What the service holds
A care program running on DaycareLogix stores enrollment and family records, attendance, daily care documentation, medication administration records, CACFP meal counts and claims, billing, and staff records. That mix of children’s records, health-adjacent data, and money is why security here is architectural, not aspirational. Every claim below is about how the system is constructed, and the ones about certification are verifiable at the registry we link.
Certifications & assessments
We document our security posture in the open, through the Cloud Security Alliance’s public registry, verifiable at the source rather than taken on our word:
- CSA STAR Registry: EvolvLabs, LLC. Our company is listed on the Cloud Security Alliance’s STAR Registry with Level 1 self-assessments: a CAIQ (Consensus Assessments Initiative Questionnaire) against the Cloud Controls Matrix, and an AI-CAIQ against the AI Controls Matrix.
- DaycareLogix-specific CAIQ. A CAIQ self-assessment scoped to the DaycareLogix service is being prepared for the same registry entry.
Need a security package, questionnaire answers, or architecture detail for a procurement review? Email security@daycarelogix.com. We answer CAIQ-style questionnaires directly.
How the product is built
These controls are described in more depth on the Security page; they are construction decisions, not configuration options.
- Strict tenant isolation. Global query filters scope every record to its tenant; background jobs and the check-in kiosk pass explicit tenant and facility scope, never an ambient default.
- Role-based access control. Six roles (owner, facility director, CACFP coordinator, classroom staff, auditor, family) enforced by server-side authorization policies in the API and command handlers. Access is never the client’s decision.
- Tamper-evident audit log. Every auditable change emits an append-only entry with hashed before/after state, so the history shown to an auditor cannot be quietly rewritten.
- Sensitive-field gating. Classifications such as CACFP eligibility category and income basis render only for roles holding the permission, and are masked for everyone else.
- Server-authoritative enforcement. Locks, permissions, and masking are enforced server-side; the UI only reflects them. A locked claim stays locked no matter what a browser does.
- Accessibility as a control. WCAG 2.1 AA contrast and semantics throughout. State is never encoded by color alone.
Framework alignment
Where our controls map to the frameworks buyers ask about, each one built into the product’s design.
| Framework | Where we align today |
|---|---|
| SOC 2 | Access control, tenant isolation, append-only audit logging, change traceability. |
| ISO 27001 | Role-based access, least-privilege defaults, server-side authorization, logging. |
| HIPAA | Access controls, audit trails, and field-level masking relevant to health-adjacent records. Covered entities: contact us about a BAA before storing PHI. |
| CACFP / state licensing | Point-of-service capture, meal-pattern validation, claim locking, and sponsor review, built for the audit, not retrofitted. |
| GDPR / CCPA | Customer-as-controller model: programs own their records; we process only to provide the service. See the Privacy Policy. |
Shared responsibility
Security of a care program on DaycareLogix is a partnership. The split:
- EvolvLabs owns: application security and architecture, tenant isolation, access-control enforcement, audit-log integrity, vulnerability response (see Responsible Disclosure), and the security of our corporate systems.
- Your program owns: who gets which role and deactivating departed staff, the consents and accuracy of the records you enter, the devices and networks your staff use, and your obligations to licensors, sponsors, and families.
Website infrastructure
This marketing website is a static site served by Cloudflare with TLS everywhere; it holds no care records and accepts none. The service is operated separately from the website, and access to production systems is restricted to authorized EvolvLabs personnel.
Questions
Security reviews and questionnaires: security@daycarelogix.com · Everything else: hello@daycarelogix.com