Security & Compliance

📅 Last Updated: June 5, 2026 · Version 1.0 · Suoja Inc.

🛡️

COPPA Aligned

Children's Online Privacy Protection Act

Suoja is purpose-built for child protection. We do not collect personal information directly from children under 13. All child profiles are created and managed exclusively by verified parents or legal guardians.

No direct data collection from children under 13
Parental consent required for all child profiles
Guardian-only access to child incident data
Right to delete child data at any time
No behavioral advertising targeting minors

🏥

HIPAA Awareness

Health Insurance Portability & Accountability Act

Suoja does not collect, store, or process Protected Health Information (PHI) as defined under HIPAA. For healthcare organizations interested in deploying Suoja for staff or patient-facing AI monitoring, a BAA framework is in preparation.

No PHI collected by default
BAA framework in preparation — available to healthcare organizations following Suoja Inc. incorporation completion
Minimum necessary data principle applied

🏫

FERPA Alignment

Family Educational Rights & Privacy Act

Suoja is designed to support FERPA compliance for schools that deploy it. Schools interested in a pilot deployment can contact us at compliance@suoja.tech to discuss data handling requirements.

Student data not shared with third parties for commercial purposes
School-controlled data access and permissions
Parental access to student incident records
Data deletion on student unenrollment
Compatible with existing school IT policies

📋

Vendor Risk Ready

Enterprise & Government Procurement

Suoja is designed to meet the security requirements of enterprise vendor risk assessments, including those required by school districts, hospitals, and government agencies.

Security documentation available on request
Data processing agreements (DPA) available
Subprocessor list maintained and disclosed
Penetration testing roadmap in place
Incident response plan documented

Technical Controls

Security Architecture

Suoja implements multiple layers of technical security controls aligned with NIST Cybersecurity Framework guidelines.

Control Area	Implementation	Status
Data Encryption in Transit	TLS 1.2/1.3 enforced on all endpoints via HTTPS. No unencrypted HTTP connections permitted.	✓ Implemented
Password Security	Passwords hashed using bcrypt with salt rounds. Plain-text passwords never stored or logged.	✓ Implemented
Authentication	JSON Web Tokens (JWT) with 7-day expiry. Tokens signed with server-side secret. Role-based access control (RBAC) for admin, guardian, and user roles.	✓ Implemented
API Rate Limiting	100 requests per minute per IP address. Prevents brute-force and denial-of-service attacks.	✓ Implemented
CORS Policy	Strict origin allowlist. Only suoja.tech, app.suoja.tech, and admin.suoja.tech permitted. Extension origins validated separately.	✓ Implemented
Data Storage	Persistent encrypted storage on Render infrastructure. Data stored in the United States.	✓ Implemented
Extension Security	Manifest V3 compliance. Minimum permissions model. No keylogging or screenshot capture. Content Security Policy enforced.	✓ Implemented
Admin Access Controls	Separate admin authentication layer. Admin credentials not shared with user accounts. Admin actions logged.	✓ Implemented
Email Verification	6-digit time-limited verification codes (15-minute expiry) required before account activation.	✓ Implemented

Data Practices

What We Collect and Why

Minimum Necessary Principle: Suoja collects only the data required to deliver AI safety protection. We do not build behavioral profiles, sell data, or use data for advertising purposes.

Data Type	Purpose	Retention
Account credentials	Authentication and account management	Until account deletion
Incident records	Guardian alerts and dashboard reporting	12 months, then auto-deleted
Child profile data	Linking child devices to guardian accounts	Until guardian removes child profile
Content snippets	Evidence for guardian review of flagged content	12 months with incident record
Server logs	Security monitoring and debugging	90 days

Data Location: All data is stored and processed in the United States on Render's infrastructure hosted on AWS US-East.

Subprocessors: Twilio (SMS infrastructure — pending carrier approval; not currently processing user data), SendGrid (email), Anthropic (admin-side pattern modeling only — Claude is used by the Suoja team to identify emerging harm patterns from aggregated incident data; not involved in real-time user content analysis), Render (hosting). A complete subprocessor list is available upon request.

Industry Context

Operating in a Legitimate Safety Category

Suoja operates in the same legal and regulatory framework as established child safety and parental control companies including Bark Technologies, Qustodio, Circle, and Net Nanny — all of which are used by millions of families and thousands of schools nationwide.

      The legal basis for Suoja's monitoring: Parents and legal guardians have the legal right and authority to monitor their minor children's online activity, including AI platform usage. This is supported by COPPA, which requires parental consent for data collection involving children under 13, and by common law parental authority over minors.
    

For schools, Suoja operates under the "school official" exception to FERPA, allowing educational institutions to monitor student AI usage on school devices with appropriate disclosure in their Acceptable Use Policies.

For healthcare organizations, Suoja can operate under a Business Associate Agreement (BAA) where staff AI monitoring is required for compliance purposes.

Incident Response

Security Incident Response Plan

In the event of a security incident, Suoja follows a structured response process:

Detection & Containment — Identify and isolate the affected systems within 4 hours of confirmed incident
Assessment — Determine scope, affected data, and users impacted within 24 hours
Notification — Notify affected users within 72 hours as required by applicable law
Remediation — Patch vulnerabilities, rotate credentials, and implement additional controls
Post-Incident Review — Document lessons learned and update security controls

Breach Notification: In the event of a data breach involving personal information, Suoja will notify affected users and applicable regulatory authorities in accordance with applicable state and federal breach notification laws, including within 72 hours where required.

🔍 Responsible Disclosure Program

We welcome security researchers who responsibly disclose vulnerabilities. If you discover a security issue in the Suoja platform, please follow our responsible disclosure process.

01 Email your findings to security@suoja.tech

02 Include steps to reproduce and impact assessment

03 Allow 90 days for remediation before public disclosure

04 Receive acknowledgment within 48 hours

We do not pursue legal action against researchers who follow this process in good faith.

security@suoja.tech

Vendor Risk Assessment

Documentation Available to Procurement Teams

For schools, hospitals, enterprises, and government agencies conducting vendor risk assessments, the following documentation is available upon request:

Data Processing Agreement (DPA)
Business Associate Agreement (BAA) for HIPAA-covered entities
Subprocessor list with data processing locations
Security controls questionnaire (SIG Lite / CAIQ compatible)
Penetration testing summary (available Q3 2026)
SOC 2 Type II roadmap (target Q4 2026)
Privacy Impact Assessment (PIA) template
Incident response plan summary

To request any of these documents or to schedule a security review call, contact our compliance team.

Security Issues

security@suoja.tech

Compliance & Legal

legal@suoja.tech

Vendor Risk & DPA

compliance@suoja.tech