Skip to main content
PropFlow AI
Start Free

Security & data posture

How we secure your data.

UK-hosted, encrypted in transit and at rest, authentication that doesn't depend on remembered passwords, audit trail on every change. The boring stuff, done right.

Hosting & infrastructure

PropFlow's database, authentication, and file storage all run on Supabase in the UK / EEA region. The application servers run on Railway. All customer data stays within UK / EEA jurisdiction by configuration.

Encryption

In transit: TLS 1.2+ on every connection. HSTS preload enabled. No HTTP fallback for any authenticated request.

At rest: AES-256 encryption on all stored data. Managed by Supabase at the storage layer.

Authentication

Sign in by magic link (email) by default. Password sign-in available for operators who prefer it. Turnstile CAPTCHA on every auth-bearing form (per Decision 070) protects against credential stuffing and automated abuse.

Access control

PropFlow uses Row-Level Security (RLS) at the Postgres layer. Authorisation is enforced by the database itself — not just by the application. A bug in the API layer cannot leak another organisation's data, because the database refuses to return it.

Roles are scoped per organisation: landlord, property manager, org admin, group admin, propflow admin. Tenants and tradespeople have separate role surfaces with their own access patterns.

Audit logging

Every change is attributed to a user with a trace ID propagated through the request lifecycle. Compliance certificate uploads, notice generation, tenancy changes, deletions, and access events are all logged.

The audit log is read-only for end users; it's the source of truth that backs the court-ready evidence pack.

Backups & recovery

Point-in-time recovery (PITR) managed by Supabase. We can restore the database to any moment in the previous 7 days. Backups are stored within the UK / EEA region.

Data residency & GDPR

PropFlow is a UK data controller. We process personal data under UK GDPR + PECR. A Data Processing Agreement (DPA) is available to customers on request — contact legal@propflow-ai.co.uk.

We use third-party services for payments (Stripe), messaging (Twilio), email (Resend), AI inference (Anthropic), e-signature (DocuSeal), and infrastructure (Supabase, Railway). The full sub-processor list is included with the DPA.

Responsible disclosure

Found a vulnerability? We'd like to know. Email security@propflow-ai.co.uk with a description, repro steps, and your preferred disclosure timeline.

We don't pay bounties (yet), but we credit reporters in our security advisories unless they request anonymity.

Need our DPA, sub-processor list, or a security questionnaire response? Talk to sales →

Built with the audit in mind from day one.

Try it free. Talk to sales if your procurement team needs more detail.

Start FreeTalk to sales