Back to home

Security & Privacy at NeuroKids

Autism families entrust us with their children's inner world. Here's every control we've built to keep it safe — updated live from the running system.

18 of 20 controls active·90%

Web & Transport

Content Security Policy enforced

Live-probed on every response: default-src 'self'; frame-ancestors 'none'

HTTPS with HSTS enforced

Live-probed: Strict-Transport-Security header on landing page

Auth cookies HttpOnly + Secure + SameSite=Lax

nk_token cookie hardened against XSS + CSRF

Push notifications VAPID-authenticated

Web Push protocol with VAPID keys — origin-verified

Authentication

Passwords bcrypt-hashed (12 rounds)

No plaintext or reversible storage — GDPR Art. 32 compliant

JWT rotation + 7-day expiry

HS256 signing, 7-day tokens, server-side revocation on password change

Per-child PIN lockout

10 wrong attempts within 15 min → 30-min freeze

Kid-mode tokens can't reach admin

Server hard-rejects role='kid' on admin endpoints

Rate limiting on auth endpoints

Login 10/min, kid PIN 10/min + lockout, forgot-password 3/min

Cron / background jobs running

Live-probed: APScheduler has ≥ 5 registered jobs

Data Protection

Row-level ownership checks

Every kid-scoped endpoint verifies parent owns the child (no BOLA)

Strict typed input validation

Pydantic type-checks every request body — no NoSQL operator injection

OAuth state HMAC-signed

Google + Microsoft + YouTube callbacks all verify 5-min signed state

Database reachable + healthy

Live-probed: primary MongoDB connection accepting queries

Compliance

GDPR + UK-GDPR + COPPA aware

Public privacy policy, DSAR endpoint, retention limits, DPO contact published

Safeguarding rule engine

Hourly scan of high-risk phrases across kid + parent inputs

Voice recording retention ≤ 90 days

Daily cron purges any voice clip older than 90 days

Emails from verified domain

Live-probed via Resend API: sender domain status='verified' (DKIM + SPF green)

Cyber Essentials Plus-ready controls

IASME evidence pack downloadable by admins on request

No third-party tracking of children

Zero ad-tech, zero Facebook Pixel, zero social scripts on kid pages

For school IT teams & SENCos

Need our full evidence pack for procurement, DPIA, or Cyber Essentials review? Everything below is public.

Last checked 7/11/2026, 8:59:33 PM. This page reads from the live server on each load.