Security Overview
Last updated: 23 June 2026
Property managers handle sensitive data every day — tenant IDs, lease contracts, cash flows, payment records. This page explains what RentalTracker does to protect that data, what you as a Customer are responsible for, and what we don't yet have (we'd rather be honest than overstate our position).
Architecture
- Cloud infrastructure operated by Supabase (database, auth, storage) and Vercel (web hosting, CDN)
- All data is stored in managed PostgreSQL with automated failover
- Static assets served from a global edge CDN with DDoS protection
- No customer data is stored on company laptops or ad-hoc servers
Encryption
- In transit — TLS 1.2 or higher on every connection. HSTS enabled; HTTP redirects to HTTPS.
- At rest — AES-256 on database storage and backups (via our cloud provider's default encryption).
- Passwords — never stored as plaintext. Handled by Supabase Auth using bcrypt-equivalent hashing.
- Emirates ID photos — stored in Supabase Storage with signed-URL access (links expire); only authenticated users with row-level access can retrieve them.
Access control
- Row-Level Security (RLS) — every database table has RLS policies ensuring one organisation cannot read or write another's data. Policies are enforced at the Postgres layer, not just in application code.
- Role-based access — within your org, different roles (Owner, Manager, Accountant, Staff) have different read/write permissions. The cash handover chain enforces separation of duties.
- Append-only audit log — cash handovers, permission changes and soft-deletes write to an append-only audit table. History cannot be rewritten from the product.
- Service-role key — the privileged key that bypasses RLS is used only by our server-side edge functions and is never shipped to browsers or mobile apps.
- Multi-factor authentication on administrative access to the underlying cloud providers.
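To illustrate the Row-Level Security and role-based access points above, here is an added example of organisation-scoped policies in Postgres; it is not RentalTracker's own schema or policy set. The `memberships` and `leases` tables, their columns, and the choice of which roles may write are assumptions; `auth.uid()` and the `authenticated` role are the ones Supabase provides.

```sql
-- Hypothetical schema for illustration; not RentalTracker's actual tables.
create table memberships (
  user_id uuid not null,
  org_id  uuid not null,
  role    text not null check (role in ('owner', 'manager', 'accountant', 'staff')),
  primary key (user_id, org_id)
);

create table leases (
  id          uuid primary key default gen_random_uuid(),
  org_id      uuid not null,
  tenant_name text not null
);

alter table memberships enable row level security;
alter table leases      enable row level security;

-- Each signed-in user sees only their own membership rows.
create policy memberships_self on memberships
  for select to authenticated
  using (user_id = auth.uid());

-- Read: any member of the organisation that owns the row.
create policy leases_read on leases
  for select to authenticated
  using (org_id in (select m.org_id from memberships m where m.user_id = auth.uid()));

-- Write: owner or manager only (assumed split). WITH CHECK also rejects
-- inserting a row into, or moving a row to, an organisation the caller is not in.
create policy leases_write on leases
  for all to authenticated
  using (org_id in (select m.org_id from memberships m
                    where m.user_id = auth.uid() and m.role in ('owner', 'manager')))
  with check (org_id in (select m.org_id from memberships m
                         where m.user_id = auth.uid() and m.role in ('owner', 'manager')));

-- Audit check: list public tables that still have RLS switched off.
select c.relname
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
where n.nspname = 'public' and c.relkind = 'r' and not c.relrowsecurity;
```

The audit query returning no rows is the condition "every table has RLS" describes. Roles with the `BYPASSRLS` attribute skip these policies entirely, which is why a privileged key of that kind has to stay server-side.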
Backups and recovery
- Automated daily database backups with a 30-day retention window.
- Point-in-time recovery available within the retention window (to the nearest minute).
- You can export all your data at any time as CSV or JSON, so you retain a copy you control.
- On account cancellation, active data is deleted within 30 days; backups are purged within 90 days.
Logging and monitoring
- Every authentication event, permission change, and destructive action (delete, void, refund) is logged.
- Infrastructure provider logs capture request-level telemetry, retained for at least 90 days.
- Unusual sign-in patterns (new country, impossible travel) trigger additional challenges on supported flows.
- Error tracking is configured to scrub personal data before recording.
Incident response
- Runbooks for common incidents (credential leak, database compromise, cloud-provider outage).
- On confirmation of a personal-data breach, we notify affected users and relevant authorities within 72 hours in line with UAE PDPL and GDPR.
- Post-incident reviews for anything customer-visible, with follow-up actions tracked to completion.
Secure development
- All code changes reviewed before merging.
- Dependency scanning for known vulnerabilities; high-severity patches applied promptly.
- Secrets managed via encrypted environment variables; never committed to source control.
- Type-checked TypeScript across the codebase to prevent whole classes of runtime bugs.
What we don't yet have
We're early-stage. In the interest of transparency, these are on the roadmap but not yet in place:
- SOC 2 Type II or ISO 27001 certification
- Penetration testing by an independent third-party firm (planned as customer volume grows)
- A public security status page
- A formal bug-bounty program (informal disclosures welcome at security@rentaltracker.io)
- Multi-factor authentication for end-user sign-in (MFA on admin cloud accounts is already in place)
Your responsibilities
Security is a shared responsibility. You are responsible for:
- Choosing a strong, unique password and not sharing it
- Keeping your devices secure with screen lock, OS updates and anti-malware
- Granting minimum-necessary roles to your team members
- Ensuring you have a lawful basis to upload any personal data about tenants, staff or landlords, and providing them with privacy notices as required
- Promptly reporting suspected unauthorised access to security@rentaltracker.io
Reporting a security issue
Found a vulnerability? Email security@rentaltracker.io with as much detail as you can. Please do not post publicly until we've had a chance to fix it. We'll acknowledge within 48 hours and keep you updated through resolution.
Related
- Privacy Policy — what personal data we collect and why
- Data Processing Addendum — terms when we process data on your behalf
- Terms of Service — overall agreement