Building in Public

I Hardened an Entire Platform in a Weekend. Nobody Asked Me To.

April 26, 2026  ·  By Courtney Turner-Serrano  ·  5 min read

There's no investor. There's no revenue yet. There's no board meeting where someone asked me to explain my security posture. It was a Saturday night and I was staring at edge functions thinking about whose data would eventually flow through them.

Parents. Parents who have already been failed by systems they were told to trust. Parents who are going to type their child's name into a tool I built — their disabled child's name, their school's name, the details of meetings where they felt small and outnumbered. That's not data. That's someone's whole world.

So I hardened the whole thing.

9 Edge Functions Patched  ·  37 Tables Locked Down  ·  1 Vulnerability Killed

What I Actually Did

Every edge function that handles AI queries now has CORS locking — meaning only requests from my actual domain get through. No random script, no bad actor, no one who shouldn't be there can call these functions from somewhere else. Seven of those functions handle AI-powered features, and every single one now has rate limiting: daily caps that prevent abuse without locking out real parents who need answers.
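The two controls described above, an origin allowlist and a per-caller daily cap, as an added example that is not the platform's own code. The domain, the cap of 20, the `clientId` field, the request shape and the in-memory store are assumptions.

```javascript
// Added example. Domain, cap and request shape are assumptions, not the platform's values.
const ALLOWED_ORIGINS = new Set(["https://app.example.org"]); // placeholder domain
const DAILY_CAP = 20; // assumed per-caller daily limit
// In-memory counter keyed "clientId:YYYY-MM-DD"; a deployed function needs a
// shared store, because edge instances do not share memory.
const usage = new Map();

function corsHeaders(origin) {
  // Echo the origin only when it is allowlisted; never answer with "*".
  if (!ALLOWED_ORIGINS.has(origin)) return { Vary: "Origin" };
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Methods": "POST, OPTIONS",
    "Access-Control-Allow-Headers": "authorization, content-type",
    Vary: "Origin",
  };
}

function takeDailySlot(clientId, now) {
  const key = `${clientId}:${now.toISOString().slice(0, 10)}`; // UTC day bucket
  const used = usage.get(key) || 0;
  if (used >= DAILY_CAP) return { allowed: false, remaining: 0 };
  usage.set(key, used + 1);
  return { allowed: true, remaining: DAILY_CAP - used - 1 };
}

// req is a constructed minimal shape: { method, origin, clientId }.
function handle(req, now = new Date()) {
  const headers = corsHeaders(req.origin);
  // Browsers enforce CORS headers; other clients ignore them and can send any
  // Origin, so refuse unknown origins here and rely on the cap for the rest.
  if (!ALLOWED_ORIGINS.has(req.origin)) return { status: 403, headers, body: "origin not allowed" };
  if (req.method === "OPTIONS") return { status: 204, headers, body: "" }; // preflight costs nothing
  if (req.method !== "POST") return { status: 405, headers, body: "method not allowed" };
  const slot = takeDailySlot(req.clientId, now);
  if (!slot.allowed) {
    const reset = Date.UTC(now.getUTCFullYear(), now.getUTCMonth(), now.getUTCDate() + 1);
    const wait = String(Math.ceil((reset - now.getTime()) / 1000));
    return { status: 429, headers: { ...headers, "Retry-After": wait }, body: "daily limit reached" };
  }
  return { status: 200, headers: { ...headers, "X-RateLimit-Remaining": String(slot.remaining) }, body: "ok" };
}
```

The counter resets at UTC midnight, and preflight `OPTIONS` requests are answered without consuming a slot so a browser's own CORS check does not eat into a parent's daily allowance.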

I found a vulnerability — a place where the system could leak parent data if someone knew where to look. I killed it. Rotated the API key. Rebuilt the function. Tested it until it was clean.

Then I went through every database table. Row-level security on every one. That means even if someone somehow got past the front door, they can only see their own data. Your child's profile, your IEP documents, your complaint drafts — they're yours. Period.

Why It Matters

I've been in healthcare QA for six years. I've written test cases for EHR systems, audited COPPA compliance for children's apps, documented architecture failures in health AI platforms. I know what "secure enough" looks like in enterprise software — and I know what it looks like when companies cut corners because nobody's watching.

Nobody's watching me either. There's no compliance officer standing over my shoulder. There's no SOC 2 audit scheduled. I did this because it's the right thing to do, and because the parents who will use this tool have already been let down by enough systems that promised to keep their kids safe.

"Understanding someone's suffering is the best gift you can give another person."

— Thich Nhat Hanh

That quote broke through a wall of writer's block this week. I'd been sitting at my desk trying to figure out what to say about this platform, how to explain it, how to talk about what I built. And then it hit me — that IS the mission. Not the code. Not the edge functions. Not the legal citations. Understanding suffering. The parents who are going to use these tools have been suffering in IEP meetings, in hallways, in phone calls where someone told them their child was fine when their child was not fine. Understanding that — really understanding it — is why the security matters. It's why every detail matters.

Building Alone Doesn't Mean Building Sloppy

I'm a one-person team. I'm building this from my teal home office while my three-year-old draws on herself with markers and my son does homeschool lessons down the hall. I'm funding it from QA freelance work and testing gigs. The LLC isn't even filed yet.

But I refuse to cut corners on the thing that matters most: trust.

If a parent types their child's name into my tool, they're trusting me. If they upload an IEP document, they're trusting me. If they draft a complaint letter using my generator, they're trusting me with the hardest fight of their parenting life.

I will not betray that trust because I was too tired or too solo or too underfunded to do it right.

This isn't a startup story about growth metrics and burn rate. This is a mom who's been in those rooms, who's watched a school strip her son's supports in three weeks, who homeschooled her way out of a broken system and then started building tools so other parents wouldn't have to do it alone.

The security hardening was the easy part. The hard part was every meeting before it.

Try the Tools

Every tool is free. No login. No paywall. Built because no parent should have to become a lawyer to protect their kid.
