Data Security

Last updated: November 23, 2025

Our Security Commitment

At Software Harbor LLC, operator of SmartRental Investor, we take the security of your data seriously. This document outlines the comprehensive security measures we implement to protect your information from unauthorized access, disclosure, alteration, and destruction.

1. Infrastructure Security

1.1 Hosting and Network Security

  • Secure Hosting: Enterprise-grade cloud infrastructure with built-in DDoS protection
  • Firewalls: Web application firewall (WAF) to protect against common attacks
  • Network Isolation: Segmented network architecture with restricted access
  • Regular Updates: Automated security patches and system updates
  • Redundancy: Multiple availability zones for high availability

1.2 Physical Security

  • Data centers with 24/7 physical security
  • Biometric access controls
  • Security cameras and monitoring
  • Environmental controls (fire suppression, climate control)

2. Data Protection

2.1 Encryption

  • In Transit: All data transmitted using TLS 1.3 encryption (HTTPS)
  • At Rest: Database encryption using AES-256
  • Passwords: Bcrypt hashing with salt for password storage
  • Sensitive Data: Additional encryption for payment tokens and personal information

2.2 Data Minimization

  • We only collect data necessary for our Service
  • Regular data purging of unnecessary information
  • Anonymization of data where possible
  • No storage of payment card details (handled by Stripe)

2.3 Backup and Recovery

  • Daily automated backups
  • Geographically distributed backup storage
  • Regular restoration testing
  • Point-in-time recovery capabilities
  • Disaster recovery plan with RTO/RPO targets

3. Application Security

3.1 Authentication & Access Control

  • Secure Authentication: Managed by Supabase Auth
  • Session Management: Secure session tokens with automatic expiration
  • Password Requirements: Minimum 8 characters with complexity requirements
  • Account Lockout: Protection against brute force attacks
  • Email Verification: Required for new accounts

3.2 Security Best Practices

  • OWASP Compliance: Following OWASP Top 10 security guidelines
  • Input Validation: Sanitization of all user inputs
  • SQL Injection Prevention: Parameterized queries and ORM usage
  • XSS Protection: Content Security Policy (CSP) headers
  • CSRF Protection: Anti-CSRF tokens for state-changing operations
  • Rate Limiting: API rate limiting to prevent abuse

3.3 Code Security

  • Regular security audits and code reviews
  • Dependency vulnerability scanning
  • Static application security testing (SAST)
  • Secure development lifecycle (SDLC)
  • Version control with audit trails

4. Payment Security

4.1 PCI Compliance

  • Stripe Integration: PCI DSS Level 1 compliant payment processor
  • No Card Storage: We never store credit card numbers
  • Tokenization: Card details replaced with secure tokens
  • Secure Checkout: Embedded Stripe Checkout for secure payments
  • 3D Secure: Additional authentication for European cards

4.2 Transaction Security

  • Encrypted payment communications
  • Fraud detection and prevention
  • Secure webhook validation
  • Payment confirmation emails
  • Audit logs for all transactions

5. Monitoring & Incident Response

5.1 Security Monitoring

  • 24/7 Monitoring: Continuous security monitoring via Sentry
  • Error Tracking: Real-time error detection and alerts
  • Anomaly Detection: Unusual activity monitoring
  • Performance Monitoring: System health and availability tracking
  • Security Logs: Comprehensive logging of security events

5.2 Incident Response Plan

  • Detection: Automated alerts for security incidents
  • Assessment: Rapid evaluation of incident severity
  • Containment: Immediate action to limit impact
  • Eradication: Removal of threat and vulnerabilities
  • Recovery: Restoration of normal operations
  • Lessons Learned: Post-incident review and improvements

5.3 Breach Notification

In the unlikely event of a data breach that affects your personal information, we will:

  • Notify affected users within 72 hours of discovery
  • Provide details about what information was affected
  • Explain steps we're taking to address the breach
  • Offer guidance on protective measures you can take
  • Comply with all applicable breach notification laws

6. Third-Party Security

6.1 Vendor Assessment

We carefully vet all third-party service providers for security:

  • Security certifications review (SOC 2, ISO 27001)
  • Data processing agreements
  • Regular security assessments
  • Contractual security obligations

6.2 Key Service Providers

Provider | Service | Security Certifications
Stripe | Payment Processing | PCI DSS Level 1, SOC 1/2
Supabase | Authentication & Database | SOC 2 Type II
Vercel | Hosting | SOC 2 Type II
Sentry | Error Monitoring | SOC 2 Type II, ISO 27001

7. Internal Security

7.1 Access Controls

  • Principle of least privilege
  • Role-based access control (RBAC)
  • Multi-factor authentication for admin access
  • Regular access reviews and audits
  • Immediate revocation upon termination

7.2 Employee Training

  • Security awareness training
  • Privacy and data handling training
  • Phishing and social engineering awareness
  • Incident reporting procedures
  • Regular security updates and briefings

7.3 Development Security

  • Secure coding practices
  • Code review requirements
  • Separate development/staging/production environments
  • No production data in development
  • Secrets management system

8. Compliance & Certifications

8.1 Regulatory Compliance

  • GDPR: EU data protection compliance
  • CCPA: California privacy rights compliance
  • PIPEDA: Canadian privacy law compliance
  • State Laws: Various US state privacy law compliance

8.2 Security Standards

  • OWASP Top 10 compliance
  • NIST Cybersecurity Framework alignment
  • Industry best practices adoption
  • Regular third-party security assessments

9. Your Security Responsibilities

Security is a shared responsibility. You can help protect your account by:

  • Strong Passwords: Use unique, complex passwords
  • Account Security: Don't share your login credentials
  • Email Security: Protect the email associated with your account
  • Device Security: Keep your devices and browsers updated
  • Phishing Awareness: Verify emails claiming to be from us
  • Secure Networks: Avoid using public Wi-Fi for sensitive activities
  • Logout: Sign out when using shared computers
  • Report Issues: Immediately report any security concerns

10. Security Updates

We continuously improve our security measures. This includes:

  • Regular security audits and assessments
  • Prompt patching of identified vulnerabilities
  • Adoption of new security technologies
  • Updates to security policies and procedures
  • Ongoing staff training and awareness

11. Reporting Security Issues

If you discover a security vulnerability or have security concerns, please contact us immediately:

Security Team

Please include:

  • Description of the issue
  • Steps to reproduce (if applicable)
  • Potential impact
  • Your contact information

We appreciate responsible disclosure and will acknowledge receipt within 24 hours. We ask that you not publicly disclose the issue until we've had a chance to address it.

12. Questions & Contact

For questions about our security practices or this document, please contact us:

Software Harbor LLC
Operator of SmartRental Investor
Security & Privacy Team
Miami, FL

🔒 Security Promise

We are committed to maintaining the highest standards of data security and continuously improving our security measures to protect your information. Your trust is our top priority.