๐Ÿ” Cybersecurity

How Secure Is Your Childcare App? A Vendor Vetting Guide for Directors

Your parent-communication app holds children's photos, medical notes, and every family's contact details. Here's how to make sure the vendor behind it deserves that trust.

By Eshan de Silva ยท ยท 9 min read

When security researchers found a misconfigured database belonging to LineLeader โ€” a CRM platform used by preschools and daycare centers โ€” it was sitting on the open internet with no password, exposing roughly 140,000 records of parents and children. No sophisticated hack, no ransomware gang. Just a database someone forgot to lock. That story should change how every childcare director thinks about the apps their center depends on: the question isn't whether these tools are convenient. It's whether the company behind them treats your families' data with the care you would.

This guide walks through what your childcare apps actually hold, what tends to go wrong, the questions to put to any vendor before you sign, and the settings you control on your own side. It's written for directors, not IT people โ€” no jargon required.

Quick note: This article is general guidance, not legal advice. Privacy and breach-notification rules change and every center's situation is different โ€” confirm specifics with your attorney or licensing analyst before making decisions.

What your childcare apps actually know

Add up everything flowing through a typical parent-communication or center-management platform and it's startling: children's full names, birthdates, and daily photos; allergy and medication notes; nap and feeding logs; parents' phone numbers, home addresses, and work schedules; authorized-pickup lists; sometimes tuition payment details. A single account often contains enough information to know exactly where a specific child will be, at what time, and who is allowed to collect them.

That's why childcare data is uniquely sensitive โ€” and why independent researchers who have analyzed daycare apps keep raising the same concerns: apps requesting more device permissions than they need, and sharing user and device data with third-party analytics and advertising services that never appear in the privacy policy. The vendor's marketing page will always say "security is our top priority." Your job is to check.

How childcare app data actually leaks

Three patterns cover most real-world incidents:

  • Vendor misconfiguration. The LineLeader exposure โ€” reported by Cybernews โ€” was an unsecured database, one of the most common causes of data leaks anywhere. You can't prevent a vendor's mistakes, but you can choose vendors who submit to independent security audits.
  • Quiet third-party sharing. Some apps embed trackers that send usage and device data to analytics or ad companies. It's rarely disclosed plainly. For apps used around children's data, that's a red flag worth asking about directly.
  • Account takeover on your side. The most common breach at small centers isn't the vendor at all โ€” it's a staff password reused from another site, phished, or shared on a sticky note. If one login opens every child's record, one stolen password is a full breach.

Eight questions to ask before you sign (or renew)

Send these to the vendor in writing โ€” sales email is fine. A trustworthy company answers all eight quickly and specifically. Vague answers, or "I'll have to check with engineering" followed by silence, tell you what you need to know.

  • 1. Is our data encrypted in transit and at rest? Both matter. "Yes, AES-256 at rest and TLS in transit" is the answer you're looking for.
  • 2. Do you support multi-factor authentication for staff accounts? If the platform can't do MFA in 2026, keep shopping.
  • 3. Are you COPPA-compliant, and will you sign a data processing agreement? The FTC's children's privacy guidance is clear that services collecting kids' data carry real obligations. Our COPPA guide for childcare apps covers what compliance looks like from your side.
  • 4. What third parties receive our data โ€” including analytics and advertising trackers? The honest answer is a specific list. "We don't share data" with no detail is a non-answer.
  • 5. How fast will you notify us if you have a breach? Get a committed timeframe in writing. Days, not "as required by law."
  • 6. Can we export our data and have it permanently deleted if we leave? You should never be held hostage by a platform โ€” and old data sitting on a former vendor's servers is pure liability.
  • 7. Have you had an independent security audit, such as SOC 2? Small vendors may not have one โ€” that's not automatically disqualifying, but it shifts more burden onto the other seven answers.
  • 8. Who at your company can access our records, and how is that controlled? The right answer: almost no one, only with logging and approvals.
Already using an app you never vetted? Send the same eight questions to your current vendor before renewal. Their answers become leverage โ€” either confidence that you chose well, or grounds to negotiate, demand fixes, or switch.

The settings you control (and most centers get wrong)

Even a well-secured platform can be undone by how it's set up at your center. These four fixes take an afternoon:

  • One login per person โ€” never shared. A shared "frontdesk" account means no accountability and no way to cut off access when someone leaves.
  • Turn on MFA for every staff account. It blocks the vast majority of automated account-takeover attacks and usually takes minutes per person.
  • Match access to roles. An aide who logs diaper changes doesn't need billing data or the full family directory. Use the permission tiers your platform already offers.
  • Remove departed staff the same day. Ex-employee accounts with live access to children's records are one of the most common โ€” and most avoidable โ€” gaps we find in center audits.

This same logic applies to every system that touches family data, not just the parent app. Your front-door sign-in is a good example: a paper sheet on a clipboard exposes every family's information to anyone in the lobby, while a purpose-built digital system like SenLobby.ai keeps check-in records private, access-controlled, and audit-ready. And if configuring MFA, permissions, and offboarding across all your platforms sounds like one more job you don't have time for, that's precisely the kind of thing EDCON's managed IT services handle quietly in the background for centers across Los Angeles, Oxnard, Ventura, and Azusa.

If your vendor gets breached anyway

No amount of vetting reduces the risk to zero. If you learn your app vendor has had an incident: get the facts in writing (what data, whose records, what timeframe), reset every staff password and confirm MFA is on, and talk to an attorney about California's breach-notification requirements. Even when the legal notification duty falls on the vendor, your families will expect to hear from you โ€” early, plainly, and with concrete next steps. A calm, honest message protects trust far better than silence. For the fuller playbook, see our guide on what to do when your business gets hacked.

The bigger picture: your center's compliance footprint is the sum of every tool you adopt. Vetting vendors is one leg of it โ€” the others are your own records practices and security controls, covered in our childcare data privacy and Title 22 guide.

Common questions from childcare directors

Are daycare and childcare apps safe to use?

Most established platforms take security seriously, but safety varies widely between vendors โ€” and depends heavily on how your center configures the app. Researchers have found daycare apps sharing data with undisclosed third-party trackers, and one childcare CRM's misconfigured database exposed roughly 140,000 parent and child records. Vet the vendor with direct questions, then lock down your own settings: unique logins, MFA, and role-based access.

What security questions should I ask a childcare software vendor?

At minimum: Is data encrypted in transit and at rest? Do you support MFA? Are you COPPA-compliant, and will you sign a data processing agreement? What third parties receive our data? How quickly will you notify us of a breach? Can we export and permanently delete our data if we leave? Has the platform had an independent audit like SOC 2? Good vendors answer all of these clearly, in writing.

What should we do if our app vendor has a data breach?

Get the facts in writing from the vendor, reset all staff passwords, and confirm MFA is enabled. California's breach-notification law may require notifying affected families โ€” and even when that duty falls on the vendor, parents will expect to hear from you first. Communicate early and plainly, and consult an attorney about your specific obligations.

Do childcare apps have to comply with COPPA?

Often yes. COPPA covers online services that collect personal information from children under 13 โ€” which includes most apps storing children's names, photos, or activity records. The vendor is usually the COPPA "operator," but your center is responsible for choosing compliant vendors and ensuring required parental consent is in place.

Want a second pair of eyes on your apps?

EDCON helps California childcare centers vet their software vendors, lock down staff accounts with MFA and role-based access, and stay ready for whatever a licensing visit โ€” or a vendor breach โ€” throws at them. Book a free 30-minute consultation and we'll review the apps you use today, flag any gaps, and give you a clear, no-pressure plan.

Book a Free Consultation