Security & Child Safety
How we keep your child's data safe and the service itself secure. We publish this so you can audit our claims and so researchers can help us improve.
Child safety — the basics
- Zero third-party trackers on children's pages. Verified by automated network trace on every release — no Google Analytics, no Facebook Pixel, no Segment, no Mixpanel.
- Zero ads, zero in-app purchases, zero affiliate links in the kids UI.
- Video embeds via youtube-nocookie.com. The official YouTube "privacy-enhanced" mode. Cookies only set after your child presses play (and first passes the Parental Gate).
- Parental Gate on every external link and every payment surface. Kids can't bypass it.
- AI moderation (Claude Haiku 4.5) reviews every new video and every generated bedtime story before it appears.
Account & data security
- HTTPS-only, HSTS enabled, TLS 1.2+.
- Passwords hashed with bcrypt (cost 12). Never stored in plaintext.
- Authentication cookies: httpOnly, Secure, SameSite=Strict. 15-minute access token + 30-day refresh with rotation.
- Server-side refresh tokens hashed at rest — a stolen cookie is revocable from the server.
- Rate limits: 5 login attempts per 10 minutes, 30 refreshes per minute, 300 general requests per minute per IP.
- Strict Content-Security-Policy on /watch/ — no arbitrary scripts, no inline data: URIs.
- Admin routes behind a bearer token; admin actions logged.
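The HSTS, cookie and Content-Security-Policy items above can be checked from outside by reading response headers. The following is an added example, not Kivolo Kids' own code: it audits one response's headers (lowercase keys, set-cookie as an array, as Node.js exposes them) against those claims. The function names, the sample header values and the reading of "no arbitrary scripts" as no 'unsafe-inline', data: or * script sources are assumptions.

```javascript
// Added example, not the service's code. Sample header values are constructed.
function parseCsp(value) {
  const directives = {};
  for (const part of value.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name) directives[name.toLowerCase()] = sources.map((s) => s.toLowerCase());
  }
  return directives;
}

function auditHeaders(headers) {
  const findings = [];
  // HSTS must be present with a non-zero max-age (max-age=0 switches HSTS off).
  const hsts = headers['strict-transport-security'] || '';
  const maxAge = /(?:^|;)\s*max-age="?(\d+)/i.exec(hsts);
  if (!maxAge || Number(maxAge[1]) === 0) findings.push('hsts: missing or max-age=0');
  // Every cookie in the response must carry HttpOnly, Secure and SameSite=Strict.
  for (const cookie of headers['set-cookie'] || []) {
    const [pair, ...attrs] = cookie.split(';').map((s) => s.trim());
    const name = pair.split('=')[0];
    const flags = attrs.map((a) => a.toLowerCase());
    if (!flags.includes('httponly')) findings.push(`cookie ${name}: no HttpOnly`);
    if (!flags.includes('secure')) findings.push(`cookie ${name}: no Secure`);
    if (!flags.includes('samesite=strict')) findings.push(`cookie ${name}: SameSite is not Strict`);
  }
  // script-src falls back to default-src; with neither, scripts are unrestricted.
  const csp = parseCsp(headers['content-security-policy'] || '');
  const scriptSrc = csp['script-src'] || csp['default-src'];
  if (!scriptSrc) {
    findings.push('csp: no script-src or default-src');
  } else {
    for (const bad of ["'unsafe-inline'", 'data:', '*']) {
      if (scriptSrc.includes(bad)) findings.push(`csp: script source ${bad} allowed`);
    }
  }
  return findings;
}

// Constructed sample responses (not real traffic from the service).
const compliant = {
  'strict-transport-security': 'max-age=31536000; includeSubDomains',
  'set-cookie': ['access=abc; Path=/; HttpOnly; Secure; SameSite=Strict; Max-Age=900'],
  'content-security-policy': "default-src 'self'; frame-src https://www.youtube-nocookie.com",
};
const weak = {
  'set-cookie': ['refresh=xyz; Path=/; HttpOnly; SameSite=Lax'],
  'content-security-policy': "script-src 'self' 'unsafe-inline' data:",
};
console.log(auditHeaders(compliant), auditHeaders(weak));
```

An empty findings list means the response matches the stated claims; each string names the header and the attribute that does not.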
Infrastructure
- Dockerised stack: Postgres 16, Redis 7, Node.js 20, nginx. Images pinned to majors.
- Daily automated backups of the database, 7-day retention.
- Separate database / cache / app containers — blast-radius minimised.
- No payment data stored on our servers. Subscriptions handled manually during beta; future payments via PCI-DSS compliant provider (Stripe).
What happens if you report a vulnerability
We aim to respond within 2 business days. First triage within 5 days. Critical issues get a fix advisory within 14 days.
- Email security@kivolokids.com. PGP key available on request.
- Include: affected URL, reproduction steps, impact. Don't include actual user data.
- Do not publicly disclose until we've shipped a fix. We will credit you in our advisory unless you prefer to remain anonymous.
- Out of scope: denial-of-service, social engineering, physical attacks, 3rd-party services we don't control (YouTube, Anthropic).
Bug bounty
We do not currently operate a paid bounty program — we're a small studio. We do offer public acknowledgement in a "hall of fame" and, for significant findings, a handwritten thank-you plus Kivolo Kids merch.
security.txt
Our security.txt file contains the canonical contact and policy.
Last independent audit
The service has not yet been audited by a third party. An independent security assessment is planned for Q3 2026 before we enable the public sign-up flow at scale.
Transparency reports
We publish a transparency summary each quarter at kivolokids.com/transparency (first report Q2 2026). It covers: total accounts, data requests received, subpoenas received, vulnerabilities disclosed, and uptime.
