Trust & Security

Security Is Our Foundation

Security is not a feature. It is our foundation. Neztio handles sensitive information about children, families, and educators every day. We treat that responsibility with the rigor it demands, building security and privacy into every layer of our platform from the ground up.

Data Encryption

All data is encrypted both in transit and at rest:

• Data in transit is protected with TLS 1.2 or higher for every connection between your devices and our servers.
• Data at rest is encrypted using AES-256 via Google Cloud's default encryption, ensuring your information is protected even when stored.

Tenant Isolation

Every childcare center operates within its own isolated data boundary. Firestore security rules enforce strict per-center separation at the database level. No center can read, write, or query another center's records. This isolation is not optional or configurable: it is built into the architecture and enforced on every request.

Access Controls

Neztio uses role-based access control (RBAC) with four distinct permission levels:

• Super Admin - Full platform management across all centers.
• Center Admin - Full control within their own center, including staff management, billing, and enrollment.
• Staff - Operational access to their assigned center only. Staff cannot view data from other centers.
• Parent - Read and limited write access scoped to their own children. Parents cannot see other families' data.

Authentication

Neztio uses Firebase Authentication to handle all credential management securely:

• Passwords are hashed server-side and never stored in plaintext.
• Session tokens expire automatically and rotate on each sign-in.
• Mobile apps support biometric authentication (Face ID, Touch ID, fingerprint) for quick, secure access.
• Two-factor authentication is on our near-term roadmap.

Audit Logging

All significant operations are timestamped and attributed to the user who performed them. Check-ins, check-outs, messages, absence reports, enrollment changes, and administrative actions are recorded with full audit trails. Cloud Functions enforce write authorization on all mutations, ensuring that every change is validated and logged before it reaches the database.

Infrastructure

Neztio runs on Google Cloud Platform (GCP) and Firebase, benefiting from Google's enterprise-grade infrastructure:

• GCP maintains SOC 1, SOC 2, and ISO 27001 certifications.
• All data centers are located in the United States.
• 99.95% uptime SLA backed by Google's service level agreements.
• Automatic scaling, redundancy, and disaster recovery built into the platform.

Children's Data & COPPA

Neztio is not directed at children under 13. Under the Children's Online Privacy Protection Act (COPPA, 16 CFR Part 312), childcare operators using Neztio act as the “operator” responsible for obtaining verifiable parental consent before entering child data into the platform.

Neztio acts as a service provider, processing child data on behalf of the operator. We apply data minimization principles: only operationally necessary information is collected, such as the child's name, date of birth, attendance records, medical or allergy notes, and emergency contacts.

• Parents may request access to or deletion of their child's data through their operator or by contacting Neztio directly.
• If we discover child data collected without proper authorization, we delete it promptly.

AI Data Handling

Neztio includes AI-assisted features that help staff draft messages, generate photo captions, surface attendance insights, and create morning briefings. Here is how we handle data in these workflows:

• AI features run through server-side Cloud Functions. No AI processing happens on the client device.
• All personally identifiable information (names, dates of birth, contact details) is scrubbed before any data is sent to the AI model. The AI processes anonymized, aggregate center-level data only.
• AI-generated content is always labeled as AI-assisted. Staff review and approve all AI output before it reaches parents.
• Per-child AI consent is verified before processing. Centers control whether AI features are enabled.
• AI usage is gated by plan tier with monthly quotas. No AI data is used to train models.

FERPA Readiness

For operators that are educational agencies or institutions covered by the Family Educational Rights and Privacy Act (FERPA), Neztio is structured to support compliance:

• Operators may designate Neztio as a “school official” with a “legitimate educational interest” under 34 CFR 99.31(a)(1).
• Education records are used solely to provide the Service and are never used for advertising or other unrelated purposes.
• No disclosure of education records to third parties except as permitted by FERPA.
• All education records are returned or destroyed upon service termination.

SOC 2 Roadmap

Neztio is committed to achieving SOC 2 Type II certification. Our underlying infrastructure on Google Cloud Platform is already SOC 1, SOC 2, and ISO 27001 certified. We are actively pursuing organizational-level SOC 2 Type II certification with a target completion in 2026. This certification will independently validate our security controls, availability, and data handling practices.

Incident Response

If you discover a security vulnerability or have a concern about data safety, please report it to us:

• Report vulnerabilities to hello@neztio.com.
• We acknowledge reports within 24 hours and triage within 72 hours.
• Affected users are notified per applicable state breach notification laws.