Security Policy

Version 1.0 · Effective 19 June 2026

Our approach

CoParentOS exists to give separated parents a private, trustworthy record of co-parenting arrangements. The data you entrust to us includes structured records with audit history that may be used in mediation or court. Security is not an afterthought — the platform is built around it.

This policy describes our security controls. Full technical documentation is available to enterprise and legal customers under NDA.

Data classification

All data is classified into four tiers. Controls scale with sensitivity:

  • Tier 1 — Public: Marketing pages, pricing, public documentation. No special controls.
  • Tier 2 — Internal: System logs, performance metrics. Access limited to platform operators.
  • Tier 3 — Confidential: Expense records, messages, calendar events, handover logs. Encrypted in transit and at rest; access restricted by household.
  • Tier 4 — Restricted: Child personal information, legal documents, authentication tokens. Minimum necessary access; strict audit logging; no retention beyond stated periods.

Encryption

In transit

  • TLS 1.3 for all client-server communication
  • HSTS enabled with preload
  • All database connections use TLS 1.2+
  • Stripe API: TLS 1.2+ with certificate pinning

At rest

  • AES-256 encryption for all stored data
  • All uploaded files encrypted server-side
  • Backups encrypted with AES-256
  • No sensitive data cached in browser storage

Access control

Every request to view or modify data is authenticated and authorised:

  • Household isolation: Your data is only accessible to the two parents in your household. Database-level access controls enforce this — not just application logic.
  • Multi-factor authentication: Required for all production accounts.
  • Lawyer access: Time-limited, read-only, and per-document. You grant access; you revoke it. Every access is logged.
  • Session security: HTTP-only, Secure, SameSite cookies. 24-hour inactivity timeout.
  • Password policy: Minimum 12 characters; checked against known breach databases.

Audit logging

Every change to your data is logged: who made the change, what changed, and when. Audit logs are append-only — they cannot be modified or deleted. This is how we ensure records are trustworthy for mediation and court.

Audit logs are retained for a minimum of 7 years, aligning with Australian legal requirements for financial and business records.

Development practices

  • All code changes reviewed via pull request — no direct pushes to production.
  • Automated dependency scanning on every commit; critical patches applied within 24 hours.
  • TypeScript strict mode across the entire codebase.
  • No secrets in source code or version control.
  • Input validation on all user-supplied data.

Infrastructure & vendors

CoParentOS runs on cloud infrastructure with strong security credentials:

  • Database & file storage: Hosted in Singapore (AWS ap-southeast-1). SOC 2 and ISO 27001 certified.
  • Application hosting: Global edge network with encrypted environment variable storage.
  • Payments: PCI DSS Level 1 certified. We never store your full card number.

All vendors are assessed for security before integration and reviewed annually.

Data residency

Your data is stored in Singapore. This is disclosed in our Privacy Policy and was selected to balance performance with data sovereignty considerations for Australian users. Application code is deployed on a global edge network.

Questions?

Contact us at security@coparentos.com.au. Enterprise and legal customers can request our full security documentation package under NDA.