Kimshi Simple

Security & data protection

How we keep your families’ data safe

Kimshi Simple holds bookings, family and participant records and payment details for kids’ clubs, cafes and activity providers. Here’s where that data lives, who can reach it, and the commitments we make to you and the parents who trust you.

Where your data lives

Your data is hosted on Amazon Web Services (AWS) in the UK and EU — primary processing runs in eu-west-1 (Ireland) and eu-west-2 (London).

It is encrypted in transit with TLS, and encrypted at rest using AES-256. A limited set of supporting AWS services and our global content-delivery network may process data elsewhere; where that happens it is covered by Standard Contractual Clauses, as set out in our DPA.

Who can see it

Access is role-based. Sensitive client, staff and booking details sit behind restricted owner and admin roles, served through separate restricted endpoints rather than ordinary screens.

Access to and changes affecting sensitive records are audit-logged, so there is a traceable record of who looked at what.

Securing access to your account

Administrator access to your club’s dashboard is protected by multi-factor authentication (MFA). Admins sign in with their password plus a second factor — a code from an authenticator app, or a one-time code sent to their email — so a stolen password alone can’t reach your data. Authenticator secrets are encrypted, and email codes are time-limited and attempt-limited.

Sign-in is built on AWS Cognito, backed by further protections: CSRF defences, rate limiting to slow automated attacks, hardened security headers (CSP, HSTS), and strict validation of every submission. Sensitive client, staff and booking records sit behind additional role-based access controls, and access to them is logged.

Safeguarding and children's information

Health, allergy, medication, dietary, access and emergency details are the most sensitive information on the platform, and we treat them that way. When a parent or guardian provides them, they actively confirm a clear, versioned safeguarding agreement — and we keep an audit record of exactly what was agreed, by whom, and when, including the precise wording shown at the time.

That consent can be withdrawn at any point from the customer portal. Access to this information is restricted to authorised people who need it for a child’s safety, and every access is logged.

Your rights & our commitments

We are registered with the UK Information Commissioner’s Office (ICO) — registration no. ZC021387. Registration is a legal requirement for handling personal data, not an endorsement or certification.

We operate in line with UK GDPR, with a published Data Processing Addendum, an open list of subprocessors, support for data-subject rights, and deletion of your data within 90 days of termination.

Resilience

Data is backed up with automated recovery, and backups expire on their own lifecycle so nothing lingers indefinitely.

We monitor the platform for errors and availability, run health checks, and rely on hardened, network-isolated AWS infrastructure.

Certifications

We lead with what we actually do. Where we hold an independent certification, its mark will appear here, linked to the live certificate so you can verify it yourself.

Cyber EssentialsCertification placeholder — not yet granted. This badge appears here, linked to the live certificate, once awarded.