Security

What we do

• All traffic served over HTTPS with HSTS preload-ready (2-year max-age).
• Database rows scoped per family via Postgres row-level security. A parent only sees their own children; a child session only reaches their own data.
• Child writing + mastery state encrypted at rest in our database provider (Supabase).
• Errors sent to Sentry are run through a scrubber that strips child names, response text, emails, and session tokens before transport.
• Content-Security-Policy restricts where scripts + images + iframes can load from; third-party origins are enumerated, not wildcarded.
• Child PIN sign-in is rate-limited (5 strikes → 1-hour cooldown). Parent auth endpoints have their own rate limits at the database layer.
• Service-role database access is confined to the specific server routes that need it (signup rollback, account deletion, audit writes) — never handed to the client.
• Automated retention: child responses auto-delete after 180 days; ops logs after 90 days. See the privacy policy for the full table.

Reporting a security issue

If you believe you've found an issue that could affect child or family data, please email team@riverschool.app. Machine-readable policy at /.well-known/security.txt.

We'll acknowledge within 2 business days and work with you on a fix. We don't have a cash bounty yet; we do credit reporters publicly on this page with your permission.

Breach notification

If we ever discover a data breach affecting child or family data, we'll notify affected account holders within 72 hours of confirmation. Where applicable law requires a shorter or longer timeline, we'll follow the stricter one. Our detailed incident response procedure is documented internally; a summary is available on request.

Transparency

Full privacy policy with sub-processor list, retention schedule, and parental rights. If you're a school or institution asking about a Data Processing Addendum or FERPA alignment, email team@riverschool.app.