Trust foundations

Your data, your deployment, in your region of choice.

DaycareMate is built for the moment a daycare director asks "where does our data live?" — and is ready with an answer. Single-tenant per daycare. Role-gated. Audit-logged. Designed to make your insurance auditor smile.

The three principles

If we wouldn't run our own children's data this way, we wouldn't ship it.

Data lives where you choose

Every deployment runs in the cloud region you select at install time. We do not move data between regions, and we do not aggregate customer data anywhere outside your deployment.

Single-tenant by default

One daycare, one deployment. Your database, your object storage, your CDN, your email identity — operated for your account only. There is no shared schema and no shared bucket.

Role-based access, every request

Super-admin, admin, teacher, and parent paths are gated by middleware and re-checked inside every API handler. Parents are scoped to their own children — never trusted by URL alone.

What's inside

A platform-level checklist, not a marketing one.

Each item below is implemented in product code today, not a roadmap aspiration.

Identity

Auth.js v5 with forced password change

JWT sessions, password reset flows, and a one-shot magic-link sign-in for admission invites. First-login passwords must be rotated before the user can do anything sensitive.

Authorisation

Four roles, enforced at the middleware

SUPER_ADMIN, ADMIN, TEACHER, PARENT. Path prefixes map to roles in middleware, and every API route re-validates via requireRole() so a stale session can never elevate privileges.
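The layered check described above (prefix gate in middleware, role re-check in the handler, parents scoped to their own children), sketched as an added example that is not DaycareMate's code. Only the four role names and the name requireRole() come from this page; the prefix map, the in-memory user store, the handler names and the choice to re-check against a stored role are assumptions made for illustration.

```javascript
// Added illustration, not DaycareMate source. Only the four role names and the
// name requireRole() come from the page; everything else is assumed.
const PREFIX_ROLES = [ // assumed path-prefix map used by the middleware layer
  ["/super", ["SUPER_ADMIN"]],
  ["/admin", ["SUPER_ADMIN", "ADMIN"]],
  ["/teacher", ["SUPER_ADMIN", "ADMIN", "TEACHER"]],
  ["/parent", ["PARENT"]],
];

// Constructed sample records standing in for the user table.
const USERS = new Map([
  ["u1", { role: "PARENT", childIds: ["c1"] }],
  ["u2", { role: "TEACHER", childIds: [] }], // demoted from ADMIN after sign-in
]);

class HttpError extends Error {
  constructor(status, message) { super(message); this.status = status; }
}

// Layer 1: coarse gate on the session claim. Unknown prefixes are denied, and
// "/administrator" must not match "/admin".
function middlewareAllows(path, session) {
  const hit = PREFIX_ROLES.find(([p]) => path === p || path.startsWith(p + "/"));
  return Boolean(hit && session && hit[1].includes(session.role));
}

// Layer 2: the handler re-checks against the stored role, not the token claim,
// so a session issued before a demotion carries no extra privilege.
function requireRole(session, allowed) {
  const user = session && USERS.get(session.userId);
  if (!user) throw new HttpError(401, "unknown user");
  if (!allowed.includes(user.role)) throw new HttpError(403, "role not allowed");
  return user;
}

// The childId from the URL is only honoured if it belongs to this parent.
function getChildReport(session, childId) {
  const user = requireRole(session, ["PARENT"]);
  if (!user.childIds.includes(childId)) throw new HttpError(403, "not your child");
  return { childId, report: "constructed sample report" };
}

function getAdminBilling(session) {
  requireRole(session, ["SUPER_ADMIN", "ADMIN"]);
  return { ok: true };
}

// Helper for the demo: map a handler call to an HTTP-style status code.
function statusOf(fn) { try { fn(); return 200; } catch (e) { return e.status || 500; } }
```

With the constructed data, a session for u2 that still claims ADMIN passes the prefix gate for /admin but is rejected with 403 inside the handler, and parent u1 gets 403 when the URL names a child that is not theirs.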

Storage

Private object storage with presigned URLs

Photos and documents live in a private bucket. Uploads are PUT directly with short-lived presigned URLs; downloads pass through a CDN with presigned access on each request.

Database

Single-table isolation

DynamoDB single-table design keeps your records sharply isolated and predictably indexed. Multi-tenant support is on the roadmap as a controlled prefix migration — never an accidental data spill.

Email

Transactional email with DKIM, MAIL FROM, and DMARC

Magic-link invites, new-message notifications, and dunning reminders are sent from your own domain identity. We support DKIM, custom MAIL FROM, and DMARC configuration out of the box.

Audit

Append-only invoice event log

Every issue, payment, credit note, and void writes a timestamped event row to the invoice. Staff-submitted admission forms record a filledByAdminId so 'who entered this' is always answerable.

Observability

Pino structured logging, optional Sentry

Structured logs by default. Drop in a Sentry DSN to wire the root error boundary, the API handler, and the Next.js instrumentation entry to your error tracking — no code changes required.

Compliance posture

Records you can hand to your auditor

Immutable invoices after issue. Audit-logged events. Per-line taxable flags. Frozen tax rate snapshots. Dedicated deployment per daycare. Documented launch checklist for go-live.

Pick the region. Pick the topology. Own the keys.

DaycareMate runs on the same Terraform configuration regardless of cloud region, so you can keep parent data close to where it's used. We work with operators in many markets and adapt the deployment to local data-residency expectations.

For organisations that need it, we can deploy DaycareMate into your own cloud account so the only people with access to your raw data are you.

Operational practice

Predictable releases. Documented runbooks.

A daycare can't reschedule pickup, so neither can we.

A pre-launch checklist is run for every customer deployment: DNS, email identity, admin seed, classroom setup.

Migrations are documented and gated behind explicit operator scripts (for example: legacy → first-class payment migration is a single command).

All mutations validate input with shared schemas — the same Zod schemas the server uses are referenced by the client.

Destructive operations confirm before they run; rejections capture a reason for the audit trail.

Ready when you are

Want the technical deep-dive?

We'll walk your engineering or compliance team through the deployment, the data model, and the safeguards in a 30-minute call.