Security & data
Children's data deserves more care than most software gives it.
The platform handles names, addresses, school details, and movement patterns of children every day. Below is how we think about that, and what we've built so that schools and operators can trust us with it.
Operating principles
Five things we will not compromise on.
Tenant isolation
Each school and each operator runs in its own logical tenant. One operator's data is never queryable by another, even by a Trayvar engineer with database access. The isolation is enforced at the row level, not at the application layer.
Postgres row-level security (RLS) policies. CI test harness verifies isolation on every deploy.
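The row-level isolation described above, expressed as an added Postgres example (illustrative code, not Trayvar's schema: the children table, the tenant_id column, the app.tenant_id setting and the app_user role are assumptions). Two details decide whether "even an engineer with database access" holds: RLS is skipped by superusers and by roles with BYPASSRLS, and the table owner skips it unless FORCE ROW LEVEL SECURITY is set, so the application must connect as an ordinary role, and that is the role the isolation check runs as.

```sql
-- Added example (not Trayvar's schema); Postgres 11 or later.
CREATE TABLE children (
    id         bigserial PRIMARY KEY,
    tenant_id  uuid NOT NULL,
    full_name  text NOT NULL,
    school     text NOT NULL
);

-- Enable RLS and FORCE it so the table owner is restricted as well.
ALTER TABLE children ENABLE ROW LEVEL SECURITY;
ALTER TABLE children FORCE ROW LEVEL SECURITY;

-- The application sets the tenant per transaction. An unset or empty
-- setting yields NULL, which matches no row: fail closed, not open.
CREATE POLICY tenant_isolation ON children
    USING      (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid)
    WITH CHECK (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid);

-- Application role: an ordinary role, never a superuser, never BYPASSRLS.
CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON children TO app_user;
GRANT USAGE ON SEQUENCE children_id_seq TO app_user;

-- Isolation check of the kind a CI harness runs on each deploy.
-- (Run by a role that may SET ROLE to app_user.)
SET ROLE app_user;

BEGIN;
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';
INSERT INTO children (tenant_id, full_name, school)
VALUES ('11111111-1111-1111-1111-111111111111', 'Constructed Child A', 'School A');
-- Writing a row for a different tenant fails the WITH CHECK clause:
-- INSERT INTO children (tenant_id, full_name, school)
-- VALUES ('22222222-2222-2222-2222-222222222222', 'x', 'y');
-- ERROR:  new row violates row-level security policy for table "children"
COMMIT;

BEGIN;
SET LOCAL app.tenant_id = '22222222-2222-2222-2222-222222222222';
-- Must return 0 for the build to pass; tenant 1's row is invisible here.
SELECT count(*) AS rows_visible_to_other_tenant FROM children;
COMMIT;

BEGIN;
-- No tenant set at all: the policy compares against NULL and returns nothing.
SELECT count(*) AS rows_visible_with_no_tenant FROM children;
COMMIT;

RESET ROLE;
```

The harness should assert on all three outcomes (one row inserted, zero rows for the other tenant, zero rows with no tenant) and additionally query pg_roles to confirm the application role has neither rolsuper nor rolbypassrls, since a policy that is correct but bypassed gives the same false confidence as no policy.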
Data residency
All operating data is stored in Supabase's EU-Central region (Frankfurt). No personal data leaves EU servers without explicit operator consent. Backup snapshots stay within the same region.
Supabase EU-Central · daily encrypted backups · 30-day retention.
Encryption in transit and at rest
Every connection to Trayvar uses TLS 1.3 with modern ciphers. Data at rest in Postgres is encrypted using AES-256. Backup snapshots are encrypted before they leave the database host.
TLS 1.3 minimum · AES-256 at rest · backup encryption keys held separately from data keys.
Child data minimisation
We hold the minimum data necessary to operate the platform: name, school, class, home location, parent contact. No medical data, no academic records, no behavioural data. The minimisation is structural - the database schema does not have columns for the data we don't collect.
PII fields restricted to name, address, parent phone, school enrolment.
Audit trail
Every change to a child's record, every route override, every parent contact change is logged with the user, timestamp, and reason. Audit logs are retained for the life of the tenant and exported to operators on request.
Append-only event log · 7-year retention · operator-exportable.
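The audit trail described above, as an added example of how the append-only property can be enforced inside Postgres rather than trusted to application code (illustrative, not Trayvar's schema: the audit_log and children tables, the app.actor and app.reason settings and the trigger names are assumptions). The actor and reason are mandatory columns, so a change that arrives without them is rejected rather than logged incompletely.

```sql
-- Added example (not Trayvar's schema); Postgres 11 or later.
-- Minimal table being audited (constructed for this example).
CREATE TABLE children (
    id         bigserial PRIMARY KEY,
    tenant_id  uuid NOT NULL,
    full_name  text NOT NULL,
    school     text NOT NULL
);

CREATE TABLE audit_log (
    id          bigserial   PRIMARY KEY,
    tenant_id   uuid        NOT NULL,
    actor       text        NOT NULL,                 -- who made the change
    occurred_at timestamptz NOT NULL DEFAULT now(),   -- when
    entity      text        NOT NULL,                 -- e.g. 'child', 'route'
    entity_id   bigint      NOT NULL,
    action      text        NOT NULL CHECK (action IN ('insert', 'update', 'delete')),
    reason      text        NOT NULL CHECK (length(reason) > 0),  -- why, always
    old_row     jsonb,
    new_row     jsonb
);
-- audit_log should carry the same tenant RLS policy as the tables it covers.

-- Refuse in-place edits, deletes and truncation regardless of who asks.
CREATE FUNCTION audit_log_immutable() RETURNS trigger AS $$
BEGIN
    RAISE EXCEPTION 'audit_log is append-only (% rejected)', TG_OP;
END;
$$ LANGUAGE plpgsql;

CREATE TRIGGER audit_log_no_rewrite
    BEFORE UPDATE OR DELETE ON audit_log
    FOR EACH ROW EXECUTE FUNCTION audit_log_immutable();

CREATE TRIGGER audit_log_no_truncate
    BEFORE TRUNCATE ON audit_log
    FOR EACH STATEMENT EXECUTE FUNCTION audit_log_immutable();

-- Record every change to children. The application supplies the actor and
-- reason per transaction; if either is missing the NOT NULL constraint
-- aborts the whole transaction, so no unexplained change can land.
CREATE FUNCTION children_audit() RETURNS trigger AS $$
DECLARE
    r children%ROWTYPE;
BEGIN
    IF TG_OP = 'DELETE' THEN r := OLD; ELSE r := NEW; END IF;
    INSERT INTO audit_log (tenant_id, actor, entity, entity_id, action, reason, old_row, new_row)
    VALUES (
        r.tenant_id,
        current_setting('app.actor', true),
        'child',
        r.id,
        lower(TG_OP),
        current_setting('app.reason', true),
        CASE WHEN TG_OP = 'INSERT' THEN NULL ELSE to_jsonb(OLD) END,
        CASE WHEN TG_OP = 'DELETE' THEN NULL ELSE to_jsonb(NEW) END
    );
    RETURN NULL;  -- AFTER trigger: return value is ignored
END;
$$ LANGUAGE plpgsql;

CREATE TRIGGER children_audit_trail
    AFTER INSERT OR UPDATE OR DELETE ON children
    FOR EACH ROW EXECUTE FUNCTION children_audit();

-- Constructed usage: a change with its actor and reason attached.
BEGIN;
SET LOCAL app.actor  = 'ops.user@example.invalid';
SET LOCAL app.reason = 'parent reported house move';
INSERT INTO children (tenant_id, full_name, school)
VALUES ('11111111-1111-1111-1111-111111111111', 'Constructed Child A', 'School A');
UPDATE children SET school = 'School B' WHERE full_name = 'Constructed Child A';
COMMIT;

-- Any attempt to rewrite history is refused:
-- UPDATE audit_log SET reason = 'edited' WHERE id = 1;
-- ERROR:  audit_log is append-only (UPDATE rejected)
```

Retention and export then operate on this table only by reading it; the deletion commitment for offboarded tenants is the one case that needs a separate, privileged path (a role that owns the table and drops the trigger, or a scheduled job running as that role), which is itself worth logging.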
What we've committed to
Specific commitments, not security marketing.
Annual penetration test
An independent security firm conducts a full application and infrastructure penetration test annually. Findings are remediated within agreed SLAs. Summary reports are available to enterprise customers on request.
Vulnerability disclosure
Researchers and customers can report vulnerabilities to info@carthenaadvisory.com. We acknowledge within 24 hours and triage within 5 working days. Critical findings are remediated within 14 days.
Sub-processor list
Full list of sub-processors (hosting, email, WhatsApp, analytics) maintained and shared with operators on request. We notify operators 30 days before adding any new sub-processor that handles operating data.
Incident response
If a security incident occurs that affects an operator's data, we notify the operator within 72 hours of discovery, share what we know, and update as the investigation progresses.
Data portability
Operators can export their full tenant data - children, routes, journeys, reporting - in machine-readable CSV format at any time. No lock-in. No additional charges for export.
Right to deletion
When a tenant offboards, all operating data is hard-deleted within 30 days. Audit logs retain only the fact of deletion - no personal data persists beyond the retention period.
Honest posture
What we don't claim, yet.
Trayvar is not yet SOC 2 or ISO 27001 certified. The platform is too young to have completed the audit cycle. We follow the practices the certifications require, and we'll pursue formal certification once customer volume makes it material.
We are not yet GDPR-certified for EU residency requirements. Trayvar operates in markets where GDPR doesn't formally apply, but our default stance is to handle child data to the standards GDPR would require - even where the regulator wouldn't require it.
If your school's legal or compliance team needs a specific certification before contracting, tell us. We can sequence the audit work to your timeline.
Security questions before contracting?
We answer them directly. No security questionnaire is too long; no compliance requirement is dismissed.
Talk to us about security