Encryption at rest + in transit
All data is stored encrypted (AES-256) and transferred over TLS 1.2+. Supabase Postgres + Storage handle the at-rest encryption; we never see plaintext keys.
Row-level security on every tenant boundary
Tenant A can never read Tenant B's data — enforced in the database, not just the app code. RLS policies are reviewed with every migration, and the test suite asserts cross-tenant isolation.
TOTP 2FA available for every account
Optional but available on free plans. We support all standard authenticator apps (1Password, Authy, Google Authenticator, etc.) and SMS as a fallback.
Full audit log of landlord actions
Every landlord-initiated change to tenant data is logged with actor, timestamp, IP, and old/new values. Logs are immutable + retained for the lifetime of the account.
Service-role isolation
The Supabase service-role key is server-only; it never reaches the browser. Every API endpoint that uses it has an explicit auth gate before any privileged query runs.
Role-based staff permissions
Org members are owner / admin / manager / leasing / maintenance / accountant / viewer. Each role has tightly scoped action permissions enforced at the API layer + in SQL.
PCI-compliant payments
We never store card numbers or bank credentials. Stripe handles all payment storage + processing. Auto-pay uses Stripe SetupIntents; only payment method IDs (pm_*) live in our database.
Fair Housing guardrails on AI output
Every AI-generated message, listing description, or notice goes through a Fair Housing Act check before reaching a tenant or applicant. Protected-class language is rejected, not just warned about.
Your data is portable
CSV export of tenants, leases, payments, ledger, documents — available any time from Account → Data export. Cancel anytime; data stays accessible through the end of your billing period.
Brute-force throttling
Sign-in attempts are throttled per email address (8 per 15 minutes) and per IP (20 per 15 minutes). Failed logins are logged where only the service role can read them, for security review.
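An added illustration of the throttling described above, written for this page rather than taken from the product's own code: a sliding-window limiter that keeps the two buckets (8 failures per 15 minutes per normalised e-mail, 20 per 15 minutes per IP) and refuses a sign-in when either is full; the in-memory `audit` list and the `record_failures` helper are assumptions standing in for the real service-role-only log.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class SignInThrottle:
    """Sliding-window throttle over recent failed sign-in attempts.

    Two independent buckets are kept, one per normalised e-mail address and one
    per client IP, with the page's limits (8 per 15 min, 20 per 15 min). A sign-in
    is refused when either bucket is full, so failures spread across many accounts
    from one address still run into the per-IP limit.
    """
    window: int = 15 * 60          # seconds
    per_email: int = 8
    per_ip: int = 20
    _by_email: dict = field(default_factory=lambda: defaultdict(deque))
    _by_ip: dict = field(default_factory=lambda: defaultdict(deque))
    audit: list = field(default_factory=list)   # stand-in for the service-role-only log

    @staticmethod
    def _norm(email: str) -> str:
        # Treat "A@X.test" and "a@x.test" as the same account.
        return email.strip().lower()

    def _prune(self, bucket: deque, now: float) -> None:
        # Forget failures that fell out of the 15-minute window.
        while bucket and now - bucket[0] >= self.window:
            bucket.popleft()

    def is_throttled(self, email: str, ip: str, now: float) -> bool:
        emails, ips = self._by_email[self._norm(email)], self._by_ip[ip]
        self._prune(emails, now)
        self._prune(ips, now)
        return len(emails) >= self.per_email or len(ips) >= self.per_ip

    def record_failure(self, email: str, ip: str, now: float) -> None:
        key = self._norm(email)
        self._by_email[key].append(now)
        self._by_ip[ip].append(now)
        # Failed attempts go to a log the browser never reads (assumed structure).
        self.audit.append({"event": "login_failed", "email": key, "ip": ip, "at": now})


def record_failures(t: SignInThrottle, emails, ip: str, now: float) -> None:
    # Helper for tests: one failed attempt per address in `emails`, all from `ip`.
    for e in emails:
        t.record_failure(e, ip, now)
```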
We do not have a SOC 2 report today — we're a young company. A formal SOC 2 Type II is on the roadmap for the year. In the meantime, we're happy to share architecture diagrams and the migration history, and to answer specific questions from your security team.
Contact our security team