
Famly Security Best Practices

Written by Josie
Updated this week

Keeping your Famly account secure is crucial for protecting sensitive information about children, parents, and staff. This help centre article outlines recommended security measures for staff and administrators to safeguard their Famly accounts, and describes some of the initiatives we take as well. By following these best practices, you can significantly reduce the risk of unauthorised access.

Famly treats data security and privacy with the utmost seriousness. All personal data, including child, parent, and staff records, is encrypted both in transit and at rest (using AES-256) to guard against unauthorised access. Our platform is hosted in a secure data centre with additional backups elsewhere; all backup and primary systems follow rigorous security standards and independent audits. We operate under a comprehensive Data Processing Agreement (DPA), comply with GDPR, UK GDPR, and related data protection laws, and vet all sub-processors to ensure they adhere to equivalent security and privacy obligations. You can read more about Famly’s security practices here.

Here’s what you can do on your end and what we’ll cover in this article:

  • Use strong, unique passwords

  • Never share your login credentials

  • Use trusted devices and networks

  • Keep devices and software updated

  • Be vigilant against phishing

  • Use automatic logout and screen lock

  • Make sure your staff has the right permissions

  • Consider Two-Factor Authentication (2FA) or Single Sign-on

  • What to do if you think your account has been compromised

Use strong, unique passwords

A strong password is your first line of defence. We recommend:

  • That your password is at least 15 characters long

  • Avoiding easily guessed words like names or birthdays

  • Not reusing passwords from other websites or services. If one account is compromised, an attacker could gain access to your Famly account using the same credentials

Famly will automatically check whether new passwords have been part of a previously reported password breach from other websites or services to avoid re-use of compromised passwords.

Avoid storing passwords in unsafe or unprotected places (such as writing them on post-it notes or saving them in unsecured documents). Consider using a reputable password manager to securely store and manage your passwords as this allows you to have different long, random passwords for each account without needing to remember them all manually.

By default, passwords in Famly need to be at least 8 characters long and include both letters and numbers or special characters. If you wish to enforce even stronger password requirements, please reach out to the Famly support team, who can help get that set up.

Never share your login credentials

Your Famly login credentials (email and password) are private - do not share them with anyone else. This includes colleagues, other staff members, friends, or family. Each user in Famly should have their own account; never allow someone to log in with your credentials. Sharing accounts not only violates security best practices, but also makes it impossible to track who took what actions in the system. Additionally, be careful not to expose your password inadvertently. Do not write down passwords and leave them in unsecured places (for example, a sticky note on your desk or a notebook that others can access). If you must record a password, keep it in a very secure location (or use an encrypted password manager) - treat it like sensitive confidential information that others must not find. Similarly, avoid saving passwords in a web browser on a shared or public computer without additional protections, as someone else could potentially retrieve or use it.

Use trusted devices and networks

Famly will automatically send you an email notification when we detect a login from a new device. Only log in to Famly from trusted devices and secure networks. Avoid signing into your account on public or shared computers (such as library or cafe computers) whenever possible, since you can’t be certain those machines are free of malware or keyloggers.

In the same vein, be cautious when using public Wi-Fi networks - open networks (e.g. in coffee shops or airports) are often not secure, meaning others could potentially intercept your data traffic on them. If you must access Famly from a shared device or public network, take extra precautions: use a private/incognito browsing window and never allow the browser to save your login on an untrusted machine. Always log out of your Famly account completely when you finish using a shared computer (simply closing the browser is not enough - make sure you actively sign out). For public Wi-Fi, consider using a VPN (Virtual Private Network) to encrypt your connection, or use your mobile device’s personal hotspot, to add a layer of security if you need to log in from an untrusted network.

Keep devices and software updated

Maintaining the security of the devices you use to access Famly is an important part of general security best practice. Make sure your computers, tablets, or phones have up-to-date operating systems and that you install updates for the Famly app regularly. It’s wise to enable automatic updates on your devices, as well as for critical apps and any antivirus or security software you use. Running reputable antivirus/anti-malware tools (and keeping them updated) can further help by detecting and blocking threats that could steal passwords or compromise your device.

Be vigilant against phishing

Always be on guard for phishing attempts - these are fraudulent messages that try to trick you into revealing your login details or clicking malicious links. Attackers may send emails (or texts) that impersonate Famly support or a familiar institution, urging you to “verify” your account or log in via a provided link. Remember that Famly will never ask you to confirm your password or send login links via unsolicited email. If you receive an unexpected email about your account, do not click any links or download attachments unless you are certain it’s legitimate. Do not enter your Famly credentials on any site that you reached by clicking a link in an email or message, especially if the message was unsolicited. Phishing websites can be made to look very convincing.

As a rule of thumb, go directly to Famly’s official website (e.g. via your bookmark or by typing the address) when you need to log in, rather than via email links. Be skeptical of any message that creates a sense of urgency or panic about your account, or offers something that’s “too good to be true.” If a message is unexpected and suspicious, trust your instincts - it’s safest to ignore or verify it through official channels rather than clicking through. When in doubt, you can contact Famly support directly to check if an email is legitimate.

Use automatic logout and screen lock

Famly’s Auto-logout feature is a handy tool that will automatically log you out of the app after a period of inactivity. By default, Famly will sign you out after 5 minutes of no activity to prevent someone else from using your session if you leave your device unattended. We recommend keeping the auto-logout timer at a short interval (around 5 minutes, and ideally no more than 15 minutes) to keep your data safer. This way, even in the middle of a busy day, if you get pulled away from the screen, Famly will lock itself and require re-login with your PIN code, much like a banking app.

In addition to auto-logout in Famly, make sure to lock your device screen when not in use. Set up an automatic screen lock on your computer or tablet after a few minutes of inactivity, requiring a password, PIN, or fingerprint to unlock. This ensures that if you forget to log out or close Famly, your device’s lock will still protect against unauthorised access. Combining an auto-logout on the app with a short screen timeout on your devices provides two layers of protection to keep your account and data secure.

You can read more about Famly’s auto logout here.

Make sure your staff has the right permissions

Famly’s granular permissions allow you to customise which features and data each staff role in your setting has access to on Famly, so you can restrict access to different parts of the app. Make sure your permissions are set up correctly, so that staff do not have access to unnecessary information.

You can also set things up so that certain staff roles can’t access Famly data when they are not at work.

You can read more about staff permissions and how to configure them here.

Consider Two-Factor Authentication (2FA) or Single Sign-on

For an extra layer of security, use two-factor authentication on your Famly account. Two-factor authentication (also known as 2FA) means there are two steps to log in: first your normal password, and then a one-time code or approval from a second device (such as an authenticator app on your phone). This second step ensures that even if someone knows your password, they cannot access your account without the unique 2FA code. Having 2FA enabled on your Famly account will provide an extra safeguard.

You can read more about 2FA and how to get it enabled here.

If you use company email addresses for your staff, you can have single sign-on (SSO) enabled for staff on your Famly account, which can also add an extra layer of security. You’ll have to contact your Famly account manager for a discussion around single sign-on.

What to do if you think your account has been compromised

If you believe your Famly account has been accessed without your permission, please do the following in order of priority:

  1. Change your password immediately

  2. Let your setting’s administrator know

  3. Contact Famly Support so we can investigate and help secure your account

By following these account security best practices - from using strong, unique passwords and device safeguards to staying alert against phishing - you can help ensure that your Famly account (and the sensitive data within it) remains well-protected. Security is a shared responsibility, and a few proactive steps on your part will go a long way in keeping your Famly platform safe.

If you have any questions or concerns about account security, please reach out to support@famly.co and we’ll be happy to help.
