You ship the platform. Phosra ships the layer above it.
In 2027, California AB 1043 makes Apple and Google hand every app a real age signal. Phosra reads it, applies the right law, and signs a regulator-replayable receipt — one integration, not a child-safety team.
The biggest platforms haven't taken the seat yet.
Apple, Google, Meta, Netflix, Roblox — the surfaces a kid actually reaches through — carry the heaviest obligations and the loudest demand. The #1 ask from regulators and app stores is a way to consumean age attestation and act on it. That lane is open. Phosra built it as a conformant router so the first platform in isn't locked to one vendor's private API.
Consume the age attestation — and act on it
The app-store age-attestation consume lane is the single most-asked capability platforms want: take an OS-level or app-store age signal, resolve the right policy, and enforce it — without storing a raw birthdate. Phosra ingests the signal, maps it to the OCSS rule registry, returns a signed decision, and writes a receipt a regulator can replay. One integration, every surface you control.
You become the issuer
AB 1043 turns the operating system into a statutory age-signal issuer in 2027. Phosra gives you a conformant way to emit that signal as a signed assertion downstream — and to prove, per request, what you emitted and why. The issuance side and the consume side speak the same envelope, so the chain stays verifiable end to end.
Right policy, whichever surface carries it
Age-gating, parental consent, screen-time, and commercial-data restrictions resolve once and route to whichever surface can enforce them — DNS, MDM, app controls, streaming, social, gaming. Instead of every platform reinventing age logic, the decision is computed against real law and carried in a signed envelope the intermediary can't decrypt.
One decision, end to end — none of it core to your product.
You build the platform. The compliance layer that watches the law, drives enforcement, produces the audit trail, and moves the signal is the part you'd rather not own — so Phosra runs it above your surface, continuously. Here is the path a single decision takes once it does.
91 statutes, tracked weekly
Automated weekly scanning of state, federal, and global child-safety legislation, every statute mapped to the 115 enforceable rule categories (67 anchored / 48 provisional). New laws arrive as policy diffs, not panic.
One call, every surface
A single REST/MCP call drives age-gating, parental consent, screen-time, and commercial-data restrictions across DNS, MDM, streaming, social, and gaming targets. We say which are live and which are planned — never the reverse.
Every decision queryable
Each decision is written to a durable event stream with its rule, input, output, and statute citation, sealed under a signature you can verify. A replayable receipt in 30 seconds — not a 60-day discovery sprint.
OS age signals, in and out
Consume Apple and Google OS-level age signals, and — for issuers — emit your own signed assertion downstream. No raw birthdate stored; the envelope is sealed end to end.
The 50-state patchwork is a roadmap problem, not a one-time project.
Building this in-house means two engineers, six months, and a compliance lawyer on retainer to read every new state bill — and the patchwork keeps growing every quarter.
The roadmap tax
Two engineers, six months, then a compliance lawyer on retainer to read every new state bill. The 50-state patchwork doubles your compliance roadmap every quarter, and each new statute is a migration project — not a config change. Your product engineers are reading legislation instead of shipping features.
One integration, then registry updates
One integration against the conformant router. New laws ship as registry updates — not migration projects — so your engineers stay on product and your legal team gets a queryable audit log instead of a discovery sprint. The standard is open, so you can verify the rule taxonomy at the source rather than take a vendor's word for it.
The frameworks your legal team is already tracking.
The named laws below are a sample of the 91 mapped in the registry — each resolves to enforceable rule categories, not a documentation wish. The full index links out to the compliance hub.
We implement OCSS. We don't own it.
OCSS — the Open Child Safety Specification — is an open standard, currently an individual IETF Internet-Draft (Draft 4, pre-release), not yet ratified by any standards body. Phosra is its reference implementer and one accredited network running on it — like Yubico for FIDO2: we build the thing, we don't control the standard.
That separation is the asset for a platform. A standard you can't capture is one you can adopt without being locked to a single vendor's private API. The canonical spec, the rule registry, and the conformance suite live at openchildsafety.com — not here. We are building toward OCSS Certified: a status earned from the standard and its conformance suite, never a badge we issue ourselves.
OCSS is the open standard. Phosra is its reference implementer and one network on it — it owns neither the standard nor a seal it can hand you.
Like Yubico for FIDO2.
Conformance is evidence, not approval.
This is the one line your procurement and policy teams care about most, so we state it exactly as the spec does. OCSS conformance does not confer regulatory approval and is not a COPPA safe harbor — it is evidence a regulator can weigh, alongside everything else, when they evaluate you.
The boundary, verbatim
We quote §5.1 of the OCSS Trust Framework with no softening and no implied stamp — the same text a regulator would read at the source.
“A conformance result is evidence that an implementation satisfies the tested requirements at the time of testing. It is not an approval, a certification by the steward, or a determination of legal compliance, and it confers no safe harbor under any statute.”
Read the full §5.1 at openchildsafety.com.
The receipt, not the assertion
Every enforcement decision leaves a signed, replayable receipt — what was decided, under which rule, and against which statute — so a regulator can verify it without us exporting a single user's data.
Illustrative shape — field names follow the OCSS rule registry. The router reads only the headers it needs to move the signal; the payload is encrypted to the recipient.
Built for the security review your procurement team will send.
SOC 2 Type II is in progress, with an expected audit window of 2026 — stated as a status, not a claim. Here is the posture you can review today.
AES-256-GCM
Policy state and child PII are encrypted at rest with AES-256-GCM on top of standard disk encryption, with tenant scoping enforced at the application layer on every query.
TLS 1.3, mTLS available
HTTPS enforced end-to-end with TLS 1.3 and HSTS at the edge. Mutual TLS is available for platform integrations that require it.
Verifiable consent flows
Verifiable parental-consent flows produce evidence a regulator can weigh — not a COPPA safe harbor, and never represented as one.
SOC 2 Type II
SOC 2 Type II is in progress with an expected 2026 audit window. We share the current status letter on request — the status, not a finished claim.
See the audit trail in 30 minutes.
We'll walk one of your existing compliance gaps live — the consume lane, the AB 1043 issuer path, or a single statute mapping — and hand you the spec to evaluate before you book a follow-up.
Verify the standard itself at openchildsafety.com — spec, rule registry, and conformance suite.