Platform Governance

Who Controls What — and Who Doesn't

Governance on Child First is deliberately constrained. No single party can move funds unilaterally. This page documents how decisions are made today and where we are heading.

Core Governance Principle

The smart contracts are the constitution. They enforce rules that no human — including the platform owner — can override. Governance exists only to fill the gaps the contracts cannot cover: approving operators, verifying impact claims, and evolving the platform over time.

Roles & Permissions

RoleCan DoCannot Do
OwnerPlatform Owner
  • Whitelist / blacklist operator addresses (off-chain review)
  • Deploy upgraded contract versions
  • Publish platform-wide policies
  • Pause a campaign in emergency (on-chain pause function)
  • Move campaign funds directly
  • Override a milestone outcome unilaterally
  • Bypass the dual-approval disbursement gate
  • Access donor wallet keys or personal data
OperatorCampaign Operator
  • Deploy a new Campaign contract via the Factory
  • Submit milestone completion evidence
  • Request a disbursement (first signature)
  • Update campaign metadata (title, description, images)
  • Receive funds without Director co-signature
  • Modify the campaign's beneficiary address post-deploy
  • Issue or revoke donor NFT receipts
  • Access other operators' campaigns
DirectorCampaign Director
  • Review milestone evidence submitted by the Operator
  • Approve or reject a disbursement request (second signature)
  • Flag suspected fraud to the platform owner
  • Initiate a disbursement (must be Operator-first)
  • Change beneficiary addresses
  • Access donated funds without the Operator's co-signature
DonorDonor
  • Donate MATIC and receive a soulbound NFT receipt
  • View all transactions, milestones, and disbursements on-chain
  • Report campaign concerns to the platform
  • Request a refund if a campaign closes below its goal (v2 roadmap)
  • Transfer their soulbound NFT receipt (prevents donation recycling)
  • Control how funds are disbursed — that is the Director's role

How a Disbursement is Approved

Every time funds move from a campaign contract to a beneficiary, two independent parties must sign off. This is enforced on-chain.

1

Milestone Completion Claim

The Operator marks a milestone complete on-chain and attaches a hash of the supporting evidence (photos, receipts, reports) stored in decentralised storage.

2

Director Review

The Director — independent of the Operator — reviews the evidence link and either approves or rejects the milestone.

3

Dual-Sign Disbursement

With both signatures present, the campaign contract releases the milestone tranche directly to the pre-configured beneficiary address.

4

On-Chain Record

A Disbursement event is emitted and permanently recorded. The amount, timestamp, beneficiary, and both signatories are visible to anyone on Polygonscan.

5

NFT Metadata Update

Donor NFT receipts are updated to reflect the latest disbursement milestone — donors can always see the current impact state of their contribution.

Conflict-of-Interest Policy

🚫

Operator ≠ Director

The Director of a campaign must be independent of the Operator. A single entity cannot hold both roles on the same campaign.

🔒

No Operator–Beneficiary Identity

The operator organisation may not be the primary beneficiary of the funds they administer. Beneficiary addresses are locked at deploy time.

📣

Disclosure Requirement

Any financial relationship between an Operator and a Director must be disclosed to the platform owner before campaign launch.

Annual Re-attestation

All approved operators re-attest conflict-of-interest disclosures annually. Failure to re-attest suspends new campaign creation.

Becoming an Operator

Operators are the on-the-ground administrators of individual campaigns. They submit milestone completion evidence and request disbursements. Operator approval is the primary human-trust gate on the platform.

Eligibility Criteria

  • Registered legal entity (non-profit, NGO, CBO, or equivalent) with a minimum 12-month operating history.
  • Published financial statements or equivalent third-party audit for the most recent fiscal year.
  • Designated responsible officer who provides personal identity verification (KYC).
  • Verifiable track record of direct child welfare programming.
  • Signed commitment to the Child First Platform Code of Conduct.
  • Ethereum/Polygon wallet under exclusive organisational control (not a custodial exchange address).

Application Process

  1. Submit organisation registration documents and proof of charitable status.
  2. Provide three verifiable references from beneficiary communities or co-operating NGOs.
  3. Agree to the Operator Code of Conduct and on-chain identity attestation.
  4. Await platform review (≤10 business days). Approved operators are whitelisted at the CampaignFactory contract level.
  5. Pilot with a capped campaign (≤500 MATIC) for an initial 60-day probation period.

Contact: operators@childfirst.io (launch mailbox — not active until Q3 2026).

How Platform Rules Change

Until the community DAO is established, changes to off-chain platform rules follow a structured review process:

01

Proposed change is documented and published at governance.childfirst.io with a 14-day public comment period.

02

All active operators are notified by email with a direct link to the proposal.

03

Substantive objections are reviewed; platform owner responds publicly to each.

04

Change is finalised or withdrawn. If finalised, a minimum 7-day notice period precedes implementation.

05

Post-implementation review after 30 days; any negative outcomes trigger an immediate roll-back assessment.

Smart contract parameters (fee rate, milestone rules) require a contract upgrade. All upgrades will be announced at least 30 days in advance and the old contract will accept no new campaigns while the upgrade is pending.

Road to Community Governance

The current governance model is intentionally simple — it removes attack surface during the platform's early, highest-risk phase. As volume and trust grow, control progressively transfers to the community.

1

Phase 1 — Constrained Launch

Now → Q2 2026
  • Platform owner holds all administrative keys
  • Operators whitelisted by manual review only
  • Directors appointed per-campaign by the platform owner
  • All governance decisions documented publicly
2

Phase 2 — Operator Council

Q3 2026
  • Top 5 operators by verified campaign volume form an advisory council
  • Council votes on new operator applications (advisory, not binding)
  • Dispute resolution board introduced for milestone disagreements
  • Quarterly governance report published on-chain
3

Phase 3 — Community DAO

Q4 2026 — Q1 2027
  • Governance token or NFT-weighted voting introduced
  • DAO controls platform fee parameters (capped at 0% indefinitely by constitution)
  • Operator whitelisting passes to DAO vote
  • Platform owner retains only emergency pause key
  • Smart contract governance via timelock controller
4

Phase 4 — Full Decentralisation

2027+
  • Emergency pause key transferred to a multi-sig DAO committee
  • Platform owner has no privileged access
  • Constitution changes require 67% supermajority DAO vote
  • All governance activity on-chain, fully auditable

Reporting Concerns

Any donor, operator, director, or member of the public may report suspected misconduct. Reports are treated as confidential. Retaliation against good-faith reporters is a permanent ban offence.

Reporting channel: whistleblower@childfirst.io (encrypted via PGP on request) | Policy document: WHISTLEBLOWER_POLICY.md

Verify Everything On-Chain

Every rule described here is backed by auditable smart contract code. Don't take our word for it — read the contracts.

View Transparency ReportRead the Whitepaper