We treat your data like it belongs to the families — because it does.
Pruvelo is designed for licensed childcare: least-privilege access, transport encryption, platform-managed encryption at rest, and audit trails on sensitive changes. Below is what we actually implement and which protections come from our infrastructure partners.
Provider security posture
Pruvelo runs on Supabase (database, auth, file storage) and Vercel (web app). Those vendors publish security documentation and independent assessments (for example, SOC reports and, where applicable, PCI). This page describes our product architecture; it is not a standalone Pruvelo SOC 2 Type II certificate.
HTTPS (TLS) in transit
Browsers and our APIs communicate over TLS. This protects data on the wire between clients and Pruvelo’s hosts. It is standard transport security — not custom end-to-end encryption between family devices.
Encryption at rest
Database rows, stored files, and backups inherit encryption at rest from our managed data platform (Supabase). Pruvelo does not ship customer-managed encryption keys today.
Stripe for financial data
Cardholder data stays inside Stripe’s PCI Level 1 environment — Pruvelo never stores raw card numbers.
API authentication and rate limits
Signed-in access is required for nearly all product APIs, with a small allowlist for payment callbacks, checkout, and time-limited inspection share links. We apply rate limiting at the edge and on sensitive endpoints to reduce abuse.
No sale of child or family data
We do not sell personal information about children or families. Where we use optional product analytics, practices are described in our Privacy Policy.
Permissions
Director → teacher → parent hierarchy
Directors set policy. Teachers operate classrooms. Parents see only their own children. Messaging and forms respect those boundaries in the product and API.
Questions about security?
Email security@pruvelo.com.