Non-profit · Open standard · No shareholders · No conflicts of interest
The open standard for child digital safety

The PCI DSS
for protecting children

6 domains. 90 controls. One API. The compliance framework that makes every platform accountable for child safety.

Explore the standard For platforms For policy makers
There is no shared standard for child digital safety.
No common framework for detection, reporting, or compliance.
36.2 million CSAM reports last year — and the industry needs a consistent way to measure and improve.
1 in 3
children aged 8-11 on social media despite age limits
Ofcom 2024
45 min
average time from first contact to exploitation request
IWF 2023
72%
of children's apps leak data to third-party trackers
ICSI / USENIX 2023
0
shared standards exist for child safety compliance across platforms

Regulators are writing laws. The industry needs a shared standard to comply. Custorian provides that framework — open, auditable, and designed for adoption.

0
Domains
0+
Controls
0
API Endpoints
0
Regulatory Frameworks Mapped

Join parents committed to protecting children in the digital world.

Take the Pledge
Custorian Controls Framework

6 domains. Every threat vector covered.

Each domain is backed by published research and real-world incident data. These aren't theoretical — they're the gaps children fall through today.

CS-AC

Age Controls

Multi-signal age verification without invasive checks. Parent attestation, device family accounts (Apple/Google), school deployment brackets, and EU Digital Identity Wallet integration when available. No face scans. No ID uploads. Privacy-preserving by design.

89%
of children lie about age online
5
Required controls

Ofcom 2024: 1 in 3 children aged 8-11 have a social media profile despite minimum age of 13. Source

CS-CD

Content & Design Safety

Harmful content detection, dark pattern prohibition, and elevated moderation standards where minors are present.

45%
of teens see harmful content weekly
13
Required controls

EU Kids Online 2024: 45% of 12-16 year olds encountered harmful content in the past month. Source

CS-DM

Data & Privacy for Minors

Data minimization, on-device processing by default, DPIA requirements, and absolute prohibition on minor data for advertising.

72%
of children's apps share data with 3rd parties
11
Required controls

ICSI 2023: 72% of apps in the Play Store children's category transmitted data to third-party trackers. Source

CS-PR

Parental Rights & Child Agency

Parent dashboards and safety boundaries — with built-in protections for teen autonomy. Empowerment, not surveillance. Children aged 13+ are notified when monitoring is active.

67%
of parents feel they lack tools
12
Required controls

Pew Research 2024: Technology is the #1 reason parents say parenting is harder today. Source

CS-MR

Monitoring, Detection & Response

Real-time threat detection, incident response SLAs, accuracy transparency, and mandatory reporting for CSAM and imminent danger.

36.2M
CSAM reports to NCMEC in 2023
16
Required controls

NCMEC 2023: 36.2M CyberTipline reports. The standard defines detection requirements with accuracy thresholds by category and language. Source

CS-GO

Governance & Policy

Child Safety Officers at executive level, mandatory training, third-party vendor management, and regulatory compliance mapping.

0
shared child safety audit standards exist
9
Required controls

The industry lacks a shared audit framework for child safety. PCI DSS created this for payments. Custorian creates it for children.

Custorian API Specification

One API. Every safety tool interoperates.

OpenAPI 3.1 specification. Platforms implement it. Auditors and researchers consume it. Everyone speaks the same language.

POST /custorian/v1/detect
Content analysis endpoint that platforms implement. Returns threat categories, confidence scores, behavioral signals, and recommended actions per the standard.
CS-MR.1.1 – CS-MR.1.5CS-CD.1.1 – CS-CD.1.8
{
  "threat_assessment": {
    "overall_risk": "high",
    "categories": [{
      "category": "grooming",
      "confidence": 0.92,
      "triggered_patterns": ["secrecy_request", "age_probing"],
      "explanation": "Adult contact requesting child keep conversation secret"
    }],
    "recommended_action": "restrict_and_notify",
    "mandatory_report": false
  },
  "processing": { "on_device": true, "latency_ms": 45 }
}
GET /custorian/v1/alerts
Standard endpoint for safety alert delivery. Platforms must surface alerts within 5 minutes of detection per CS-PR requirements.
CS-PR.1.1 – CS-PR.1.2
{
  "alerts": [{
    "category": "grooming",
    "severity": "high",
    "confidence": 0.89,
    "summary": "Unknown adult contact exhibiting grooming patterns",
    "status": "new"
  }],
  "unreviewed_count": 3
}
GET PUT /custorian/v1/controls
Parental safety controls specification. Screen time, contact management, content filtering. Age-graduated defaults required by the standard.
CS-PR.2.1 – CS-PR.2.5
{
  "controls": {
    "screen_time": { "daily_limit_minutes": 120 },
    "contacts": { "unknown_contact_policy": "block" },
    "monitoring": { "level": "moderate", "child_notification": true }
  }
}
POST /custorian/v1/age/verify
Age verification specification. Supports document, biometric estimate, third-party attestation, parental confirmation. Evidence never retained.
CS-AC.1.1 – CS-AC.1.5
{
  "result": "verified",
  "age_bracket": "13-15",
  "confidence": 0.95,
  "evidence_retained": false
}
GET /custorian/v1/accuracy
Accuracy transparency endpoint. Platforms must publish detection accuracy quarterly by category and language. Precision ≥85%, recall ≥75% required.
CS-MR.3.1 – CS-MR.3.5
{
  "period": "2026-Q2",
  "grooming": { "precision": 0.88, "recall": 0.79 }
}
POST /custorian/v1/report
Mandatory reporting endpoint. The standard requires CSAM and imminent danger reports to law enforcement within 1 hour.
CS-MR.2.1
{
  "report_type": "csam",
  "severity": "critical",
  "jurisdiction": "DK",
  "reporting_destination": "ncmec"
}
GET /custorian/v1/audit
Compliance verification endpoint for Qualified Safety Assessors. Full audit trail required for certification.
CS-MR.2.4QSA access only
{
  "entries": [{
    "category": "grooming",
    "action_taken": "parent_notified_contact_restricted",
    "response_time_minutes": 2.3
  }],
  "total_entries": 4521
}

For developers: Full OpenAPI 3.1 specification available. Browse the interactive API docs — all endpoints, schemas, and parameters. SDKs and integration guides are in progress.

For Platforms

Implement the standard. Achieve certification.

Platforms implementing Custorian gain a documented compliance pathway for DSA Article 28, DSA Article 35 risk assessments, and the EU AI Act. Comply once, satisfy many.

01

Self-Assess

Download the Self-Assessment Questionnaire for your platform level. Map your existing controls to Custorian requirements. Identify gaps.

02

Implement

Implement the Custorian API specification using your own infrastructure. A reference implementation is available for validation and testing.

03

Certify

Submit your self-attestation for Custorian Certified status. Level 1 and 2 platforms require Qualified Safety Assessor validation.

The Custorian Flywheel

Platforms implement the standard
Detection quality becomes measurable
Regulators reference the framework
Adoption costs drop
More children are protected

Custorian is a standard, not a product. Existing child safety tools are valuable — Custorian gives them a shared compliance framework to certify against. Standards don't replace products. They elevate entire industries. Like PCI DSS elevated payments. Like EPEAT elevated sustainable electronics. Custorian elevates child safety.

Compliance Model

Tiered by scale. Validated by evidence.

Like PCI DSS merchant levels, but based on minor user count. Larger platforms face stricter validation.

1
>1M minors
Annual QSA audit. Quarterly accuracy reports. 24/7 incident response.
Major social, video, gaming platforms
2
100K – 1M
Annual QSA audit or Self-Assessment. Independent accuracy audit.
Mid-tier social, streaming, messaging, educational platforms
3
10K – 100K
Annual Self-Assessment. Self-reported accuracy metrics.
Niche social, indie games, regional EdTech
4
<10K
Simplified Self-Assessment. Designed to not burden small builders.
Startups, small apps, school tools
Regulatory Cross-Map

One standard. Every regulation covered.

Every Custorian control maps to existing law. Comply once, satisfy many.

🇪🇺

EU Digital Services Act

Articles 28 & 35 — protection of minors + systemic risk assessments. CCF is the methodology.

In force
🇪🇺

EU AI Act

High-risk AI systems affecting minors. CCF provides the compliance pathway.

In force
🇬🇧

Age Appropriate Design Code

All 15 AADC standards cross-mapped to Custorian controls.

In force
🇩🇰

Denmark Under-15 Law

Social media restrictions for under-15s. Custorian Certified = compliance shortcut.

2027
🇺🇸

COPPA 2.0 / KOSA

Kids Online Safety Act. CCF covers all proposed requirements.

In progress
🇪🇺

Jutland Declaration

25 EU states committed to child digital safety. Signed in Odense, 2025 — where Custorian is being developed.

Signed 2025
🇪🇺

Child Sexual Abuse Regulation

CAS includes standardised CSAM detection and reporting API.

In progress
🌍

AU Malabo Convention

African Union cyber security & data protection. Custorian maps EU + African regulatory coverage.

Mapping in progress
🇰🇷

South Korea Youth Protection Act

The world's most aggressive online child safety laws. Real-name verification, game curfews.

Mapping in progress
🇪🇺

EU Digital Identity Wallet (eIDAS 2.0)

Age verification without revealing identity. Custorian is designed for day-one integration when the EU wallet launches — proving a child is under 13, under 16, or over 18 without exposing who they are.

Pilots 2026–2027
Download Policy Brief (PDF) Download SAQ Template (PDF)
Partnerships & Advisory

Built with the organisations that matter.

Custorian integrates with industry-standard child safety infrastructure and is guided by independent experts.

Technology Partners

Thorn Safer

CSAM hash matching API for image detection

Application in progress

Microsoft PhotoDNA

Perceptual image hashing for CSAM detection

Application in progress

Advisory Council Forming

ECPAT

Global network against child exploitation

In dialogue

IWF

Internet Watch Foundation, UK

In dialogue

Datatilsynet

Danish Data Protection Authority

In dialogue

Digitaliseringsstyrelsen

Danish Digital Agency / National DSA Coordinator

Planned outreach
Who it's for

For platforms, institutions, and families.

Platforms

Certify against the Custorian Controls Framework. Demonstrate DSA and AI Act compliance. Listed on the certified registry.

Contact us

Audit Organisations

Become a licensed Custorian Qualified Safety Assessor (QSA). Conduct compliance audits for platforms.

Contact us

Schools & Municipalities

Anonymised aggregate dashboards, threat trend analysis, compliance reports, and intervention playbooks.

Contact us for pilot programmes

Families

Free reference app. On-device detection, parent alerts, child interventions, content ratings. No subscription. No data collected.

Free — always
Developing in the open

The standard is being drafted. The framework is taking shape.

Custorian Controls Framework v0.1 is in open review. The standard is being developed through open consultation with child safety organisations, regulators, platform engineers, and academic researchers. We're looking for pilot schools, platform partners, policy advisors, and QSA candidates.

Contact

Get in touch

For partnerships, pilot programmes, certification inquiries, research collaboration, or press — reach us directly.

info@custorian.org
Advisory Council

The Advisory Council is a curated group of experts in child safety, cybersecurity, policy, and technology. Membership is by invitation or expression of interest.

Parent Pledge

I pledge to protect my child in the digital world

Join thousands of parents who believe children deserve real protection online — not surveillance, not neglect, but intelligent, privacy-respecting safety built into the devices they use every day.

0

PARENTS HAVE PLEDGED

Your data is used only to send you the app and updates. Never shared. Never sold. Unsubscribe any time. Custorian is a non-profit.