1. Scope
This policy covers the DaycareLogix service and the daycarelogix.com website. For our security architecture (tenant isolation, role-based access, and the tamper-evident audit log), see the Security page and the Trust Center.
2. How to report
Email security@daycarelogix.com with a description of the issue, the affected component, steps to reproduce, your assessment of impact, and a proof-of-concept if you have one. We acknowledge reports, keep you informed as we validate and remediate, and credit researchers who want it. We do not currently run a paid bug bounty.
3. Ground rules
- Act in good faith: no privacy violations, no degrading or disrupting the service.
- Never access, download, or retain records that are not yours. If a flaw exposes real care records, stop at the minimum proof needed and report immediately. These are records about children and vulnerable adults.
- Test only against trial accounts and data you created; no automated scanning that creates significant load.
- No social engineering of our staff or our customers’ staff.
- Coordinate public disclosure timing with us; we ask for a reasonable window to remediate.
4. Safe harbor
If you follow this policy in good faith, we will not pursue legal action against you for your research. This safe harbor does not extend to actions that violate the ground rules above or to research against our customers’ systems and accounts without their authorization.
5. Machine-readable policy
This policy is referenced from /.well-known/security.txt per RFC 9116.
6. Contact
Security reports: security@daycarelogix.com · General: hello@daycarelogix.com