Trust Center

← Back to Home

1. Our Approach to Security

Working with data about children requires an exceptional duty of care. At KumbukTree, security and privacy are embedded in every layer of our platform — from the infrastructure we run on, to the code we write, to the policies we enforce. This Trust Center provides full transparency into our practices, standards, and commitments.

We protect data belonging to over 800 childcare centers and the families they serve. Every architectural and operational decision we make is evaluated through the lens of child safety and data stewardship.

2. Security at a Glance

3. Security Practices

3.1 Access Controls

• Role-Based Access Control (RBAC): Every user is assigned a role (administrator, teacher, front-desk, parent) with access limited to the data necessary for that role
• Multi-Factor Authentication (MFA): Required for all administrator and staff accounts
• Principle of Least Privilege: Internal engineering access to production systems is restricted to the minimum necessary and requires MFA + VPN
• Session Management: Authenticated sessions expire after 8 hours of inactivity; concurrent session limits enforced per user

3.2 Data Protection

• All personal data is encrypted in transit (TLS 1.3) and at rest (AES-256)
• Sensitive fields (e.g., medical notes, allergy information, emergency contacts) receive additional field-level encryption
• Database backups are encrypted and stored in a geographically separate AWS region
• Data is logically isolated between childcare center tenants — no center can access another center's data

3.3 Application Security

• Secure development lifecycle (SDLC) with mandatory code reviews and automated security scanning
• Dependency vulnerability scanning via Dependabot and Snyk
• OWASP Top 10 mitigations integrated into development standards
• Annual third-party penetration testing with remediation SLAs
• Web Application Firewall (WAF) and DDoS protection at the edge

4. Infrastructure Details

4.1 Cloud Hosting

Provider	Amazon Web Services (AWS)
Primary Region	us-east-1 (N. Virginia)
Redundancy	Multi-AZ deployment with automated failover
Compute	Auto-scaling container orchestration (ECS Fargate)
Database	Amazon RDS (PostgreSQL) with automated backups and point-in-time recovery
Object Storage	Amazon S3 with versioning and lifecycle policies

4.2 Email Delivery

Email Service Provider	Mailgun (Sinch Group)
Sending Method	SMTP relay via Mailgun API
IP Configuration	Dedicated sending IP
Email Type	100% transactional (no marketing)
Average Daily Volume	~10,000 messages
Spam Complaint Rate	< 0.03%
Bounce Rate	< 1.4%
Authentication	SPF + DKIM (2048-bit) + DMARC (p=reject)
Headers	List-Unsubscribe, List-Unsubscribe-Post (RFC 8058)

5. Incident Response

KumbukTree maintains a documented incident response plan with defined roles, communication procedures, and escalation paths:

1. Detection (0–15 minutes) — Automated monitoring detects and alerts the on-call engineer via PagerDuty
2. Triage (15–60 minutes) — On-call engineer assesses severity, assembles the response team, and initiates containment
3. Containment (1–4 hours) — Affected systems are isolated, malicious access is revoked, and forensic evidence is preserved
4. Notification (within 72 hours) — Affected clients and, where required, supervisory authorities are notified in accordance with GDPR Article 33. Parents and guardians are notified through their childcare center
5. Resolution & Post-Mortem (within 5 business days) — Root cause analysis is completed, remediation actions are implemented, and a post-incident report is shared with affected parties

6. Logging & Audit Trail

Log Type	Retention Period	Details
Email delivery logs	90 days	Recipient, timestamp, status (delivered/bounced/deferred), message ID
User access logs	12 months	Login events, IP address, device fingerprint, session duration
Administrative action logs	12 months	Account changes, permission modifications, data exports
Infrastructure logs	12 months	System events, deployment records, configuration changes
Change management	Indefinite	All code and configuration changes tracked in version control (Git)

7. Compliance

KumbukTree's practices are designed to comply with the following regulations and standards:

• GDPR (General Data Protection Regulation) — Rights of EU/EEA data subjects honored; DPAs available on request; Standard Contractual Clauses executed with sub-processors
• CCPA / CPRA (California Consumer Privacy Act) — California residents' rights honored; no sale of personal information
• CAN-SPAM Act (US) — All transactional emails comply with CAN-SPAM requirements; sender identity, physical address, and unsubscribe mechanism included in every message
• CASL (Canada's Anti-Spam Legislation) — Consent requirements met for Canadian recipients; unsubscribe processed within 10 business days
• COPPA (Children's Online Privacy Protection Act) — While KumbukTree does not collect data directly from children under 13, our platform processes child data on behalf of childcare centers. We implement appropriate safeguards for this data

8. Responsible Disclosure

We welcome responsible disclosure of security vulnerabilities. If you discover a potential security issue in the KumbukTree platform:

• Report to: security@kumbuktree.com
• Acknowledgment: Within 48 hours of receiving your report
• Assessment: Initial severity assessment within 5 business days
• Resolution: Critical and high-severity vulnerabilities targeted for resolution within 30 days
• Recognition: With your permission, we will acknowledge your contribution in our security advisories

We ask that you:

• Do not access, modify, or delete data belonging to other users
• Do not disclose the vulnerability publicly until we have addressed it
• Provide sufficient detail for us to reproduce and verify the issue

9. Contact