Security
Last Updated: July 2026
PointWiseSystem is used by families, teachers, homeschool educators, and individuals to manage tasks, rewards, habits, and daily routines. We take our responsibility to protect that data seriously. This page describes our security practices at a high level. For detailed questions, contact security@pointwisesystem.com.
Encryption
- All data transmitted between your device and our servers is encrypted using TLS
- All data stored in our databases and file storage is encrypted at rest
- Passwords are hashed using a strong one-way algorithm and never stored in readable form
- Payment information is handled entirely by Stripe (PCI DSS Level 1 certified). We never see or store card numbers.
Infrastructure
- PointWiseSystem runs on Amazon Web Services (AWS), hosted in the United States
- We use a serverless architecture, which eliminates entire categories of server-level vulnerabilities (no OS patching, no SSH access, no persistent attack surface)
- Credentials and secrets are stored in a dedicated secrets management service with access controls
- Multi-factor authentication is required for infrastructure access
Security Testing
- Automated security scanning runs before every production deployment
- Dependency vulnerability checks run on every deploy; known vulnerabilities are patched promptly
- Static analysis scans code for common security issues (injection, XSS, insecure patterns)
- Secret detection prevents credentials from being committed to code
- External penetration testing is planned for Q4 2026
Access Controls
- Production data access follows the principle of least privilege
- No shared credentials. Each service and operator has scoped access.
- All infrastructure API calls are logged for audit purposes
- Code changes go through a quality gate before reaching production
Incident Response
We maintain a documented incident response plan. If a security incident occurs:
- Automated monitoring detects anomalies and alerts our team
- Affected systems are isolated and credentials rotated
- Affected users are notified within 72 hours of a confirmed breach, per GDPR requirements
- A post-incident review identifies root cause and prevents recurrence
Earner Data Protection
- Earners (kids, students, or personal profiles) do not create their own accounts. Account holders manage earner profiles on their behalf.
- Earner profiles contain only first names or nicknames, optional ages, and activity data (tasks, points, rewards)
- No advertising is shown on earner-facing features
- No third-party analytics or marketing scripts load on earner-facing pages
- Account holders can delete earner data at any time from their settings
Minors (COPPA / CCPA)
When PointWiseSystem is used to manage profiles for minors under 13:
- A parent, teacher, or guardian maintains the account and provides verifiable consent by creating the earner profile
- We collect only what is needed for the service to function (name, activity data). No email, phone, or location data is collected from minors.
- No behavioral advertising or interest-based profiling targets minor earner profiles
- Parents can review, modify, or delete their child's data at any time from account settings
- We do not sell or share personal information of users under 16 (California CCPA Section 1798.120)
Where Your Data Lives
All PointWiseSystem data is stored in the United States using AWS infrastructure. We do not transfer personal data to other countries. Third-party processors (Stripe for payments, Twilio for SMS) also operate within the United States.
For a full list of sub-processors, see our Subprocessors page.
Report a Vulnerability
Responsible Disclosure
If you discover a security vulnerability, please report it to:
We acknowledge reports within 48 hours, provide a fix timeline within 7 days, and do not pursue legal action against good-faith researchers.