Security & Privacy

Your children's data is safe with us

OurNurseryGrid handles some of the most sensitive personal data imaginable — children's health, safeguarding records, family details. Here's exactly how we protect it.

  • AES-256 encryption: data at rest
  • TLS 1.3: encrypted in transit
  • UK GDPR compliant: data processed under UK law
  • Role-based access: 14 granular staff roles
  • UK-hosted: data never leaves the UK
  • Account lockout: 5 failed attempts = 15 min lock

Data storage & encryption

  • Data at rest: All database data is encrypted using AES-256 on our UK-hosted servers. Passwords are hashed using bcrypt with a work factor of 12 — never stored in plain text.
  • Data in transit: All connections are encrypted with TLS 1.3 (enforced via HSTS with a 1-year max-age). HTTP traffic is automatically redirected to HTTPS.
  • Data location: All data is stored on servers physically located in the United Kingdom. We do not transfer personal data outside the UK or EEA.
  • Session security: Sessions are stored server-side in our database, not client-side. Cookies are marked HttpOnly, Secure, and SameSite=Lax, which keeps the session cookie out of reach of page scripts (limiting the impact of XSS) and blocks most cross-site request forgery.

Authentication & access control

  • Multi-tenant isolation: Every query in the system is scoped by nursery ID. It is architecturally impossible for one nursery's staff to access another nursery's data.
  • Role-based access control: 14 staff roles from Operations Manager to Agency Staff. Management-only features (settings, staff management) are restricted server-side — not just hidden in the UI.
  • Account lockout: After 5 failed login attempts, an account is locked for 15 minutes. IP-level rate limiting applies a separate 10-attempt-per-15-minute cap per IP address.
  • Session regeneration: Sessions are regenerated on login to prevent session fixation attacks.
  • Minimum password policy: Admin accounts require a minimum 10-character password. Staff passwords are hashed with bcrypt at a work factor of 12 — roughly 200 ms per attempt, making brute-force computationally infeasible.
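As an added illustration (not OurNurseryGrid's own code), the account-lockout and per-IP rules above modelled in JavaScript; the in-memory store, the method names and the sliding-window reading of the 15-minute IP cap are assumptions.

```javascript
// Added example, not OurNurseryGrid's code: an in-memory model of the lockout rules
// stated above (5 failures lock the account for 15 min; 10 attempts per 15 min per IP).
// A production deployment would keep these counters in the database or a shared store.
const ACCOUNT_MAX_FAILURES = 5;
const ACCOUNT_LOCK_MS = 15 * 60 * 1000;
const IP_MAX_ATTEMPTS = 10;
const IP_WINDOW_MS = 15 * 60 * 1000;

class LoginGuard {
  constructor() {
    this.accounts = new Map(); // email -> { failures, lockedUntil }
    this.ips = new Map();      // ip -> timestamps of recent attempts (sliding window)
  }

  // Runs one login attempt. `verifyPassword` is only called when neither limit blocks the
  // attempt, so a locked account never reveals whether the supplied password was right.
  // Returns 'ok' | 'bad_password' | 'account_locked' | 'ip_rate_limited'.
  attempt(email, ip, verifyPassword, now = Date.now()) {
    // Every attempt, including ones refused below, counts against the per-IP cap.
    const hits = (this.ips.get(ip) || []).filter(t => now - t < IP_WINDOW_MS);
    hits.push(now);
    this.ips.set(ip, hits);
    if (hits.length > IP_MAX_ATTEMPTS) return 'ip_rate_limited';

    const acct = this.accounts.get(email) || { failures: 0, lockedUntil: 0 };
    if (acct.lockedUntil > now) return 'account_locked';

    if (verifyPassword()) {
      this.accounts.delete(email); // success clears the failure counter
      return 'ok';
    }
    acct.failures += 1;
    if (acct.failures >= ACCOUNT_MAX_FAILURES) {
      acct.lockedUntil = now + ACCOUNT_LOCK_MS;
      acct.failures = 0; // the next lock needs another full run of failures
    }
    this.accounts.set(email, acct);
    return 'bad_password';
  }
}
```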

Application security

  • SQL injection prevention: All database queries use parameterised prepared statements via mysql2. User input is never interpolated into SQL strings.
  • XSS prevention: The EJS templating engine auto-escapes all user-controlled output by default. CSP headers provide an additional layer of defence.
  • CSRF protection: Session-bound CSRF tokens are validated on all state-changing requests (POST/PUT/DELETE). SameSite=Lax cookies provide defence-in-depth.
  • Security headers: All responses include X-Content-Type-Options: nosniff, X-Frame-Options: DENY, Referrer-Policy: strict-origin-when-cross-origin, Permissions-Policy (disabling geolocation, camera, microphone, payment), and a Content Security Policy.
  • File uploads: Uploaded images (child photos, room photos, diary entries) are stored outside the web root and served through the application — not directly accessible via URL guessing.
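An added example (not the project's own code) that also covers the HSTS and cookie-flag points under "Data storage & encryption": a checker that audits a response's headers against the controls listed on this page. The header names and values are the ones stated above; the sample responses are constructed.

```javascript
// Added example, not OurNurseryGrid's code: audits a response header map against the
// transport and browser-side controls this page lists. Sample responses are constructed.
const ONE_YEAR = 31536000; // HSTS max-age the page states (1 year, in seconds)
const DISABLED_FEATURES = ['geolocation', 'camera', 'microphone', 'payment'];

function auditResponse(headers) {
  // Normalise header names to lower case; Set-Cookie may be a string or an array.
  const h = Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  const findings = [];
  const hsts = /max-age=(\d+)/i.exec(h['strict-transport-security'] || '');
  if (!hsts || Number(hsts[1]) < ONE_YEAR) findings.push('hsts: missing or max-age below one year');
  if ((h['x-content-type-options'] || '').toLowerCase() !== 'nosniff') findings.push('x-content-type-options: expected nosniff');
  if ((h['x-frame-options'] || '').toUpperCase() !== 'DENY') findings.push('x-frame-options: expected DENY');
  if ((h['referrer-policy'] || '').toLowerCase() !== 'strict-origin-when-cross-origin') findings.push('referrer-policy: expected strict-origin-when-cross-origin');
  const pp = h['permissions-policy'] || '';
  for (const f of DISABLED_FEATURES) {
    // A feature is disabled when its allowlist is empty, e.g. "camera=()".
    if (!new RegExp(`(^|,)\\s*${f}=\\(\\)`).test(pp)) findings.push(`permissions-policy: ${f} not disabled`);
  }
  if (!h['content-security-policy']) findings.push('content-security-policy: missing');
  for (const c of [].concat(h['set-cookie'] || [])) {
    const name = c.split('=')[0].trim();
    const attrs = c.toLowerCase();
    if (!/;\s*httponly/.test(attrs)) findings.push(`cookie ${name}: missing HttpOnly`);
    if (!/;\s*secure/.test(attrs)) findings.push(`cookie ${name}: missing Secure`);
    if (!/;\s*samesite=(lax|strict)/.test(attrs)) findings.push(`cookie ${name}: SameSite not Lax or Strict`);
  }
  return findings;
}

// Constructed samples: one response matching the stated policy, one from a weak deployment.
const HARDENED = {
  'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
  'X-Content-Type-Options': 'nosniff',
  'X-Frame-Options': 'DENY',
  'Referrer-Policy': 'strict-origin-when-cross-origin',
  'Permissions-Policy': 'geolocation=(), camera=(), microphone=(), payment=()',
  'Content-Security-Policy': "default-src 'self'",
  'Set-Cookie': ['sid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax'],
};
const WEAK = {
  'Strict-Transport-Security': 'max-age=86400',
  'X-Frame-Options': 'SAMEORIGIN',
  'Permissions-Policy': 'geolocation=(), camera=()',
  'Set-Cookie': 'sid=abc123; Path=/; HttpOnly',
};
```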

GDPR & UK GDPR compliance

  • Lawful basis: Personal data is processed under the legitimate interests and legal obligation bases as a data processor for your nursery (the data controller).
  • Data Processing Agreement: A DPA is available on request and will be provided as standard to all Nursery, Professional and Enterprise plan customers.
  • Data subject rights: We support your obligations under GDPR Articles 15–22 (access, rectification, erasure, portability). Contact us to action requests relating to our platform's stored data.
  • Retention policy: Active child records are retained for the duration of your subscription. On account closure, data is retained for 30 days then permanently deleted, unless you request earlier deletion.
  • Children's data (Article 8): We apply additional care to data relating to children under 16, in line with the UK ICO guidance for childcare providers.
  • ICO registration: OurNurseryGrid is registered with the Information Commissioner's Office as a data processor.

Security roadmap

We're committed to continuous improvement. Here's what's coming:

  • In progress: Cyber Essentials certification — NCSC-backed self-assessment (UK government standard)
  • Planned: Penetration testing — independent third-party pen test of all public-facing surfaces
  • Planned: Two-factor authentication (TOTP) — optional 2FA via authenticator app for all staff logins
  • Planned: Audit log — immutable record of all data access and changes, exportable for Ofsted inspections
  • Future: ISO 27001 — information security management system certification
  • Future: SOC 2 Type II — for enterprise and multi-site customers

Report a vulnerability

We take security reports seriously. If you believe you've found a vulnerability in OurNurseryGrid, please disclose it responsibly by emailing security@ournurserygrid.com.

Please include: description of the issue, steps to reproduce, potential impact, and your contact details. We aim to acknowledge reports within 24 hours and resolve critical issues within 7 days.

We do not currently operate a bug bounty programme, but we'll publicly credit responsible disclosures (with your permission).

Want the full technical detail?

Our complete Information Security Policy covers all controls in detail — firewall rules, patch management, incident response procedures, backup policy, and more.

Read the full Information Security Policy →

Questions about security or data protection?

Contact our security team →

Last reviewed: May 2026