Legal & Policy Center

Security Practices Summary

v2.0

Effective Date: [EFFECTIVE DATE] Last Updated: [LAST UPDATED] Version: 2.0

This summary describes the security measures KidStarter uses to protect the Service, User data, and — most importantly — the safety and privacy of Students. This is a summary for transparency purposes and does not constitute a guarantee of absolute security. No system is perfectly secure.

1. Security Architecture

1.1 Encryption

  • In Transit: All data transmitted between Users and the Service is encrypted using TLS 1.2 or higher. We enforce HTTPS across all endpoints.
  • At Rest: Personal Data and sensitive data (including verification evidence) is encrypted at rest using AES-256 or equivalent.
  • Payment Data: Full payment card numbers are never transmitted to or stored by KidStarter. Payment processing is handled by PCI DSS Level 1 certified processors.

1.2 Access Controls

  • Role-Based Access Control (RBAC): Access to systems, data, and administrative functions is restricted based on role and the principle of least privilege.
  • Multi-Factor Authentication (MFA): Required for all administrative and moderation access.
  • Segregated Access: Verification evidence and private Student data are stored in segregated, restricted-access environments.
  • Audit Trails: All access to sensitive data and administrative actions are logged.

1.3 Infrastructure

  • Hosted on reputable, SOC 2 Type II / ISO 27001 certified cloud infrastructure providers.
  • Network segmentation and firewall rules to limit exposure.
  • DDoS protection and rate limiting.
  • Automated backups with tested restoration procedures.
  • Disaster recovery and business continuity planning.

2. Application Security

  • Secure software development lifecycle (SSDLC) practices;
  • Code reviews with security-focused checklist;
  • Dependency scanning for known vulnerabilities;
  • Input validation and output encoding to prevent injection and XSS attacks;
  • CSRF protection;
  • Content Security Policy (CSP) headers;
  • Regular security testing (see Section 4).

3. Employee and Contractor Security

  • Background checks for employees and contractors with access to sensitive data (to the extent permitted by law);
  • Mandatory security awareness training upon onboarding and annually thereafter;
  • Mandatory child safety training for all staff with access to Campaign content or Student data;
  • Confidentiality and data protection agreements;
  • Principle of least privilege applied to all personnel;
  • Prompt access revocation upon role change or departure.

4. Security Testing

  • Vulnerability Assessments: Regular automated vulnerability scanning of infrastructure and application.
  • Penetration Testing: Independent third-party penetration testing conducted at least annually, with remediation of critical and high-severity findings prioritized.
  • Continuous Monitoring: Security monitoring and alerting for anomalous activity, unauthorized access attempts, and policy violations.

5. Vulnerability Disclosure / Responsible Disclosure

KidStarter operates a responsible disclosure program. If you discover a security vulnerability in the Service, please report it responsibly:

  • Email: [SECURITY EMAIL, e.g., security@kidstarter.com]
  • Please include: a description of the vulnerability, steps to reproduce, and your contact information.
  • Do not access, modify, or delete data belonging to other Users.
  • Do not publicly disclose the vulnerability before we have had a reasonable opportunity to investigate and remediate.

We commit to:

  • Acknowledging receipt within 3 business days;
  • Providing an initial assessment within 10 business days;
  • Working in good faith to resolve confirmed vulnerabilities promptly;
  • Not taking legal action against security researchers who act in good faith and comply with this program.

[If you operate a formal bug bounty program, include the link and program details here.]

6. Incident Response

KidStarter maintains documented incident response procedures. See the Incident Response & Breach Notice Summary for details.

7. Certifications and Compliance Roadmap

Standard/CertificationStatus
PCI DSS (via payment processor)Compliant (processor-level)
SOC 2 Type II[In progress / Planned for [DATE] / Achieved]
ISO 27001[Planned / Under consideration]
GDPR ComplianceImplemented
UK GDPR / ICO Children's CodeImplemented
COPPA ComplianceImplemented (by design)

[Update this table with your actual certification status before publication.]

8. Third-Party Security

  • All third-party service providers that process Personal Data on our behalf undergo security and privacy assessments.
  • Third-party providers are bound by data processing agreements with security obligations.
  • We maintain a registry of subprocessors (see DPA).

9. Contact

Security Issues: [SECURITY EMAIL] Privacy Inquiries: [PRIVACY EMAIL] General Support: [SUPPORT EMAIL]

help.title

Getting Started
Sign Up/registerFull Guide (PDF)
Create an account at /register. Choose your role: Donor (support students), Teacher (create campaigns for students), Parent/Guardian (create campaigns for your child), Corporate Sponsor (sponsor schools and campaigns), or Charity (collect tax-exempt donations). Your role determines which dashboard features you see.
💡 Tip: Use your school email address if you have one — it speeds up organization verification later.
Onboarding Wizard/onboarding
After registration, the onboarding wizard walks you through 4 steps: select your role, link your school/organization, choose a plan (Free, Teacher, or School), and confirm. You can skip and return later.
📝 Example: A teacher at Lincoln Elementary would: 1) Select "Teacher", 2) Search "Lincoln Elementary" in the org directory, 3) Choose the Free plan, 4) Confirm and land on their Creator Dashboard.
Plans & Pricing/pricing
KidStarter offers three plans: Free (1 campaign, basic features), Teacher Starter ($5/mo — up to 10 campaigns, share kit, priority review), and School Plan ($20/mo — multi-teacher, school dashboard, bulk tools). All plans include Stripe payments and donation receipts (tax-exempt receipts for charity-backed campaigns).
📈 Benchmark: Similar platforms charge 5–8% platform fees. KidStarter charges 0% platform fee — only Stripe's standard 2.9% + $0.30 processing fee applies.
Language Switcher
KidStarter supports 8 languages: English, Portuguese, Spanish, Hungarian, French, German, Slovak, and Czech. Click the flag icon in the top navigation bar to switch. Your preference is saved in a cookie and persists across sessions.
💡 Tip: The language auto-detects from your browser settings on first visit. Override it anytime with the flag switcher.
Campaigns
Creating a Campaign/dashboard/creatorFull Guide (PDF)
Navigate to your Creator Dashboard (/dashboard/creator) and click "Create Campaign". Fill in: student first name + last initial, their story, funding goal, category (STEM, Arts, Sports, Tuition, Supplies, General), and optionally upload a hero image.
📊 Impact: New campaigns enter DRAFT status. They become publicly visible only after passing moderation review (PENDING_REVIEW → APPROVED). Rejected campaigns can be edited and resubmitted.
⚠ Watch Out: Never include a student's full name, address, or other PII in the campaign story. Our moderation team will reject campaigns with identifying information.
Campaign Status Flow
Every campaign moves through a lifecycle: DRAFT (created, not submitted) → PENDING_REVIEW (submitted, awaiting moderator) → APPROVED (live, accepting donations) → FUNDED (goal reached) → COMPLETED (funds disbursed). Campaigns can also be REJECTED (with reason) or PAUSED (temporarily hidden).
📝 Example: Maria's campaign was created on Monday (DRAFT), submitted Tuesday morning (PENDING_REVIEW), approved Tuesday afternoon (APPROVED), reached its $500 goal by Friday (FUNDED), and funds were disbursed the following week (COMPLETED).
Campaign Verification
Every campaign must be verified before going live. Upload evidence of school affiliation: enrollment letter, school ID, teacher badge, or guardian consent form. These documents are reviewed privately by the moderation team and never shown publicly.
📈 Benchmark: GoFundMe has no verification for education campaigns. DonorsChoose requires teacher accounts only. KidStarter verifies both the creator AND the student's school enrollment.
💡 Tip: Campaigns with clear, scanned documents get approved faster than blurry phone photos.
Share Kit
Each approved campaign gets a Share Kit: pre-generated images (square for social, story for Instagram/WhatsApp, QR code for print), one-click share buttons (WhatsApp, Email, X, LinkedIn, Facebook), and a copyable campaign link. The post-donation share prompt is your highest-converting tool.
📊 Impact: Campaigns that are actively shared raise 3–5x more than those that aren't. Each share can generate 2–5 additional donations on average.
💡 Tip: Share within the first 48 hours of approval for maximum momentum. Post the QR code in your school's physical spaces.
Campaign Updates
Post updates to your campaign with text and photos showing the impact of donations. Updates appear on the campaign page and notify past donors. Go to your campaign page → "Post Update" section.
💡 Tip: Post an update with a photo within 1 week of receiving funds. Donors who see impact updates are 4x more likely to donate again.
Donations
Making a DonationFull Guide (PDF)
Click "Donate Now" on any campaign. Choose a preset amount or enter a custom one (minimum $1). Enter your name (optional — leave blank for anonymous) and email (for receipt). You're redirected to Stripe's secure checkout page.
💡 Tip: You don't need an account to donate. But creating one lets you track your donation history and get tax center access.
Donation Receipt/receipt
After donating, you receive a receipt token (e.g. "abc123def"). Save this! You can look up your receipt anytime at Donors → Receipt Lookup (/receipt). The receipt shows: amount, date, campaign, and a unique token. For charity-backed campaigns, the receipt also displays the charity name, tax ID, and a "Tax-Exempt Donation" badge.
Tax Center/tax-center
The Tax Center (/tax-center) provides information about tax deductibility of donations, including FAQs about charity-backed campaigns, tax-exempt receipts, and how to use your receipt for tax claims. Donations to charity-backed campaigns generate tax-exempt receipts with the charity's name and tax registration number.
⚠ Watch Out: KidStarter provides general tax information only. We are not tax advisors. Consult a qualified professional for your specific situation.
Organizations
Organization Directory/organizations
The public directory (/organizations) lists all registered schools, nonprofits, and corporate partners. Each org shows: name, type, country, verification status, member count, and active campaigns. Users can search, filter by country, and claim membership.
Claiming an Organization
If your school or org is already in the directory, click "Claim" on its page. You'll need to verify via your institutional email address (e.g. name@lincoln-elementary.edu). Once verified, you're linked to the org and can create campaigns under it.
📝 Example: Ms. Chen searches "Lincoln Elementary", finds it in the directory, clicks Claim, enters her school email, receives a verification code, and is now linked as a member.
Admin — Discovery & Enrichment
Discovery Console/dashboard/admin/discovery
The Discovery Console (/dashboard/admin/discovery) is the admin tool for finding, scraping, and enriching organization data. Access it from the Admin Dashboard → "🔍 Discovery Console" button. It shows all organizations in a table with enrichment status.
Seed Organizations
Click "Seed Organizations" to populate the directory with sample schools and partners. This creates org entries with names, types, countries, and website URLs. Useful for initial setup or demo purposes. You can also add orgs manually via /organizations or the API.
💡 Tip: For production, import real school data via CSV or the API at POST /api/organizations instead of using the seed function.
Web Scraper / Enrichment
The enrichment engine scrapes an organization's website and extracts structured data. Click "Enrich" next to any org with a website URL. The scraper fetches the page HTML (15-second timeout) and extracts: meta description, org-level contact emails (info@, contact@, admin@ — never personal emails), social links (LinkedIn, Twitter, Facebook), and page title.
📊 Impact: Enriched organizations have more complete profiles, which builds trust with donors and helps campaigns get more visibility. Orgs with descriptions and social links get 2x more campaign views.
📝 Example: Enriching "Lincoln Elementary" (website: lincoln-elementary.edu) extracts: description from meta tag, contact@lincoln-elementary.edu from page text, LinkedIn URL from footer links, and "Lincoln Elementary School — Excellence in Education" as page title.
⚠ Watch Out: The scraper respects a 15-second timeout. If a site is slow, blocks bots, or uses heavy JavaScript rendering, the scrape may fail. Retry later or add data manually.
Enrichment Fields & Confidence
Each extracted field has a confidence score (0.0–1.0). Scores reflect extraction reliability: meta descriptions score 0.8 (reliable), emails score 0.7 (need human review), social links score 0.9 (URL pattern matching is accurate), page titles score 0.6 (may include site navigation text).
💡 Tip: Always review extracted emails before approving. Verify they belong to the actual organization, not an ad network or third-party service on the page.
Approving Enriched Fields
After scraping, review extracted fields inline. Click "Approve" to push a field to the org's public profile (description, contact email, social links). Click "Reject" to discard. Approved fields immediately update the organization's listing in the public directory.
📊 Impact: Approving a description field makes the org more discoverable in search. Approving contact emails enables the platform to send verification and notification emails to the organization.
Verifying Organizations
After enrichment, change an org's status to "Approved" to make it visible in the public directory. Unverified orgs are hidden from public view but still accessible by direct URL. Verification confirms the org is a real, legitimate institution.
📝 Example: Workflow: 1) Seed/import org with website → 2) Click Enrich → 3) Review and approve fields → 4) Change status to Approved → Org appears in public directory.
Admin — Moderation
Moderation Queue/dashboard/modFull Guide (PDF)
The moderation queue (/dashboard/mod) shows all campaigns with PENDING_REVIEW status. Moderators and Platform Admins review each campaign's story, student info, evidence documents, and funding goal before approving or rejecting.
Reviewing a Campaign
Click a campaign in the queue to see full details: student first name + last initial, story text, category, goal amount, hero image, and uploaded verification evidence. Check for: specific and verifiable need, appropriate goal amount, valid school affiliation, no PII exposed.
⚠ Watch Out: Red flags: vague or generic stories, unusually high goal amounts (>$5,000 for individual students), no school affiliation, duplicate content from other campaigns, or requests for cash rather than specific items/services.
Approve / Reject / Pause
Approve makes the campaign live and publicly visible. Reject returns it to the creator with a reason code — they can edit and resubmit. Pause temporarily hides an approved campaign (preserving data) if issues arise post-approval. All actions are logged in the audit trail.
💡 Tip: When rejecting, select a specific reason code. "Insufficient evidence" is more helpful than "Rejected" — it tells the creator exactly what to fix.
Admin — Analytics
Admin Dashboard/dashboard/adminFull Guide (PDF)
The Admin Dashboard (/dashboard/admin) shows platform-wide metrics: total raised, total donations, active campaigns, pending reviews, total users, and a 7-day donation chart. Quick actions: Discovery Console, Guides, and Finance CSV Export.
Finance CSV Export
Click "📊 Export Finance CSV" on the Admin Dashboard to download a CSV of all donations with: date, amount, donor email, campaign, status, Stripe payment ID. Useful for accounting, reconciliation, and tax reporting.
⚠ Watch Out: The export contains donor emails (PII). Handle in accordance with GDPR and your data protection policy. Do not share publicly.
Corporate Sponsorship
Sponsor Program/dashboard/sponsorFull Guide (PDF)
Corporate sponsors create programs with a budget, target regions, and categories. Programs can be: Direct Sponsorship (fund specific campaigns), School Adoption (pledge to a school), or Matching (match community donations). Managed at /dashboard/sponsor.
Adopt-a-School/dashboard/sponsor/adopt
From /dashboard/sponsor/adopt, a corporate sponsor selects a school from the org directory and pledges a funding amount. This creates a SchoolAdoption record. The sponsor can then allocate funds to specific campaigns at that school, track spending vs budget, and export impact reports.
📝 Example: TechCorp adopts Lincoln Elementary with a $10,000 annual budget. They allocate $2,500 to "Laptops for CS Lab", $1,500 to "Art Supplies Room 204", and keep $6,000 for future campaigns. The Sponsor Dashboard shows 40% allocated, 60% remaining.
Vendor Partners
Vendor Portal/dashboard/vendor
Vendor partners (meal providers, school supply companies) manage their offers at /dashboard/vendor. They create voucher codes that students can redeem at participating locations. Vouchers are funded from campaign budgets.
Meal Vouchers
Meal vouchers are codes (e.g. "LUNCH-A3F2") redeemable at vendor locations for student meals. Created by vendors, funded from campaign budgets, distributed to students. Each voucher has: amount, expiry date, student assignment, and redemption status.
📝 Example: A campaign raises $200 for student meals. The creator purchases 40 × $5 meal vouchers from FoodPartner. Each student receives a code they show at the cafeteria. The vendor marks codes as redeemed, and the dashboard shows redemption rates.
Platform Settings
Trust & Safety/trust-safety
KidStarter's trust and safety page (/trust-safety) explains: campaign verification process, PII protection, payment security (Stripe PCI-DSS), content moderation, and reporting mechanisms. Every campaign shows a "Verified" badge after passing review.
User Roles
Platform roles: DONOR (browse, donate), CREATOR_TEACHER (create campaigns, post updates), CREATOR_GUARDIAN (create campaigns for their child), ORG_SCHOOL_ADMIN (manage school-wide campaigns), CORPORATE_ADMIN (manage sponsor programs), CHARITY_ADMIN (manage charity, enable tax-exempt receipts), MODERATOR (review campaigns), PLATFORM_ADMIN (full access), FINANCE_OPS (financial exports and reporting). Roles are assigned during registration or by admins.
💡 Tip: Users can have only one role. To change a user's role, a Platform Admin must update it from the Admin Dashboard user management section.