Security overview
Last updated: April 15, 2026 | KIRUNIVERSE LLC, Brooklyn, New York
kidHQ is built on infrastructure designed to protect student and school data at every layer. This document describes the technical and organizational controls we maintain. It is intended for school administrators, technology directors, and procurement teams evaluating kidHQ.
1. Infrastructure and hosting
kidHQ is hosted on Vercel (application layer) and Supabase (database and authentication layer). Both providers maintain SOC 2 Type 2 compliance. All infrastructure operates within the United States. We do not host student data in foreign jurisdictions.
2. Data encryption
All data transmitted between users and kidHQ is encrypted using TLS 1.2 or higher. Data at rest is encrypted using AES-256 encryption at the database layer. Payment card data is never stored on kidHQ systems — it is processed entirely by Stripe, Inc., which is PCI DSS Level 1 certified.
3. Access controls
Access to student and school data is governed by role-based access controls enforced at the application layer and row-level security policies enforced at the database layer. Administrators can only access data belonging to their own school. No KIRUNIVERSE LLC employee has routine access to school data in production. Access for support or diagnostic purposes requires explicit authorization and is logged.
4. Audit logging
Every administrative action taken within kidHQ — including creating, modifying, or deleting records — is logged in a tamper-evident audit trail. Logs are available to school administrators in the Activity section of the admin dashboard. Logs are retained for the duration of the school's subscription.
5. Authentication
kidHQ uses Supabase Auth for authentication, supporting email and password login and magic link (passwordless) authentication. Sessions are managed via secure, HTTP-only cookies with a one-year expiration. We do not store plaintext passwords.
6. Third-party subprocessors
kidHQ shares data with a limited number of subprocessors to operate the platform. Each subprocessor is contractually bound to maintain data privacy and security standards consistent with our obligations to schools. Current subprocessors: Supabase (database and authentication, United States), Vercel (application hosting, United States), Stripe (payment processing, United States), Google (calendar integration and email delivery, United States). A complete and current subprocessor list is available upon request.
7. Data minimization
We collect only the data necessary to provide the services described in our agreement with your school. We do not collect behavioral tracking data for advertising purposes. We do not use student data to train AI models. We do not share student data with advertising networks.
8. Incident response
In the event of a data security incident affecting student data, KIRUNIVERSE LLC will notify affected schools without undue delay and in accordance with applicable law, including New York Education Law Section 2-d and applicable breach notification statutes. We will provide schools with the information necessary to fulfill their own notification obligations.
9. Compliance
kidHQ is designed to support school compliance with FERPA, COPPA, and New York Education Law Section 2-d. We act as a school official with a legitimate educational interest under FERPA, governed by a signed Data Processing Agreement with each school. We do not rely on general consent from parents — we rely on the school's authority to contract for educational services on behalf of its students.
10. Contact
Security inquiries: privacy@kiruniverse.com | KIRUNIVERSE LLC, Brooklyn, New York | kidhq.app