
Trust, security and compliance

Schools entrust KiwiBee with data about teachers, students and families. This page explains how we protect it.

Last updated: 2026-05-23

Security overview

Every response from kiwibee.io ships with the following protections out of the box.

  • HSTS preload

    Strict-Transport-Security with the preload directive. Browsers only ever connect to KiwiBee over HTTPS.

  • Cross-origin isolation

    Cross-Origin-Opener-Policy: same-origin and Cross-Origin-Resource-Policy: same-origin block cross-window attacks.

  • Permissions Policy

    Camera, microphone, geolocation, payment, USB and interest-cohort APIs are all blocked at the browser level.

  • Clickjacking protection

    X-Frame-Options: SAMEORIGIN prevents external sites from embedding KiwiBee in an iframe.

  • MIME-type pinning

    X-Content-Type-Options: nosniff stops browsers from guessing content types.

  • Referrer policy

    Referrer-Policy: strict-origin-when-cross-origin minimizes data leaked to third-party domains.

  • Content Security Policy

    CSP is enforced via middleware with per-request nonces — no inline script can execute without an explicit nonce.

Compliance roadmap

Where we stand on each major framework today.

  • SOC 2 Type I

    Audit in flight with target completion in Q4 2026.

    Status: In progress

  • GDPR

    GDPR Data Processing Addendum (DPA) available on request for EU customers.

    Status: Available

  • FERPA

    FERPA-aligned data handling for US school customers; we act as a school official under the audited contractor exception.

    Status: Aligned

  • COPPA

    COPPA-compliant data minimization for students under 13; parent / school consent flows enforced.

    Status: Compliant

  • Vietnam Decree 13/2023

    Aligned with Vietnam's Personal Data Protection Decree, including data subject rights and breach notification.

    Status: Compliant

Sub-processors

The third-party providers we use to deliver the service.

  Provider    Purpose                                       Region
  Vercel      Web hosting & edge network                    Global edge
  Supabase    Database & authentication                     Singapore
  Anthropic   AI for the kiwibee.io chatbot                 US
  Mistral     AI for teacher tools (worksheet generation)   EU
  Google      Workspace email & Analytics                   Global

Data residency

Where customer data lives at rest.

  • Default region

    Singapore (Supabase Asia-Southeast region)

  • Enterprise options

    EU and US data residency available on request for enterprise school customers.

Vulnerability disclosure

Found a security issue? We'd love to hear from you.

  • Acknowledgement

    Within 24 hours

  • Initial response

    Within 7 days

  • Coordinated disclosure

    90 days from initial report

Need our SOC 2 letter, DPA or sub-processor list?

Procurement, security or DPO teams can reach our team directly for evidence packs and questionnaires.