Security.
Your family’s information is precious. Every product decision begins with a single question: Does this keep our members’ data safe and private? Below is a high‑level overview of the safeguards we have in place today and the commitments we’re making for the future—nothing more, nothing less.
Data Protection & Encryption
Data at rest – All customer data—documents, profiles, session history—is encrypted with AES‑256.
Data in transit – Every connection uses TLS 1.2+ with automatic certificate rotation.
Secure video sessions – Coaching calls run on WebRTC with end‑to‑end encryption on peer‑to‑peer calls and hop‑by‑hop encryption through our media servers for larger groups. With your explicit consent, sessions may be recorded for later review; recordings are encrypted at rest and visible only to you and your coach, and you may request deletion at any time.
Key management – Encryption keys and application secrets are stored in a dedicated secrets manager, rotated on a fixed schedule, and never committed to source control.
Application & Infrastructure Security
Environment isolation – Production, staging, and developer environments are completely separated. Engineers work in dev environments and do not manipulate live customer data.
Secure release pipeline – All code changes pass automated tests, static analysis, and peer review before promotion through staging to production.
Hardened cloud hosting – Workloads run on fault‑tolerant infrastructure with built‑in redundancy, firewalling, and DDoS mitigation.
Continuous monitoring – Real‑time metrics and alerts enable rapid investigation of unusual activity.
Authentication & Access Control
Single Sign‑On – Members log in with either a strong password or their existing Google / Microsoft credentials.
Session security – Inactive sessions time out automatically; any sign of token misuse triggers immediate revocation.
Least privilege – Internally, we enforce just‑enough access. Only a small, authorized group can reach production systems, and every access is logged.
Privacy & Data Ownership
Your information will never be sold or shared without explicit consent. If you choose to leave Total Family, you can request permanent deletion; live records are removed promptly and associated backups are purged within our standard retention window.
We comply with applicable U.S. privacy regulations (e.g., CCPA) and follow GDPR‑aligned practices for data minimization, purpose limitation, and subject‑access requests.
Looking Ahead
Our infrastructure providers already maintain certifications such as SOC 2 Type II and ISO 27001. As Total Family grows, we intend to pursue an independent SOC 2 audit and other attestations appropriate to our scale.
Business Continuity & Disaster Recovery
Automated, encrypted backups are taken regularly and replicated across multiple regions to help ensure data durability. Recovery procedures are documented and continually improved as our platform evolves.
Vulnerability Management & Responsible Disclosure
Dependencies are scanned daily, critical patches are applied quickly, and we engage third‑party penetration testers on a regular cadence. Security researchers can email hello@totalfamily.io; we triage every report promptly and provide safe‑harbor protection for good‑faith research.
Learn more
For additional details about how we collect, use, and retain personal data, please review our Privacy Policy and Terms of Service.
Questions?
Security is a conversation, not a checkbox. Reach us anytime at hello@totalfamily.io—we’re here to help.