Trailhead — Council Briefing
Why Trailhead is YPT-compliant by construction.
Audience: Spirit of Adventure Council — DRE, Scout Executive, Council YPT review.
Time to read: under 5 minutes.
Trailhead's compliance is not a policy bolted on top. It is the shape of the data and the shape of the screens. A leader who wanted to violate Youth Protection would find no button to press.
What Trailhead is
Trailhead is a private, invite-only web app for one Scout troop. It replaces the patchwork of SignUpGenius, Doodle, MealTrain, BAND, and GroupMe that troops use today. It does three things, and only those three things:
- Trailhead Events — sign-ups, RSVPs, meal coordination.
- Trailhead Polls — yes / no / interested / going signals.
- Trailhead Rank Up — visibility into who's working on which requirement, and who's already done it and could help.
There is no chat, no DM, no group messenger, no photo album, no video call in Trailhead. The app is built around taps, not sentences.
How YPT is enforced
| YPT rule (Scouting America) | How Trailhead enforces it |
|---|---|
| No one-on-one digital contact between adults and youth. | The app has no way to address one user. Every message goes to a named audience (a patrol, all parents, the PLC, etc.). There is no "compose to user" anywhere. |
| Two-deep applies to digital communication. | Any audience that includes a Scout automatically also includes that Scout's parent. The app shows the recipient list before the message is sent. The leader cannot turn this off. |
| No private channels. | The app has a fixed, public list of audiences (all, scouts, parents, leaders, patrol:<id>, etc.). There is no "create a group" feature. Adding a new audience requires a code change. |
| Communication in a public-or-copied forum. | Every message is visible to its full audience. Replies are reactions or audience-scoped responses — never "reply privately." |
| Only trained adults hold leader power. | Every leader action checks the adult's Safeguarding Youth Training expiration. When SYT lapses, the leader's composer screens disable until they retrain. The app surfaces a banner; Council can pull a list of "leaders with expired training" anytime. |
| Photos of minors are a high-risk surface. | Trailhead does not host photos of Scouts in v1. There is no photo-upload field on events, profiles, or posts. Avatars are auto-generated initials. Photos remain on the troop's existing Council-approved channels. |
| Audit trail. | Every Scout-touching action writes an append-only log entry. Nobody can edit or delete entries. On Council request, the troop admin exports a sealed CSV of any date range. |
What is impossible by construction
These are not "policies we follow." These are features that do not exist in the app:
- A leader cannot send a private message to a Scout. (No surface.)
- A leader cannot create a group that excludes parents. (No surface.)
- A Scout cannot have an inbox that their parent doesn't see. (Same notification, two delivery rows.)
- A leader whose YPT/SYT has expired cannot create events, post announcements, or sign off requirements. (Capabilities gated.)
- An admin cannot quietly delete an audit log entry. (Append-only. DB-level constraint.)
- A shared event link cannot leak Scout names, contact info, or allergy data to a non-registered family. (Public preview is redacted by design.)
Privacy of Scout PII
| Data | Visible to |
|---|---|
| Name, patrol, current rank | Anyone in the troop (parents and Scouts can see the roster). |
| Date of birth, school | Parent and Scout themselves only. Not on rosters. Not in audit log fields. Not in exports without explicit Council authorization. |
| Phone (Scout's, if any) | Parent and Scout themselves. Tap-to-call from the roster dials the parent's phone, never the Scout's. |
| Allergy information | The data model captures only a Y/N flag, not detail. The flag is visible to the Scout, parent, and the meal grub for review. Medical detail lives on the BSA medical form — never in Trailhead. |
| Photos | None in v1. |
What Council reviews periodically
When Council audits the troop's use of Trailhead, the deliverables are:
- A list of all registered leaders with their current SYT expiration dates. (Exportable by admin.)
- A confirmation that no audiences have been added or modified since the last review. (The audience set is in code; if it has changed, the change is in the audit log.)
- A sample of message-sent audit rows showing recipient counts on Scout-touching messages. (Every row should show ≥1 parent in the resolved recipients for messages addressed to audiences containing Scouts.)
- Any Scout-touching deletions or quiet-hours overrides. (Both are logged with reason.)
Trailhead's admin can produce all four reports in one CSV export, in the troop steward's office, in under 5 minutes.
What this means for Council's risk
Trailhead reduces the Council's YPT risk surface relative to the status quo:
- Today, troops coordinate via group texts, third-party signup tools, GroupMe, and Discord — most of which permit private DMs to minors and have no audit trail. Trailhead's adoption by a troop takes that risk off Council's surface area for that troop.
- The structural protections in Trailhead are more restrictive than YPT's published baseline (e.g., parents have inbox-parity with Scouts, beyond what YPT requires).
- The single-tenant deployment model means Trailhead has no path to cross-troop data leakage. One troop, one server.
Cost to the troop, the Council, and BSA
Zero. Trailhead is hosted by the volunteer who built it, on his own server, behind Cloudflare Tunnel, sustained by his company for five years. There is no subscription. There is no ad model. There is no email-harvesting rev share. There is no "pro tier" upsell. If the hosting deal ever ends, the codebase is self-host-able by any tech-comfortable parent in any troop.
— Plan at the trailhead. Live at the campsite.