Security & Compliance

Your Data Protected.
Compliance Built In.

HTTPS enforced, CSRF on financial actions, Stripe for payments with no card storage. FCRA-compliant screening, audit logs, role-based access, and SSN encryption at rest.

No unit minimums • From $19/month • No credit card required

Audit Log Viewer

Query and view audit logs for agency deletions and other critical operations

| Timestamp | Operation | Resource Type | Performed By | Outcome |
|---|---|---|---|---|
| 10:42 AM | DOCUMENT_SIGNED | DOCUMENT | user@example.com | SUCCESS |
| 10:38 AM | DOCUMENT_SENT | DOCUMENT | user@example.com | SUCCESS |
| 10:15 AM | AGENCY_UPDATE | AGENCY | admin@agency.com | SUCCESS |

Worried About Security and Compliance?

Data breaches and FCRA mistakes are costly. We build in HTTPS, CSRF protection, audit logs, and role-based access so you can focus on running your properties.

Before

One data breach or compliance slip can cost you thousands. Tenant SSNs, lease data, and payment info need to be protected and handled correctly.

After

Sensitive data like SSN is encrypted at rest with AES-256. HTTPS is enforced for all traffic. Financial server actions are protected with CSRF tokens. Payments go through Stripe so we never store card data.

Before

Fair Credit Reporting Act rules are strict. Wrong disclosures, missing consent, or poor record-keeping can lead to fines and lawsuits.

After

Tenant screening is powered by an FCRA-qualified consumer reporting agency. Disclosures and consent are part of the flow. Screening retention and backup capability support compliance and audit needs.

Before

You need to know who did what and when. Without an audit trail, disputes and compliance reviews become a nightmare.

After

Document operations and critical actions are logged to an audit log. Query by resource type, operation, and outcome. Export for compliance and internal review.

Before

Team members and tenants should only see what they are allowed to see. One shared login or weak access control creates risk.

After

Clerk handles authentication. Role-based access is enforced in middleware and layouts. Guests are restricted from settings; tenants see only their assigned properties. Your scope, your data.

How We Protect You

Multiple layers: secure transport, validated actions, verified webhooks, and scoped access.

1. Secure Transport & Headers

HTTPS is enforced. We set X-Frame-Options, HSTS, and Content-Security-Policy so browsers and payment forms are protected. API responses include X-Content-Type-Options where needed.

2. Validated Mutations & Webhooks

Financial server actions require a valid CSRF token. Stripe webhooks are verified with the signing secret before we update payments or subscriptions. No blind trust of incoming requests.

3. Scoped Access & Audit Trail

Middleware and layouts enforce role-based access. Tenants see only their properties; guests are blocked from settings. Critical operations and document events are logged for audit and compliance.

Security and Compliance Features

HTTPS and headers, CSRF on financial actions, Stripe (no card storage), audit log, role-based access, SSN encryption at rest, rate limiting, and backup capability.

HTTPS & Security Headers

All traffic uses HTTPS. Security headers are set app-wide: X-Frame-Options (SAMEORIGIN), Strict-Transport-Security, and Content-Security-Policy. API routes send X-Content-Type-Options: nosniff.

CSRF Protection on Financial Actions

Server actions for expenses, income, and other financial mutations validate a CSRF token before running. Tokens are generated with a cryptographically secure method and validated on the server.

Stripe for Payments (No Card Storage)

Rent and fees are processed through Stripe. We do not store payment card data on our servers. Stripe webhooks are verified with signature validation before any update. PCI scope is reduced by using Stripe.

Audit Log & Document Trail

Critical operations and document events (sent, signed, completed, archived) are written to an audit log. Admins can query by resource type, operation, and outcome, and export for compliance.

Role-Based Access

Middleware and layouts enforce access by role. Agency owners, admins, guests, and tenants each see the right scope. Subaccount guests are blocked from settings; tenants are restricted to their properties.

SSN Encrypted at Rest

Social Security Numbers are encrypted with AES-256-GCM before storage. Key rotation is supported. Decryption is server-side only. Aligns with FCRA and PCI-DSS handling of sensitive identifiers.
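A sketch of how AES-256-GCM field encryption with key rotation can be structured, as an added example that is not this product's implementation. The envelope layout (key id, nonce, tag, ciphertext), the record-id binding through additional authenticated data, and the demo keys are assumptions made for illustration.

```javascript
const crypto = require("node:crypto");

// Constructed 32-byte demo keys; real keys would come from a KMS or secret store.
const KEYRING = new Map([
  ["k1", crypto.createHash("sha256").update("demo-key-1").digest()],
  ["k2", crypto.createHash("sha256").update("demo-key-2").digest()],
]);

// Encrypt under the named key. The record id is passed as AAD so a
// ciphertext copied onto another record fails authentication.
function encryptSsn(ssn, recordId, keyId) {
  const key = KEYRING.get(keyId);
  if (!key) throw new Error(`unknown key id: ${keyId}`);
  const iv = crypto.randomBytes(12); // fresh 96-bit nonce for every encryption
  const cipher = crypto.createCipheriv("aes-256-gcm", key, iv);
  cipher.setAAD(Buffer.from(recordId, "utf8"));
  const ct = Buffer.concat([cipher.update(ssn, "utf8"), cipher.final()]);
  const tag = cipher.getAuthTag();
  return [keyId, iv.toString("base64"), tag.toString("base64"), ct.toString("base64")].join(".");
}

// Decrypt with whichever key the envelope names; throws if the key id is
// unknown or if ciphertext, tag, or record id do not authenticate.
function decryptSsn(envelope, recordId) {
  const [keyId, iv, tag, ct] = envelope.split(".");
  const key = KEYRING.get(keyId);
  if (!key || !iv || !tag || !ct) throw new Error("bad envelope");
  const decipher = crypto.createDecipheriv("aes-256-gcm", key, Buffer.from(iv, "base64"));
  decipher.setAAD(Buffer.from(recordId, "utf8"));
  decipher.setAuthTag(Buffer.from(tag, "base64"));
  return Buffer.concat([decipher.update(Buffer.from(ct, "base64")), decipher.final()]).toString("utf8");
}

// Rotation: re-encrypt only envelopes not already under the current key.
function rotate(envelope, recordId, currentKeyId) {
  if (envelope.startsWith(currentKeyId + ".")) return envelope;
  return encryptSsn(decryptSsn(envelope, recordId), recordId, currentKeyId);
}

// Convenience wrapper: null instead of an exception on any failure.
function tryDecrypt(envelope, recordId) {
  try { return decryptSsn(envelope, recordId); } catch { return null; }
}
```

Storing the key id beside the ciphertext is what lets old records stay readable while new writes use the current key.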

Rate Limiting

Public-facing flows are rate limited to reduce abuse. Showing bookings and contact form submissions are limited per email or IP per hour. Protects against spam and resource exhaustion.

Backup & Compliance Retention

Admins can generate database and full backups (DB plus PDFs) for compliance and recovery. Screening data retention follows a tiered policy with cold storage for FCRA retention requirements.


Ready to Run a Secure Operation?

HTTPS, CSRF protection, Stripe payments, audit logs, and role-based access. From $19/month.


    Property Management Security & Compliance | Data Protection, FCRA, PCI | Rezides