Trust

Security, plainly.

A lot of SaaS companies use this page to wave shiny certifications. We're a small team — we'd rather tell you exactly what's true, and what isn't yet.

Last updated · April 18, 2026

What we do today

  • TLS in transit. Every byte between your browser and our servers is encrypted with TLS. The entire site is HTTPS-only — no http fallback, no mixed content.
  • Access control. Only the handful of Diplomare engineers who run the service can touch production data, and access is logged.
  • Authentication. Passwords are hashed with bcrypt. Sessions are stored server-side and expire automatically.
  • Encrypted backups. Database snapshots are encrypted before they leave the server.
  • Secrets hygiene. Credentials never live in source control. Production secrets are stored in an environment file on the host, restricted to the app user.
  • Principle of least data. We collect only what the product needs. No ad SDKs, no session replay, no third-party analytics pixels.
  • AI privacy. Our AI features use the Anthropic Claude API, which does not train on your inputs under our default configuration. We haven't opted into any training program.

What we don't claim

Because we'd rather be early-trustworthy than late-sorry:

  • We are not SOC 2 certified. That's a multi-month audit with serious cost attached, and we'll pursue it when we serve customers who require it (schools, districts, enterprise counselor offices).
  • We don't currently advertise field-level or at-rest encryption beyond backups — if that matters to your family, email us and we'll walk you through exactly what we do.
  • We're not FERPA-covered — FERPA generally applies to schools, not direct-to-parent services. We follow COPPA (children's privacy) and relevant state consumer privacy laws.

Children's privacy (COPPA)

Diplomare is designed for a parent to manage on behalf of their family. For any user under 13, we require verifiable parental consent before creating a profile. Parents can review, export, or delete their child's data at any time.

Data you control

  • Export. You can export your family's data to JSON or CSV from inside the app any time.
  • Delete. You can delete individual students or the whole account. See what goes away first with the deletion-preview screen.
  • Share links. Counselor and grandparent sharing is read-only, revokable, and optionally time-limited.

Incident response

If we discover a security incident that affects your data, we will tell you. Our commitment: notification within 72 hours of confirmation, in plain English, with concrete steps you can take. We won't bury it in a PDF.

Reporting a vulnerability

If you've found a security issue, please email us before publishing anything. We'll acknowledge within one business day, triage within a week, and keep you posted until it's fixed. We don't yet run a formal bounty program, but we happily credit reporters in our release notes.

hello@daddiorobotics.net — subject line “Security report.”

Questions we get often

“Is my kid's essay going to train some AI model?”

No. The Anthropic Claude API doesn't train on your inputs under our default configuration. We've confirmed this with Anthropic and we haven't opted in to any training program. Your student's words stay your student's words.

“Can colleges see what's in my Diplomare account?”

No. A college can only see what your student formally submits through their own admissions portal. Diplomare is a private workspace for your family.

Questions we didn't answer?

Email us — no scripted responses, just a human answer.

Email us →