Security at CoParent Console

Our users entrust us with deeply personal records — court bundles, children's schedules, mediator correspondence. This page sets out how we protect that information, what our scope is, and how to report a vulnerability if you find one.

Last updated: 28 February 2026

How to report a vulnerability

If you've found a security issue in CoParent Console, please email security@coparentconsole.com with the subject line "Security report". Please give us time to investigate and remediate before any public disclosure — we'll keep you in the loop the whole way.

Our machine-readable contact information is published at /.well-known/security.txt following RFC 9116.
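For reference, this is the shape RFC 9116 gives that file. It is an illustrative example written for this page, not the file CoParent Console actually publishes: the Contact value is the address given above, while the Expires date and the Canonical host are placeholders (the page does not say which of its hosts serves the file). Contact and Expires are the two fields the RFC requires, and Expires should be set less than a year ahead and refreshed before it passes, otherwise tooling treats the file as stale.

```text
# Illustrative /.well-known/security.txt per RFC 9116 (not the published file)
Contact: mailto:security@coparentconsole.com
# Placeholder expiry: the RFC requires this field and recommends under one year out
Expires: 2027-02-28T00:00:00.000Z
Preferred-Languages: en
# Assumed host for the canonical location; use whichever host actually serves the file
Canonical: https://coparentconsole.com/.well-known/security.txt
```

Comment lines start with `#` on their own line; the RFC does not allow trailing comments after a field value, which is why each note sits above the field it describes.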

  • We acknowledge new reports within 2 business days.
  • We aim to triage and provide an initial assessment within 5 business days.
  • High-severity issues are fixed and deployed as a priority; expected timelines are shared with the reporter.
  • We do not currently run a paid bug-bounty programme, but we always credit researchers who request acknowledgment.

What we protect

CoParent Console holds household records for separated and divorced parents: messages, calendar events, expense ledgers, maintenance schedules, journal entries, document uploads, child profiles, and mediator/solicitor access grants. We treat all of these as sensitive personal data.

In scope for vulnerability reports:

  • The production application at app.coparentconsole.com and our marketing site at coparentconsole.com.
  • The CoParent Console API.
  • Authentication, session management, and access control (including the third-party / mediator grant flow).
  • Data-handling endpoints — anything that reads, writes, exports, or shares user records.

Out of scope:

  • Denial-of-service or rate-limit research that affects other customers.
  • Findings that depend on root-level device compromise, stolen credentials, or social engineering of our staff.
  • Issues in third-party services we integrate with (Stripe, Resend, Cloudflare Turnstile) — please report those upstream.
  • Findings in preview / staging URLs (e.g. *.preview.emergentagent.com).

How we protect data in transit and at rest

All traffic to and from CoParent Console is encrypted in transit with TLS. Stored data sits on managed infrastructure with encryption at rest enabled by default.

Backups run automatically and are encrypted. We retain personal data only as long as it serves the purposes set out in our Privacy Policy or as required by law.

Authentication and session security

  • Passwords are hashed with a modern adaptive hash (bcrypt). We never store passwords in plain text.
  • Sessions ride in an HttpOnly, Secure, SameSite=Lax cookie. JavaScript cannot read the session token, so cross-site scripting cannot exfiltrate it.
  • State-changing requests are protected by a double-submit CSRF token with timing-safe comparison.
  • Cross-origin requests are restricted to an explicit allow-list of our own domains — no wildcards with credentials.
  • Optional two-factor authentication (TOTP) is available for any account; we strongly encourage it for users who share their device or have a high-conflict co-parent.
  • Sessions can be reviewed and revoked individually from Settings → Security.
  • Sign-up and password reset are gated by Cloudflare Turnstile to deter credential-stuffing.
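The cookie flags, double-submit CSRF check and origin allow-list described in the list above fit together in a small request gate. The following Python is an added illustration written for this page, not CoParent Console's own code; the cookie and header names, the session lifetime and the allow-listed origins are assumptions. It shows the three controls as independent checks so that each failure mode is visible: a missing session, an origin outside the allow-list, and a CSRF token that is absent or does not match. One caveat the page leaves implicit is why the CSRF cookie is separate from the session cookie: the session cookie is HttpOnly so script cannot read it, while the CSRF cookie must be readable so the page can echo it in a header; the `__Host-` prefix used here makes browsers reject either cookie unless it is Secure, scoped to `Path=/` and has no `Domain` attribute, so a sibling subdomain cannot plant a token of its own choosing.

```python
"""Illustrative session cookie, double-submit CSRF check and CORS allow-list.
Written for this page as an example; not CoParent Console's own code."""
import hmac
import secrets

# Assumed cookie/header names (the page does not publish the real ones).
# The __Host- prefix makes browsers refuse the cookie unless it is Secure,
# has Path=/ and carries no Domain attribute.
SESSION_COOKIE = "__Host-cpc_session"
CSRF_COOKIE = "__Host-cpc_csrf"
CSRF_HEADER = "x-csrf-token"

# Explicit allow-list; never "*" together with Allow-Credentials: true.
ALLOWED_ORIGINS = frozenset({
    "https://app.coparentconsole.com",
    "https://coparentconsole.com",
})
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})


def set_session_cookie(token: str, max_age: int = 8 * 3600) -> str:
    """Set-Cookie value for the session. HttpOnly hides it from script,
    Secure restricts it to HTTPS, SameSite=Lax keeps cross-site POSTs
    from carrying it. Lifetime (8h) is an assumed value."""
    return (f"{SESSION_COOKIE}={token}; Path=/; Max-Age={max_age}; "
            "HttpOnly; Secure; SameSite=Lax")


def new_csrf_token() -> str:
    """Unpredictable per-session CSRF token (256 bits of CSPRNG output)."""
    return secrets.token_urlsafe(32)


def set_csrf_cookie(token: str) -> str:
    """The CSRF cookie is deliberately readable by page script (no HttpOnly):
    the client must read it and echo it back in a request header."""
    return f"{CSRF_COOKIE}={token}; Path=/; Secure; SameSite=Lax"


def _header(headers: dict, name: str) -> str:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    name = name.lower()
    for key, value in headers.items():
        if key.lower() == name:
            return value
    return ""


def csrf_ok(method: str, cookies: dict, headers: dict) -> bool:
    """Double-submit check: the cookie value and the header value must both
    be present and equal. hmac.compare_digest runs in constant time, so the
    comparison leaks nothing about how many leading bytes matched."""
    if method.upper() in SAFE_METHODS:
        return True
    cookie_token = cookies.get(CSRF_COOKIE, "")
    header_token = _header(headers, CSRF_HEADER)
    if not cookie_token or not header_token:
        return False
    return hmac.compare_digest(cookie_token.encode(), header_token.encode())


def cors_headers(origin: str) -> dict:
    """Reflect the Origin only when it is allow-listed. An unknown Origin gets
    no CORS headers at all, so the browser refuses to expose the response."""
    if origin in ALLOWED_ORIGINS:
        return {
            "Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin",
        }
    return {}


def gate_request(method: str, origin: str, cookies: dict,
                 headers: dict) -> tuple[int, str]:
    """Checks a state-changing endpoint would run before its handler.
    Returns (HTTP status, reason). An empty origin means the browser sent no
    Origin header (same-origin navigation), which is allowed through."""
    if not cookies.get(SESSION_COOKIE):
        return 401, "no session"
    if origin and not cors_headers(origin):
        return 403, "origin not allowed"
    if not csrf_ok(method, cookies, headers):
        return 403, "csrf token missing or mismatched"
    return 200, "ok"


if __name__ == "__main__":
    # Constructed sample requests: one legitimate, one cross-site forgery.
    tok = new_csrf_token()
    good = {SESSION_COOKIE: "sess-1", CSRF_COOKIE: tok}
    print(gate_request("POST", "https://app.coparentconsole.com", good,
                       {"X-CSRF-Token": tok}))
    print(gate_request("POST", "https://attacker.example", good, {}))
```

Note that SameSite=Lax on its own already stops most cross-site POSTs from carrying the session cookie; the double-submit token is the second, independent layer for browsers and request paths where that attribute does not apply, and the constant-time comparison is what keeps the token check from becoming an oracle.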

What we'll never ask you for

  • Your CoParent Console password — including in any email, chat, or phone call.
  • Remote access to your device.
  • Sensitive financial details outside our Stripe payment flow (Stripe handles card data; we never see it).
  • One-time codes generated by your authenticator app or sent to you by us.

If anyone claiming to be from CoParent Console asks for any of the above, please ignore the message and report it to security@coparentconsole.com.

Responsible disclosure expectations

We greatly appreciate the work of security researchers. To keep our users safe while we investigate, please:

  • Give us a reasonable period (typically 90 days) to remediate before any public disclosure.
  • Avoid accessing, modifying, or destroying user data — confirm impact with the minimum interaction needed.
  • Never run automated tooling that floods the service or could affect another customer's account.
  • If you accidentally access data that isn't yours, stop immediately and let us know.

In exchange, we commit to acting in good faith: keeping you informed, crediting your work when you want us to, and never taking legal action against researchers who follow these guidelines.

Audit and compliance posture

CoParent Console is operated from Ireland and processes personal data under the EU GDPR and the Irish Data Protection Acts 2018. Our handling, subject rights, and breach-response procedures are documented in the Privacy Policy.

We are happy to share additional security documentation (architecture diagrams, sub-processor list, breach-response playbook) with B2B prospects who request it as part of vendor due-diligence. Please get in touch at security@coparentconsole.com and we'll route it to the right person.