Security & Privacy

Your family's safety starts with how we handle your data. Here's our approach.

Infrastructure Isolation

Every QuietKite service runs on its own dedicated server instance. Your password vault, VPN tunnel, and main application never share infrastructure. Each instance has its own SSH keys, firewall rules, database, and SSL certificates.

If one service is compromised, the others remain completely isolated. This architecture exceeds COPPA's data security requirements and is designed for SOC 2 Type II readiness.

Encryption Standards

Vault: AES-256 end-to-end encryption. Zero-knowledge architecture — we cannot access your passwords.

VPN: WireGuard protocol with ChaCha20 encryption and Curve25519 key exchange. All traffic encrypted.

In Transit: TLS 1.3 on all HTTPS connections. HSTS enforced. Certificate transparency monitored.

At Rest: Encrypted backups pushed daily to isolated S3 storage with server-side encryption (SSE-S3).

Zero-Log VPN Policy

Our VPN server stores absolutely no user activity data:

  • No browsing history or traffic data
  • No connection timestamps
  • No source or destination IP addresses
  • No DNS queries
  • No bandwidth usage tracking
  • No child data of any kind

System logs are purged hourly. WireGuard kernel logging is disabled. Only public keys and internal IP assignments are retained for tunnel authentication.

COPPA 2026 Compliance

QuietKite is fully compliant with the FTC's amended COPPA Rule (effective June 23, 2025, compliance deadline April 22, 2026):

  • Verifiable parental consent required before any child data collection
  • Separate consent for third-party disclosures (we have none — no ads, no data sharing)
  • Written information security program with designated security coordinator
  • Data retention policy: retain only what is necessary, delete when purpose is fulfilled
  • Expanded personal information definition coverage (biometrics, device IDs, geolocation)
  • Parent dashboard for reviewing, deleting, or refusing further data use
  • Annual risk assessments and regular security testing

GDPR & International Compliance

For EU families, QuietKite complies with GDPR Article 8 (GDPR-K) requirements:

  • Age verification before data collection from minors under 16 (or lower per member state)
  • Parental consent verification using reasonable methods
  • Right to access, rectify, erase, and port personal data
  • Privacy-by-default settings for all child accounts
  • Clear, child-friendly privacy notices in plain language
  • Data protection impact assessments for high-risk processing