Legal Stack v1.0

Four covenants that define what TinyGuard will not do

Effective: May 24, 2026 (updated May 25, 2026 — see operational note). The video broadcasting platform behind TinyGuard® is shaped by four contractual covenants that are deliberately hard to unwind. Each is locked into every Master Service Agreement (TG-MSA-001 for childcare, TG-MSA-E-001 for elder care). Each is carved out of the liability cap. Each is backed by operator attestation at intake — and software-enforced per-room broadcast gates ship in June 2026.

Why we wrote it this way

The legal docs without the operational surface are paper-thin. The operational surface without the legal docs is unenforceable. The two are co-load-bearing — the signed operator attestation plus append-only audit trail is what makes this model defensible against state-licensing inspections and plaintiff discovery today. The software-enforced broadcast gate (shipping June 2026) adds the automatic enforcement layer on top.

What that means in practice: every covenant below has both a contractual half (in the MSA + per-state addenda) and an operational half (the operator-signed attestation that confirms compliance at intake and annually, plus the software gate that enforces it automatically once live). Neither half is decorative.

Covenant 01 · MSA §3

No biometrics — ever

TinyGuard does not collect, store, process, derive, generate, or transmit biometric data of any kind. No face geometry, no voice prints, no fingerprints, no iris scans, no gait analysis — covered modalities are the full set under U.S. state and federal biometric statutes, not a narrower marketing definition.

Enforced by: standalone covenant in MSA §3, carved out of the liability cap; reaffirmed per state in IL BIPA, WA RCW 19.375, NYC LL3 of 2021 addenda; architecturally — the video pipeline has no code path that takes a face crop and produces a recognition template; AI providers receive structured text, metadata, and (for opt-in photo features such as care-suggestions and parent-photo descriptions) still images of the moment — never video frames, never face crops, never biometric templates. AI calls are scoped to behavioral and safety descriptions of a scene, not identity extraction. To ever change: separately negotiated written amendment per facility, naming the specific modality + lawful basis + retention schedule + liability allocation. No internal feature flag, no limited beta. See the full no-biometrics covenant page.

Covenant 02 · live-only video

Footage is live-only in the cloud; the only persistent copy lives on the in-room Pi

Live broadcast streams travel through Cloudflare's WebRTC relay (Cloudflare Calls SFU) as encoded video and are not retained in TinyGuard's cloud as ongoing archive. The only persistent video copies are incident footage on the in-room edge device (the Raspberry Pi shipped to your facility) and plan-tiered opt-in cloud-archive recordings when a facility explicitly enables them.

Enforced by: infrastructure — the live path through Cloudflare Calls SFU does not persist frames; the recording path is a separate ffmpeg pipeline on the Pi that writes to local disk, with plan-tiered upload to your R2 bucket when subscribed. Why it matters: minimizes TinyGuard's exposure surface — a TinyGuard breach cannot exfiltrate a year of your classroom video, because TinyGuard doesn't have a year of your classroom video. Plaintiff discovery against TinyGuard is bounded to what's documented in the audit log + the in-room device.

Covenant 03 · enrollment-gated broadcast

Parents agree to the broadcast by enrolling, not stream-by-stream

When a parent enrolls a child at a TinyGuard-equipped center, the parent agrees — at enrollment, in writing, via the Center's intake — that the child appears in the room's video broadcast to other enrolled families of that room. Per-stream opt-in was deliberately rejected as commercially dead: a single holdout family killed every room they were in, so no center would deploy it.

Enforced by: the Center holds the parent consent records and signs the operator attestation (TG-ATT-001 / -E-001) confirming 100% room coverage. This signed attestation is the controlling enforcement mechanism today. The software-enforced per-room broadcast gate — which will automatically suspend broadcast when attestation expires or consent coverage drops — ships in June 2026 (see operational note). Complaints about covenant lapses can be filed to compliance@tinyguard.co. Center vs. TinyGuard split: Center is data controller and owns consent collection + signage + operational compliance. TinyGuard is processor and provides infrastructure + audit trail. See DPA (childcare) or BAA (elder care) for the split's mechanics.

Covenant 04 · audio off by default

Audio is off by default; enabling it requires a separate opt-in covering 100% of staff + families

Wiretap statutes apply to recording audio of conversations, including in 13 all-party-consent states (California, Connecticut, Delaware, Florida, Illinois, Maryland, Massachusetts, Michigan, Montana, Nevada, New Hampshire, Pennsylvania, Washington). Audio-on broadcasts therefore require signed audio-addendum consent from every staff member and every family whose children may appear in the room. Audio is off by default across every TinyGuard installation; turning it on is a separate flow with separate consent collection and a separate Center attestation.

Enforced by: audio addendum (TG-PAR-002 for childcare families, TG-RES-002 for elder residents, TG-EMP-001 for staff). Audio is off by default in code (audio_enabled = 0 at device level) across every installation. Per-room signature-coverage gating before audio activation is part of the June 2026 broadcast-gate rollout; until then, audio is enabled only by explicit operator action with Center-confirmed coverage. Why it's the sharpest legal risk: wiretap statutes carry criminal exposure in some states. The covenant's job is to ensure audio cannot accidentally be enabled in violation of state law.

🛡️ Operational enforcement

How covenant compliance is enforced today — and what ships next

Today — operator-attested model: These covenants are operator-attested at intake and reaffirmed annually. The Center signs TG-ATT-001 (or TG-ATT-E-001 for elder care) confirming 100% room coverage; this signed attestation is the controlling enforcement mechanism. Audio is off by default in code. Every attestation signature, consent event, and state change writes to an append-only audit log. Complaints about a covenant lapse should be filed to compliance@tinyguard.co and receive a response within 24 hours.

Shipping June 2026 — software-enforced auto-suspend: Per-room broadcast gates that automatically suspend the broadcast on four conditions: consent coverage below 100%, signage check overdue, Center attestation expired, or device-placement re-check lapsed. The four gate states (consent / signage / attestation / placement) are evaluated by a heartbeat re-evaluator running every 15 minutes; state transitions write to the covenant_gate_audit table. When this ships, the operator-attestation model remains in force — the software gate adds automatic enforcement on top of it. This page updates in lockstep with production deployment.

This pattern is intentional. A regulator or plaintiff who asks "how do you ensure your customer's broadcast is always consent-covered?" gets an answer rooted in a signed attestation today, and in observable software behavior + an append-only audit log after June 2026 — not policy language alone.

How the covenants split between childcare and elder care

The covenants are the same; the legal framework around them differs by vertical because the regulatory regimes differ. Same product behavior under both — different document stack.

Childcare

MSA: TG-MSA-001

Data agreement: Data Processing Agreement (TG-DPA-001)

Privacy regime: COPPA for under-13 children + applicable state child-privacy statutes

Audit + dashboard: per the DPA's controller/processor split + your Privacy Policy

Elder care

MSA: TG-MSA-E-001

Data agreement: Business Associate Agreement (TG-BAA-E-001) — HIPAA path, not a DPA

Privacy regime: HIPAA (45 CFR 160 + 164) + state-specific resident-dignity statutes; recognizes resident capacity, authorized representative, and roommate consent paths

Audit + dashboard: per the BAA's subcontractor and audit obligations

The two stacks remain separate at the data layer: an elder facility runs against the BAA + elder addendum set; a childcare facility runs against the DPA + childcare addendum set. We don't reuse childcare consent patterns for elder facilities — the operating assumption is that elder PHI is in scope.

State addenda

Each state with biometric, wiretap, child-privacy, or elder-dignity statutes that go beyond the federal baseline gets its own addendum, drafted to that state's specifics and signed alongside the MSA. As of 2026-05-24:

Childcare addenda drafted: TX, CA, IL, MN, NY, FL, CT, MD, MA, PA, WA, OR (12 states; TG-STA-001..012).
Elder addenda drafted: TX, IL, WA, MN, OK, UT (6 states; TG-STA-E-001..006).
In drafting queue: NH, NV, MT, DE, MI, OK for childcare.

If your facility is in a state without a drafted addendum, email legal@tinyguard.co — we draft on signing.

Cross-references

No-Biometrics Covenant — Covenant 01 in full.
BAA — elder care HIPAA agreement (TG-BAA-E-001).
DPA — childcare data processing agreement (TG-DPA-001). Page coming soon; email legal@tinyguard.co for the current template.
Privacy Policy — public TG-PUB-001 / -E-001.
Subprocessor list — every third party that touches customer data.
Acceptable Use Policy — what facilities agree not to do with the platform.

Contact

Covenant or legal-stack questions: legal@tinyguard.co
Procurement / counsel review: del@tinyguard.co
Phone: (510) 686-3357
TinyGuard LLC, 7428 SW Ashford St, Tigard, OR 97224