Security & Privacy at NeuroKids
Autism families entrust us with their children's inner world. Here's every control we've built to keep it safe — updated live from the running system.
Web & Transport
Content Security Policy enforced
Live-probed on every response: default-src 'self'; frame-ancestors 'none'
HTTPS with HSTS enforced
Live-probed: Strict-Transport-Security header on landing page
Auth cookies HttpOnly + Secure + SameSite=Lax
nk_token cookie hardened against XSS + CSRF
Push notifications VAPID-authenticated
Web Push protocol with VAPID keys — origin-verified
Authentication
Passwords bcrypt-hashed (12 rounds)
No plaintext or reversible storage — GDPR Art. 32 compliant
JWT rotation + 7-day expiry
HS256 signing, 7-day tokens, server-side revocation on password change
Per-child PIN lockout
10 wrong attempts within 15 min → 30-min freeze
Kid-mode tokens can't reach admin
Server hard-rejects role='kid' on admin endpoints
Rate limiting on auth endpoints
Login 10/min, kid PIN 10/min + lockout, forgot-password 3/min
Cron / background jobs running
Live-probed: APScheduler has ≥ 5 registered jobs
Data Protection
Row-level ownership checks
Every kid-scoped endpoint verifies parent owns the child (no BOLA)
Strict typed input validation
Pydantic type-checks every request body — no NoSQL operator injection
OAuth state HMAC-signed
Google + Microsoft + YouTube callbacks all verify 5-min signed state
Database reachable + healthy
Live-probed: primary MongoDB connection accepting queries
Compliance
GDPR + UK-GDPR + COPPA aware
Public privacy policy, DSAR endpoint, retention limits, DPO contact published
Safeguarding rule engine
Hourly scan of high-risk phrases across kid + parent inputs
Voice recording retention ≤ 90 days
Daily cron purges any voice clip older than 90 days
Emails from verified domain
Live-probed via Resend API: sender domain status='verified' (DKIM + SPF green)
Cyber Essentials Plus-ready controls
IASME evidence pack downloadable by admins on request
No third-party tracking of children
Zero ad-tech, zero Facebook Pixel, zero social scripts on kid pages
For school IT teams & SENCos
Need our full evidence pack for procurement, DPIA, or Cyber Essentials review? Everything below is public.
Last checked 7/11/2026, 8:59:33 PM. This page reads from the live server on each load.