Security · Compliance · Data Handling
Trust Center
The security, compliance, and data-handling posture of a platform built for child safety. Everything we do, documented.
Security posture
The controls behind every policy decision.
Authentication
Stytch JWT
Production auth runs on Stytch with short-lived JWTs and a separate sandbox tenant for development. Admin actions are gated behind explicit role checks on every request.
Transport
TLS 1.3 + HSTS
HTTPS is enforced end-to-end with TLS 1.3. HSTS is applied at the Vercel edge. A conservative Content-Security-Policy shipped in next.config.js restricts script, frame, form, base, object, and worker sources.
At-rest encryption
AES-256-GCM
Supabase Postgres, with tenant scoping enforced at the application layer on every query. AES-256-GCM is applied at the application layer for sensitive fields (OAuth tokens, provider credentials) on top of Supabase's standard at-rest disk encryption.
Auditability
Every decision logged
Every policy enforcement decision is written to a durable event stream with the rule, input, output, and statute citation. Regulators can be handed an export in minutes.
Compliance posture
Alignment with the frameworks that govern minor data.
Phosra is architected around these statutes. Each framework links to its detail page in our compliance hub.
Data handling
Minimum necessary. Parent-controlled. Never sold.
What we collect
- Parent account identifiers (email, hashed)
- Child profile metadata (first name, age band, device binding)
- Policy state + enforcement events
- Audit logs for compliance reporting
What we never do
- Sell, rent, or broker minor data — ever
- Use child data for advertising or ad targeting
- Share data with third-party ad networks or data brokers
- Train external ML models on child data
Retention
Retention windows are parent-configurable. Default windows follow the most conservative applicable statute (COPPA / UK AADC), and audit logs are retained only as long as required for regulatory defensibility.
Deletion rights
One-click parent-initiated deletion removes the child profile, enforcement state, and derived telemetry. Portability exports are available on request in machine-readable JSON.
Incident response
Documented playbook. Honest timelines.
We use Sentry for application error tracking and Fly.io metrics for infrastructure telemetry. When an incident is confirmed, we follow a documented response playbook: contain, assess impact, notify, and remediate.
We send breach notification within 72 hours of confirmation, consistent with GDPR Article 33 and CCPA standards. Affected parents are contacted directly via the email of record.
Report an incident
If you believe you've identified a security issue or are affected by an incident, email us directly. We triage within one business day.
security@phosra.com
Subprocessors
The vendors in our data path.
US-primary data residency across all subprocessors. We update this list when the path changes.
| Vendor | Purpose | Region |
|---|---|---|
| Supabase | Postgres database + object storage | US |
| Fly.io | Go API compute (phosra-api) | US |
| Vercel | Edge CDN + Next.js hosting | Global edge, US origin |
| Stytch | Authentication (JWT) | US |
| Sentry | Error tracking + performance monitoring | US |
| Resend | Transactional email | US |
Responsible disclosure
We welcome responsible disclosure.
If you've identified a security issue, email security@phosra.com. We'll respond within two business days, keep you updated through remediation, and credit researchers in our disclosure log (with your permission).
Please do not access data that is not your own, perform testing on production parent or child accounts, or run automated scanners that degrade service. Good-faith research is welcome.
Need more for your security review?
Request our current SOC 2 status letter, subprocessor DPA, or architecture diagram. We respond within one business day.