Security
Your data security is foundational to everything we build.
PropDocket handles property data, account credentials, and billing information. We treat every piece of data with the same level of care — applying defense-in-depth principles across our infrastructure, application layer, and operational practices.
Infrastructure
- Hosting: Our application and database are hosted on Supabase infrastructure in the United States, with managed PostgreSQL databases that are automatically backed up daily.
- CDN & Edge: Static assets and the web application are served through Vercel's global edge network, providing DDoS protection and automatic TLS termination.
- Isolation: Each customer's data is logically isolated using row-level security (RLS) policies enforced at the database level — not just the application layer.
Encryption
- In transit: All traffic between your browser and PropDocket is encrypted with TLS 1.2+ (HTTPS). API calls, webhook payloads, and third-party integrations also use encrypted channels.
- At rest: Database storage is encrypted at rest using AES-256. Backups are also encrypted.
- Passwords: User passwords are hashed with bcrypt before storage. We never store or log plaintext passwords.
Authentication & Access Control
- OAuth 2.0: We support Google OAuth for secure single sign-on. OAuth tokens are short-lived and scoped to the minimum required permissions.
- Session management: Sessions are managed via secure, HttpOnly cookies with automatic expiration. Session tokens are rotated on privilege changes.
- Row-level security: Database queries are scoped by organization using Supabase RLS policies, ensuring users can only access data belonging to their organization.
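As an added illustration of the isolation model described in the Infrastructure and Authentication sections (organization-scoped row-level security enforced by PostgreSQL rather than by application code), the following policy set shows how that pattern is typically expressed on Supabase. This is example code written for this page, not PropDocket's actual schema or policies; the table names (organizations, memberships, properties) and columns are assumptions. auth.uid() is Supabase's built-in function that returns the authenticated caller's user id from the request JWT.

```sql
-- Added example: organization-scoped RLS on PostgreSQL/Supabase.
-- Assumed schema (not PropDocket's): organizations, memberships, properties.
create table if not exists organizations (
  id   uuid primary key default gen_random_uuid(),
  name text not null
);

-- One row per (user, organization) pair; this table is the source of truth
-- for "which organizations may this caller see".
create table if not exists memberships (
  user_id         uuid not null references auth.users (id),
  organization_id uuid not null references organizations (id),
  primary key (user_id, organization_id)
);

create table if not exists properties (
  id              uuid primary key default gen_random_uuid(),
  organization_id uuid not null references organizations (id),
  parcel_id       text not null,
  address         text not null
);

-- 1. Enable RLS. With RLS on and no policies, non-owner roles get no rows
--    (default deny), so every access path has to be granted explicitly.
alter table properties  enable row level security;
alter table memberships enable row level security;
-- Apply the policies to the table owner as well, so a connection using the
-- owning role cannot bypass them by accident.
alter table properties  force row level security;
alter table memberships force row level security;

-- 2. Reads: a caller sees only rows whose organization they belong to.
--    The subquery runs with the caller's auth.uid(), per request.
create policy "org members can read properties"
  on properties for select
  to authenticated
  using (
    organization_id in (
      select organization_id from memberships where user_id = auth.uid()
    )
  );

-- 3. Writes need WITH CHECK, not only USING: USING filters rows that are
--    already visible, WITH CHECK validates the row being written, so a caller
--    cannot insert a row into (or move a row into) an organization they are
--    not a member of.
create policy "org members can insert properties"
  on properties for insert
  to authenticated
  with check (
    organization_id in (
      select organization_id from memberships where user_id = auth.uid()
    )
  );

create policy "org members can update properties"
  on properties for update
  to authenticated
  using (
    organization_id in (
      select organization_id from memberships where user_id = auth.uid()
    )
  )
  with check (
    organization_id in (
      select organization_id from memberships where user_id = auth.uid()
    )
  );

-- 4. The memberships table is itself protected: callers may read only their
--    own rows, and there is deliberately no insert/update policy for the
--    authenticated role, so membership changes must go through a trusted
--    server-side path rather than a client request.
create policy "users can read their own memberships"
  on memberships for select
  to authenticated
  using (user_id = auth.uid());
```

Two practical checks go with a setup like this. First, every table the client can reach through the API needs RLS enabled, including join tables such as memberships; a single unprotected table reintroduces cross-tenant reads even if the main table is locked down. Second, Supabase's service-role key bypasses RLS by design, so it belongs only in trusted server-side code and must never be shipped to the browser; the anon and authenticated roles are the ones these policies actually constrain. Policies can be exercised from a SQL session by switching to the authenticated role and supplying a JWT claims setting for a test user, and a membership-less user should then see zero rows from properties.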
Payment Security
All payment processing is handled by Stripe, a PCI-DSS Level 1 certified payment processor. PropDocket never receives, processes, or stores full credit card numbers. We retain only Stripe customer IDs, subscription status, and invoice references.
Data Handling
- Public records only: Property data in PropDocket reports is sourced from public records — Florida DOR, county property appraisers, FEMA flood maps, and ASCE standards. We do not collect or store private personal information about property owners beyond what is publicly available.
- Minimal data collection: We collect only the information necessary to provide the service — account details, billing data, and usage analytics.
- Data deletion: Account data is deleted within 30 days of account closure. Users can request data export or deletion at any time.
Monitoring & Incident Response
We monitor application and infrastructure health continuously. Automated alerts notify our engineering team of anomalies, errors, or suspicious activity. In the event of a security incident, we follow a documented response process that includes containment, investigation, notification, and remediation.
Responsible Disclosure
If you discover a security vulnerability in PropDocket, we appreciate your help in disclosing it responsibly. Please email [email protected] with details of the issue. We will acknowledge receipt within 48 hours and work to resolve confirmed vulnerabilities promptly.
Report a Vulnerability
Email: [email protected]
Please do not publicly disclose vulnerabilities before we have had a chance to investigate and address them.