← Back to home

Security & Compliance

Our commitment to the UK NCSC Cyber Essentials Plus scheme — the five control areas, written plainly.

1. Firewalls & Routers

NeuroKids runs on a managed Kubernetes platform. All inbound traffic is filtered by the platform load balancer, which strips and re-issues TLS, drops non-443 connections, and rate-limits per IP. No backend port is reachable from the public internet.

2. Secure Configuration

Containers start from pinned base images. No shell or admin port is exposed to end users. Application config comes only from environment variables — there are no committed secrets. Default service-worker registration is removed at build time.

3. User Access Control

Parent and admin auth use bcrypt-hashed passwords (cost ≥ 12). JWTs expire after 7 days. Admin access is gated by a static allowlist in code, not just a flag on a row. All admin mutations log to db.admin_actions with the actor email, timestamp, and before/after diff.

4. Malware Protection

The frontend is a static bundle served via CDN — no user-supplied code is executed. File uploads (CSV roster imports, pentest reports) are size-capped (5MB / 20MB) and content-type-restricted. ClamAV scanning is on the Cyber Essentials Plus uplift roadmap.

5. Patch & Update Management

Container rebuilds pick up base-image security patches on every deploy. Dependencies are pinned via package.json and requirements.txt; npm audit + ruff run on every commit. SSL certificates are monitored weekly via the SSL Monitor cron (alerts on Slack ≤ 14 days from expiry).

Contact

For our IASME assessor, security questionnaire, or to coordinate a pentest:dpo@neuro-kids-space.co.uk