Security

Last updated: April 2026

Our security posture

ParentProof is a community service that handles parent email addresses, session tokens, and content ratings. We take a minimal-data approach: we collect only what is needed to operate the directory and delete it on the schedule described in our Privacy Policy.

Infrastructure

  • Hosted on Google Cloud Run (managed, auto-scaling, no persistent VMs).
  • All data at rest encrypted with GCP-managed keys (AES-256).
  • All data in transit encrypted with TLS 1.3.
  • Secrets stored in GCP Secret Manager; never in environment variable literals.
  • JWT session tokens are signed with HS256, issued at login, and have a 15-minute TTL with refresh tokens.
  • Passwords hashed with argon2id (19 MiB memory, 2 iterations).

Authentication

ParentProof uses magic-link email authentication as the default sign-in path. Passwords are supported but optional. We do not store plaintext credentials. Magic links expire after 15 minutes and are single-use.

COPPA and children's data

ParentProof has no child-facing surface. The service is for parents only. We do not knowingly collect data from anyone under 18. If you believe a minor has created an account, contact us at security@parentproof.com and we will delete the account within 72 hours.

Responsible disclosure

If you find a security vulnerability in ParentProof, please report it responsibly before public disclosure. We commit to:

  • Acknowledging your report within 2 business days.
  • Providing a timeline for a fix within 5 business days.
  • Crediting you in our security changelog (unless you prefer anonymity).

Send reports to security@parentproof.com. Please do not open a public GitHub issue for security bugs.

Audit log

Every state-changing action on a parent account emits an audit event, which is stored for 90 days; verifiable parental consent (VPC) records are stored for 7 years per COPPA. You can download your audit log from your account settings.