Whitepaper

How Shomerli protects your data — without halakhic compromise.

Security architecture, PIPEDA / Law 25 compliance, and transparency commitments for families, schools and rabbis evaluating Shomerli.

Updated April 30, 2026Technical whitepaper~17 min read

Section A

For families

Plain-language overview: where your data lives, what we don't sell, how deletion works.

~ 2 minRead section A →

Section B

For IT teams

Multi-layer architecture, encryption, hosting topology, API controls and anti-bypass.

~ 10 minRead section B →

Section C

For schools & Vaadim

PIPEDA / Law 25 compliance, named Privacy Officer, incident response, contractual commitments.

~ 5 minRead section C →

Shomerli is based in Montreal. Our founder is reachable directly: steve@shomerli.com · WhatsApp +1 (514) 638-9213.

Section A · For families~ 2 min

Your data, in plain terms.

No technical jargon. For parents who want the essentials before signing up their household.

Filtering happens in Canada.

When your family visits a website, the filtering request goes through our server in Beauharnois (Quebec). Not the United States. Not Israel. Quebec, under Canadian law — federal PIPEDA and provincial Law 25.

Honest note: our admin dashboard is currently hosted in the USA (AES-256 encrypted). Migration to Canada planned for Q3 2026. Details in Section B.2.

Your queries are not sold.

Shomerli does not sell your browsing data to advertisers. None. Our business model is paid subscription, not advertising — this is deliberate and structural. No third-party tracking pixels, no Meta SDK, no Google Analytics on the dashboard.

Deletion on request.

You can request deletion of all your data at any time. Legal deadline: 30 days (Law 25 art. 28). In practice: under 72 hours for Shomerli. Email steve@shomerli.com, written confirmation at every step.

data shared with advertisers or commercial third parties.

Law 25 contractual commitment — not a PR claim

Want more technical detail — architecture, encryption, hosting topology?

Continue to Section B (10 min) ↓

Section B · For IT teams~ 10 min

Technical whitepaper.

Architecture, encryption, honest hosting topology, API controls, bypass detection. All claims independently verifiable.

B.1 — Multi-layer architecture

Shomerli is not a standalone DNS filter. It's a multi-layer architecture designed for the observant community, where each layer adds a distinct protection. No single layer is sufficient — it's their composition that makes bypass expensive and detection fast.

User device

CoreDNS — DNS-level blocking

First line. DNS resolution intercepted before any TCP connection.

DNS over HTTPS (RFC 8484)
DNS over TLS (RFC 7858)
Community blocklists

MITM Proxy — Beauharnois (QC)

Keyword interception + AI classification on HTTPS content, inside Canadian jurisdiction.

Encrypted TLS termination
AI classification (Anthropic)
PII redaction before inference

Samsung Knox / Device Owner

Wildcard filtering on Android via Device Owner mode — non-removable without factory reset (kernel-level mode planned post-Knox-activation).

Samsung Knox device management (license activation pending)
Anti-uninstall protection
Knox attestation

Anti-bypass detection

Detects VPNs, alternative DoH, HTTP(S) proxies, SSL pinning bypass attempts.

Real-time admin alerts
Privacy-first logs
Knox network policy

Internet

B.2 — Where your data lives.

Shomerli was designed and operates from Montreal. Our commitment is Canadian residency for all sensitive data. Here is the current state — and our public roadmap. No "100% Canadian infrastructure" claim that an IT auditor would dismantle in three minutes.

Component	Current location	Target Q3 2026	Migration rationale
Filtering VPS DNS + MITM proxy	Beauharnois, Quebec	Beauharnois + secondary US	US user latency, redundancy
Dashboard Vercel	iad1, Virginia	Toronto / Montreal	Law 25 data residency
PostgreSQL Supabase	us-east-1	Toronto region	Supabase launched a CA region in 2025
Redis cache Upstash	us-east-1	CA + EU	Short TTL — less critical
AI classification Anthropic API	USA	USA + PII redaction	Anthropic offers no CA region

B.3 — Encryption, end to end.

Layer	Protocol	Level	Status
Transport (browser → server)	TLS 1.3	A+ SSL Labs grade	Active
API authentication	JWT RS256 · refresh 7d	15-min lifetime	Active
Data at rest (Supabase)	AES-256	Server-side encryption	Active
Mobile storage (Android)	Encrypted MMKV	AES-256	Active
DNS over HTTPS	DoH (RFC 8484)	TLS 1.3	Active
DNS over TLS	DoT (RFC 7858)	TLS 1.3	Active
Webhook signatures (Stripe)	HMAC-SHA256	Server-side verified	Active

# Test our SSL grade publicly:
$ curl -I https://shomerli.com
HTTP/2 200
strict-transport-security: max-age=63072000; includeSubDomains; preload
x-content-type-options: nosniff
x-frame-options: DENY

You can independently verify our TLS configuration via SSL Labs or Mozilla Observatory.

B.4 — API layers & access control

RBAC. 5 strict roles (SUPER_ADMIN, ORG_ADMIN, PARENT, MEMBER, CHILD). Hierarchy enforced server-side in tRPC middleware, checked on every call.
Rate limiting. Redis-based, per IP + per user + per endpoint. Progressive backoff. CAPTCHA after 3 consecutive failures.
Input validation. Zod schemas client- and server-side. HTML sanitization. Prisma parameterized queries (SQL-injection-safe).
CORS. Strict origins — dashboard domain + mobile app scheme only.
CSP. Strict Content Security Policy (script-src 'self', style-src 'self' + Tailwind, img-src 'self' + CDN).
Dependency scanning. Snyk + npm audit in CI/CD. Zero-CRITICAL-vuln policy: no CRITICAL vulnerability in production without a hotfix within 48 hours.
Audit trail. Immutable append-only PostgreSQL table. Action / user / timestamp / IP / metadata for every security-relevant event. 90-day hot retention, 7-year cold archive.

B.5 — Bypass detection.

Part of Shomerli's value is its resistance to bypass — VPN, proxy, alternative DoH. We can't catch everything; here is what we do technically:

VPN connection detection (Knox API, kernel-level mode planned post-activation)
DoH / DoT detection toward non-Shomerli servers
HTTP(S) proxy configuration detection
SSL pinning bypass attempt detection
Real-time notifications to the household or school admin
Attempt logs that don't reveal user identity (privacy-first default)
No filtering system is 100% bypass-proof. A determined user with root access on a device can circumvent. Our approach: raise the effort cost + detect quickly.

B.6 — Immutable audit trail.

All security events (login, password change, RBAC change, data export, deletion) are logged into an append-only PostgreSQL table. No UPDATE or DELETE permitted. Enforced via DB constraints + automated tests.

-- Audit log structure (simplified):
CREATE TABLE audit_log (
  id UUID PRIMARY KEY,
  user_id UUID NOT NULL,
  action VARCHAR(100) NOT NULL,
  resource_type VARCHAR(50),
  resource_id UUID,
  ip_address INET,
  user_agent TEXT,
  metadata JSONB,
  created_at TIMESTAMPTZ DEFAULT NOW()
);
-- No UPDATE or DELETE permissions granted

Representing a school, Vaad or institution? See the compliance commitments below.

Continue to Section C (5 min) ↓

Section C · For schools & Vaadim~ 5 min

B2B and halakhic compliance.

Regulatory frameworks, named Privacy Officer, incident response plan, and contractual commitments — all auditable on request.

C.1 — Compliance frameworks

Framework	Jurisdiction	Key article	Shomerli status
PIPEDA	Canada (federal)	s. 5(3) — Reasonable consent	Compliant — explicit consent
Law 25	Quebec	Art. 3.2 — Designated Privacy Officer	Our founder (de facto DPO)
Law 25	Quebec	Art. 3.5 — DSAR < 30 days	<72 h in practice
Law 25	Quebec	Art. 8 — Privacy Impact Assessment	Documented (internal, available on request)
COPPA	USA < 13 yo	Verifiable parental consent	PARENT-account control flow
Privacy Act	Israel	Database registration	Q4 2026 if market expansion
GDPR	EU	Data Subject Rights	Not yet active — no EU users

All claims are auditable. On request for rabbis or Vaad lawyers: full internal documentation (DPIA, RoPA, incident response plan).

C.2 — Privacy Officer & contacts

Our founder

Designated Privacy Officer · Law 25 art. 3.2

Direct email: steve@shomerli.com
WhatsApp: +1 (514) 638-9213
Response SLA: < 24 h, business days
DSAR (Data Subject Access Request): < 72 h in practice (legal limit 30 days, Law 25)

Article 3.2 of Quebec's Law 25 requires any organization collecting personal data to designate a person responsible for privacy protection. For Shomerli that is our founder — until the team grows enough to formalize an independent DPO.

C.3 — Incident response

In the event of a breach or security incident, the following process applies — each step with an explicit SLA, logged into the audit trail:

Containment< 1 h
Isolate affected systems. Revoke potentially compromised credentials. Preserve forensic snapshot.
Investigation< 24 h
Forensic analysis, breach scope, identification of affected data and impacted users.
User notification< 72 h
Email to every potentially affected user (PIPEDA + Law 25 art. 3.5). Incident details, data touched, recommended actions.
Authority notification< 72 h
CAI Quebec if required by Law 25 art. 3.5. Office of the Privacy Commissioner of Canada if applicable.
Public post-mortem< 14 d
Published at /security#incidents — transparency commitment. Timeline, root cause, corrective measures.

No security incident has occurred to date (Shomerli is 4 months old). If one did, this process would be followed and this page updated publicly with a post-mortem.

C.5 — Contractual commitments

No sale of data to advertisers or commercial third parties.
No advertising profiling — no audience building, no look-alike modeling.
No use of data to train third-party AI models. Data stays inside Shomerli + Anthropic API with PII redaction.
Full deletion on request, under 72 hours (legal limit 30 days, Law 25).
Full export on request, under 72 hours, portable JSON format.
30-day notice before any change to the privacy policy (Law 25 art. 8.2).

Audit & verification

Want to verify our claims?

Public roadmap

Q2 2026now

Filtering VPS Quebec operational · Encrypted dashboard in USA

Q3 2026

Migrate Supabase + Vercel to Canada region

Q4 2026

Self-hosted DB option for Institution tier (schools)

2027

External SOC 2 Type II audit

A question, a specific requirement, a rabbi or Vaad who wants to audit?

Steve · steve@shomerli.com · WhatsApp +1 (514) 638-9213

Personal reply within 24 hours, business days.