This page is maintained by the REBUILT OS team to answer common security, privacy, and compliance questions from public-sector partners. It describes controls that are enabled in the platform today and is not an independent certification.
Every table is protected by policies scoped to the signed-in user and their role. Data is not returned unless the caller is authorized.
Roles (participant, mentor, family, court, employer, admin) grant only the minimum data each role needs to do their job.
Participants control what family, employers, and courts can see, with versioned consents and timestamps.
Sensitive reads, writes, and administrative actions are recorded with actor, action, and time.
Data is encrypted at rest and in transit through our managed cloud backend.
Personal information is never publicly readable. Public statistics are aggregated and anonymized.
Records follow program-defined retention. Participants can request deletion of eligible personal data.
Security events are logged and reviewed. Verified incidents trigger notification to affected parties.
REBUILT OS operates the platform, its managed cloud backend, and platform-level controls listed above. Partner organizations are responsible for administering their own users, managing their consent workflows, and handling data they export or share outside the platform.