Handle With Care Portal

SECURITY OVERVIEW

Last updated July 12, 2026

This page describes how Cubic Insights LLC ("we," "us," or "our") secures Handle With Care Portal, available at https://www.handlewithcare.app(the "Services"). It is written to be specific about what we actually do. If anything here is unclear, or you need more detail for a security review, email us at support@handlewithcare.app and you will get a direct answer.

OUR APPROACH

Handle With Care Portal exists to route notices about children who may have been exposed to traumatic events to the schools that can support them. Information about children is the baseline threat model for every design decision, not an edge case. We do not currently hold a third-party certification or attestation (such as SOC 2 or ISO 27001); we would rather tell you that plainly than imply otherwise.

The Services are not intended to receive or store Protected Health Information or medical records. Notices must not include medical, diagnostic, or treatment information, and the notice form by design collects no incident details.

DATA MINIMIZATION BY DESIGN

The most effective way to protect sensitive data is not to hold it in the first place. Two product decisions follow directly from that:

  • No incident narratives.A notice records that a child may have been exposed to a traumatic event — the child's name, age, gender, school, and incident date — and, by design, nothing about what happened. The notice form has no description field, so incident details, medical information, and case narratives are never collected or stored.
  • Automatic de-identification of resolved notices.When a notice is resolved, the child's name, age, and gender are automatically removed from the record and replaced with a one-way cryptographic hash used solely to detect duplicate submissions. Identifiable information exists in a notice only for as long as it is needed to route support.

DATA PROTECTION

  • Encryption in transit. All connections to the Services are encrypted with TLS (HTTPS).
  • Encryption at rest. Data is stored encrypted at rest in our database and file storage infrastructure.
  • US hosting. The Services are hosted in the United States on Vercel, with data stored in a managed PostgreSQL database operated by Supabase in US regions.
  • State-level tenant isolation.Each state program is a separate tenant, and isolation is enforced in our request middleware: a user's requests are scoped to their own state, and users in one state program cannot access another state's data.
  • Role-based access hierarchy.Within a state, access follows the program hierarchy — state, county, district, and school — so administrators see only the notices and records within their assigned scope.

APPLICATION SECURITY

  • Authentication. Accounts are invite-only; there is no self-serve signup. Sign-in is via email and password (with a 12-character minimum password length), emailed magic links, or emailed one-time codes. Passwords are stored hashed, never in plain text.
  • Audit logging.The Services maintain audit logs of significant events — including notice creation, assignment, resolution, and deletion, user invitations and deactivations, and bulk data operations — and program administrators can review this activity log directly in the application.
  • Least-privilege internal access. Internal access to production systems and data is restricted to what is needed to operate and support the Services.
  • Development practices. Every deployment passes automated type checks at build time, we maintain automated unit and end-to-end test suites that we run against changes, and we keep third-party dependencies up to date.

AVAILABILITY AND BACKUPS

Our managed database infrastructure performs automated backups, and we maintain recovery procedures so that we can restore service and data if something goes wrong. We monitor the Services for errors and availability issues. We do not publish uptime percentages or contractual recovery-time guarantees on this page; if your program needs contractual availability commitments, contact us at support@handlewithcare.app.

INCIDENT RESPONSE

We monitor the Services with error tracking and internal alerting so problems surface quickly. If we confirm a security incident affecting your data, we will notify affected Program Sponsors and, where appropriate, participating institutions and account holders without undue delay, consistent with applicable law and the terms of the applicable program agreements. Notifications will describe what happened, what data was involved, and what we are doing about it.

SUBPROCESSORS

We use a small, deliberately short list of third-party service providers to run the Services, and we bind them to data-protection obligations consistent with our Privacy Policy. The current list, including what each provider does and what data it handles, is published at /subprocessors.

RESPONSIBLE DISCLOSURE

If you believe you have found a security vulnerability in the Services, please report it to support@handlewithcare.appwith enough detail for us to reproduce the issue. We will acknowledge your report, investigate, and remediate confirmed issues promptly. We welcome good-faith security research, and we will not pursue legal action over research that meets all of the following conditions: the research is conducted solely to identify a vulnerability and report it to us; it does not access, modify, or destroy other users' data and does not degrade the Services; you give us a reasonable opportunity to remediate before any public disclosure; and you do not retain, use, or disclose any data or non-public information obtained in the course of the research.

This safe harbor applies only to good-faith security research as described above. It does not authorize competitive analysis, reverse engineering for any purpose other than identifying a vulnerability to report to us, or any use of the Services, their content, or research findings for competitive purposes, and it does not waive any of our rights under our Terms of Service or Responsible Use Policy. We do not currently operate a paid bug bounty program.

QUESTIONS

Security questionnaires, procurement reviews, and any other questions about this page can be sent to support@handlewithcare.app.