All card numbers are encrypted on disk with AES-256. Decryption keys are stored on separate machines. None of KidGPS's internal servers and daemons are able to obtain plaintext card numbers; instead, they can just request that cards be sent to a service provider on a static whitelist. KidGPS's infrastructure for storing, decrypting, and transmitting card numbers runs in separate hosting infrastructure, and doesn't share any credentials with KidGPS's primary services.
We rapidly investigate all reported security issues. If you believe you've discovered a an issue with KidGPS's security, please get in touch at firstname.lastname@example.org. We will respond as quickly as possible to your report. We request that you not publicly disclose the issue until it has been addressed by KidGPS.