Latest update — [May 2026]
illumine has completed its latest SOC 2 Type II audit, conducted from June 2025 to May 2026 by an independent CPA firm. The report is available to current customers and qualified prospects on request. To request a copy, email info@myillumine.com or contact your account manager.
Read our CTO's perspective on what SOC 2 Type II means for childcare operators
Certifications and Compliance
We hold the certifications that childcare operators, multi-site groups, and procurement teams typically require:
- SOC 2 Type II: Independently audited against the AICPA's Trust Services Criteria (security, availability, processing integrity, confidentiality, and privacy) over an extended observation window. Most recent audit period: June 2025 to May 2026.
- GDPR: Fully compliant for customers and end-users in the EU and UK. Data processing agreements available on request.
- Google Cloud Platform: illumine runs on GCP infrastructure, which holds ISO 27001, ISO 27017, ISO 27018, SOC 1/2/3, and PCI DSS attestations.
Infrastructure and Hosting
illumine runs on Google Cloud Platform, the same infrastructure trusted by governments, healthcare networks, and financial services providers.
- Hosting regions: Static content is deployed to Google’s global edge network. Requests are automatically served from the nearest CDN edge location to the user.
- Data residency: Customer data is stored in the region selected at onboarding, with options for EU, US, and APAC hosting depending on plan.
- High availability: Multi-zone replication for durability and failover
- Encryption at rest: AES-256
- Encryption in transit: TLS 1.2 or higher across all customer endpoints
- Backups: Full daily backups with by-the-second incremental backups in between; backup integrity is tested regularly
Access Controls and Authentication
- Multi-factor authentication is required for all illumine staff with access to production systems, and is available to all administrators, staff, and families on customer accounts
- Role-based access control (RBAC): Granular permissions ensure parents, teachers, administrators, and owners see only what's relevant to their role
- Principle of least privilege: illumine staff access to customer data is restricted to documented operational needs and logged
- Audit logs: Customer-facing access logs available for administrators to review who accessed what, and when
Data Protection
- All customer data is encrypted at rest (AES-256) and in transit (TLS 1.2+)
- Production data is segregated from development and staging environments
- Backups are encrypted, geographically redundant, and routinely tested for restore integrity
- Data is retained according to our Data Processing Agreement and deleted on request after contract termination, per regional requirements
- Customers can export their data in standard formats on request
Operational Security
We treat security as an ongoing operating standard, not a one-time project. Our internal controls are reviewed continuously and form the basis of our annual SOC 2 Type II audit.
- Incident response: Documented incident response plan with defined escalation paths. We notify affected customers in line with the breach notification commitments in our DPA.
- Vulnerability management: Regular vulnerability scanning of infrastructure and applications, with prioritized remediation
- Penetration testing: Annual third-party penetration testing of the platform
- Change management: All code changes go through peer review and automated security checks before deployment
- Staff screening: Background checks for all employees with access to customer data; annual security training and code-of-conduct acknowledgment
- Vendor and subprocessor management: All subprocessors are vetted for security posture and listed in our DPA. We notify customers of material changes to our subprocessor list.
Privacy and Data Handling
- illumine is fully compliant with GDPR for EU and UK customers
- Our Privacy Policy describes what data we collect, why, and how it's used
- Standard Contractual Clauses (SCCs) are available for cross-border data transfers
- Customers act as the data controller for child and family records; illumine acts as the data processor under the terms of our DPA
- We do not sell customer data, ever. We do not use child or family data to train AI models without explicit, separate customer consent.
Read our Privacy Policy here.
Reporting Security Issues