Security

• Data is hosted on Supabase, running on AWS infrastructure in U.S. regions.
• All traffic between your browser and CubHub is encrypted in transit using TLS 1.2 or higher.
• Data at rest in our database and object storage is encrypted using AES-256.
• Backups of the production database are taken automatically and retained for at least seven days, with point-in-time recovery enabled.

• Every database table uses row-level security (RLS). Users can only read or modify rows that belong to their Center and that match their role.
• Roles are enforced end-to-end: administrators, teachers, and guardians each see a different subset of data and actions.
• Authentication is handled by Supabase Auth with industry-standard password hashing. Staff and guardians sign in with email and password; magic links are not used.
• Employee access to production systems is limited to a small number of engineers, protected by single sign-on and multi-factor authentication, and logged.

Payments are processed by Stripe, a PCI DSS Level 1 certified provider. CubHub never stores raw card numbers, CVV codes, or full bank account details. We receive only a token, the card brand, and the last four digits for display purposes.

• Child records are scoped to a single Center; data never crosses Center boundaries.
• Face check-in is opt-in. We store a mathematical face descriptor, not the original photo, and guardians can delete their enrollment at any time.
• Child photos are stored in a private bucket with signed, short-lived access URLs.
• We do not use child data for advertising, and we do not sell personal information.

• Input from end users is validated both on the client and in the database layer.
• Server-side logic runs in isolated Supabase Edge Functions with least-privilege credentials and strict CORS.
• Stripe webhooks are verified by signature and processed idempotently.
• Sensitive administrative actions are recorded in an audit log.
• Dependencies are monitored for known vulnerabilities and patched on a regular cadence.

• CubHub is built with the Children's Online Privacy Protection Act (COPPA) in mind. Centers act as the "operator" for information about enrolled children and are responsible for obtaining parental consent where required.
• We are working toward a SOC 2 Type II examination. Until that report is issued, we will not claim SOC 2 compliance. If you need a current security questionnaire or data processing agreement (DPA), we are happy to provide one on request.
• We honor data export and deletion requests from Centers, guardians, and staff in accordance with our Privacy Policy.

We monitor the Service continuously and maintain a documented incident response process. If a security incident occurs that affects your data, we will notify the affected Center's administrator without undue delay and in accordance with applicable law.

We welcome reports from security researchers. If you believe you have found a vulnerability, please email security@cubhub.ai with a description and, where possible, a proof of concept. Please give us a reasonable window to investigate and remediate before public disclosure. We commit to acknowledging your report within three business days.

Security team: security@cubhub.ai
Data protection: privacy@cubhub.ai