationship; OCSS gives them a conformant way to enforce it everywhere.
What does Phosra actually enforce policies on?
The model is one signal, carried across surfaces: DNS, MDM, home routers, and app-level controls. Where a platform exposes an official parental-controls API, Phosra speaks it; where none exists, it falls back to network- or device-level enforcement. The point of a conformant router is that the same parental choice means the same thing on whichever surface can carry it.
We're honest about stages. Some integrations are live, others are mapped and on the public roadmap — and an SSL-inspecting school gateway, for example, is not an OCSS receiver. We say which surfaces are load-bearing today rather than implying full coverage everywhere.
What's a 'rule category'? What's a 'policy'?
A rule category is one atomic, typed unit of enforcement — parental_consent_gate, screen_time_report, commercial_data_ban, ai_chatbot_tier_gate, and the rest. The OCSS taxonomy has 115 of them: 67 anchored to a concrete statute or instrument, and 48 provisional, where the vocabulary is reserved but the rating lane is inactive until an instrument signs.
A policy is your specific configuration of those categories for a specific child — e.g. “Emma, age 8, bedtime 8:30pm, content rating PG, no DMs from non-friends.” Phosra translates one policy into whatever each platform's native controls actually accept, so you set it once instead of per app.
Can my child bypass Phosra?
Honestly: it depends on the surface, and we publish that rather than hide it. Where a platform exposes an official parental-controls API, enforcement is hard to bypass without the platform's own recovery flow. Where no API exists, network-level (DNS, router) or device-level (MDM) enforcement is what's holding the line — and a determined teen with a VPN can work around that.
So we don't claim tamper-proof. We surface per-integration bypass-resistance so you know which surfaces are load-bearing and which need a second layer. A standard whose limits are public is more useful than a vendor that overpromises.
Who pays, who doesn't, and how the business stays funded without selling family data.
Is Phosra really free for families — what's the catch?
No catch. The family plan is free, requires no credit card, and includes the parental controls a household actually needs. The business is funded on the other side of the standard: developers who build OCSS-conformant access control into their own products, and platforms, vendors, and institutions that license the compliance layer.
Families pay nothing and the model doesn't depend on monetizing them — there are no ads on any surface and child data is never the product.
How do you make money if it's free for families?
Two revenue lines, neither of which touches family data. Self-serve developers pay to build age-appropriate access control on the OCSS router — an age signal in, a signed decision out. Platforms, parental-control vendors, schools, and regulators license the continuous compliance layer: mapped statutes, conformance evidence, and replayable receipts.
The free family tier is the on-ramp; the B2B side funds the company. That's the whole model — no resale of minor data anywhere in it.
What we hold, how it's protected, and the things we structurally cannot do with it.
Do you sell my child's data? Do you use it for ads?
No. We do not sell, license, rent, or share child data with advertisers, data brokers, or any third party for marketing, and we run no ads on any surface. Child data is encrypted, scoped to your family account, and used only to enforce the rules you set.
The standard is built so the routing layer can't even see the payload it carries — the OCSS envelope is sealed end-to-end, encrypted to the recipient, and the intermediary reads only the headers it needs to move a signal. “We don't read it” is a structural property, not just a promise.
Is my data encrypted?
Yes. Sensitive fields (OAuth tokens, provider credentials) are encrypted at the application layer with AES-256-GCM on top of the database's standard at-rest disk encryption, and all traffic is TLS 1.3. Tenant data is scoped at the application layer — every query is user-keyed.
The full security posture — transport, at-rest, authentication, and the verifiable-not-promissory governance claims — lives in the Trust Center, built to be checked rather than believed.
Can I export my data or delete my account?
Yes, in one step. Export gives you a structured bundle of everything we hold about your family. Delete removes your rows within 48 hours, including from backups within 30 days. We honor GDPR (Art. 17 erasure), CCPA (§1798.105 deletion), and the US state equivalents — no dark-pattern retention.
The standard Phosra implements, what conformance means, and how the law registry stays current.
Is OCSS a ratified standard? Are you a standards body?
No on both counts, and we won't imply otherwise. OCSS is currently Draft 4 — an individual IETF Internet-Draft, pre-release, not yet ratified and not a standards-body publication. Phosra is its reference implementer and one network on it; we are not the steward, and we don't speak for the standard.
That separation is the asset, not a caveat. The anti-capture guarantees — a verifiable succession record, a federation that needs three or more independent routers to be healthy, and a conformance suite whose own code rates a Phosra-only world RED — are what make a signal worth trusting. A standard one vendor controls isn't one.
What is COPPA 2.0, and does Phosra cover it?
COPPA 2.0 is the proposed update to the 1998 Children's Online Privacy Protection Act — it raises the covered-age threshold, expands what counts as personal data, and adds algorithmic-harm provisions. It's tracked in the live law registry with its key provisions, status, and the jurisdictions it would bind.
Phosra decomposes its obligations into OCSS rule categories — verifiable parental consent, minimum-necessary collection, parent-initiated deletion — and ships a readiness checklist. To be exact about what that buys you: it's evidence you can show a regulator, not a determination of compliance and not a COPPA safe harbor.
Does OCSS conformance mean I'm compliant, or covered by a safe harbor?
No — and the standard says so in plain language, which we quote rather than soften. A conformance result is evidence that an implementation satisfied the tested requirements at the time of testing. It is not an approval, not a certification by the steward, not a determination of legal compliance, and it confers no safe harbor under any statute.
It's something a regulator can weigh, alongside everything else, when they evaluate you. Phosra is building toward OCSS Certified — a status earned from the standard and its conformance suite, never issued by us. We don't self-certify and we don't ship a “Phosra Certified” badge.
How many laws do you track, and how often do you update them?
The registry currently maps 91 child-safety statutes across US federal, US state, EU, UK, and international jurisdictions. Every Monday an automated scanner re-reads the tracked statutes and flags material changes, new introductions, and status updates; a human reviews changes before anything publishes.
Every number on the marketing surface is rendered from that same registry at build time, so the count you see can't drift from the laws the page actually lists.
Do you work with schools?
There's a named institutional lane — a district has its own authority, parallel to the parental model, with duties under FERPA and state codes. We're deliberately honest about which of those duties are specified in the open standard versus shipped today, and about the fact that an SSL-inspecting gateway is not an OCSS receiver.
If you're district IT or evaluating on behalf of a regulator, the K-12 lane lays out where things actually stand.
Who built this, why, and the first few steps to going live.
How do I get started?
For a family: sign up — no card required — add your child and set their age, and Phosra provisions an age-appropriate rule set, then you connect the apps and devices you actually use.
For a builder: pick the door that matches how you reach a kid. Parental-control vendors and self-serve developers are the two front doors that are live today; platforms, schools, and regulators each have their own lane behind them.
Who built this?
Jake and Susannah Klinvex — founders of previously-acquired software companies and parents of five. Phosra started because there was no single product that carried one rule for our own kids across Netflix, Roblox, Discord, TikTok, and the App Store at once.
Building it surfaced the more durable problem: every platform was reinventing age logic, and nobody could prove what they enforced. That's the gap an open standard with a conformance suite closes — and why Phosra implements OCSS rather than trying to own it.
If we owned the standard, you'd have to take our word.
OCSS is a pre-release standard — Draft 4, an individual IETF Internet-Draft, not yet ratified. Phosra is building toward OCSS Certified: earned from the standard, never issued by us. The anti-capture guarantees are the asset — verifiable succession, a federation that needs three or more independent routers to be healthy, and a conformance suite whose own code rates a Phosra-only world RED.
The canonical spec, rule registry, and conformance suite live at openchildsafety.com — not here. Phosra implements OCSS; it doesn't host it.
Ask a human — we actually reply.
Founders read every inbound. If your question didn't fit the answers above, we want it — it's probably the next entry on this page.