Security
Last updated: 2026-04-17
Property Appraiser Pro stores appraisal workfiles and property data that are legally significant and often tied to federally related mortgage transactions. This page summarizes our approach to protecting that data.
Infrastructure
- Hosting: Vercel (US regions) for application layer, Supabase (AWS us-east-1) for database and authentication.
- Encryption at rest: AES-256 for all database and object storage (Supabase default).
- Encryption in transit: TLS 1.2+ enforced on all endpoints, with HSTS (max-age=31536000; includeSubDomains) enabled.
- Network: No inbound database access — all queries flow through the application layer with server-side authorization.
Authentication and Access Control
- OAuth via Google and GitHub through Supabase Auth. Email and password authentication uses bcrypt hashing managed by Supabase.
- Row-Level Security (RLS) enforced at the database layer on every tenant-scoped table. Users can only access data owned by their firm workspace.
- Role-based access within firms: primary appraiser, co-appraiser, trainee, firm administrator.
Application Security
- All user input validated at action and API boundaries using Zod.
- Parameterized database access only — no raw SQL string interpolation.
- Content Security Policy enforced with documented trade-offs; see our source for specifics.
- Rate limiting applied to public and authenticated endpoints.
Payment Security (PCI)
We never touch card data. All payment flows use Stripe Checkout (hosted) and the Stripe Customer Portal. This places Property Appraiser Pro in PCI-DSS SAQ A scope — the simplest category, appropriate for merchants who fully outsource card handling to a PCI-validated processor.
Vulnerability Disclosure
We welcome responsible disclosure of security vulnerabilities. If you believe you have found a vulnerability, please email security@propertyappraiserpro.com. Please include:
- A clear description of the issue and potential impact.
- Steps to reproduce.
- Any proof-of-concept material.
We commit to acknowledging valid reports within 5 business days and to good-faith resolution on a reasonable timeline. We do not currently offer monetary bounties but will credit researchers who request acknowledgment. Please do not disclose vulnerabilities publicly before we have had an opportunity to respond.
Out of scope for disclosure: denial-of-service attacks, social engineering against us or our vendors, and testing against the live application in a way that degrades service for other users.
See also /.well-known/security.txt.
Data Retention and Export
Default retention aligns with USPAP workfile retention (five years). Users can export their data at any time through the application. See our Privacy Policy for full detail.
Breach Notification
We follow the New York SHIELD Act and other applicable breach notification laws. If a breach affects your data, you will be notified by email without unreasonable delay and in any case within the timelines required by law.
Compliance Posture
Property Appraiser Pro is pre-SOC 2 as of 2026-04-17. We maintain written security practices aligned with the SHIELD Act reasonable safeguards standard. SOC 2 Type 1 is on the roadmap and will be pursued when enterprise customer requirements warrant it.
Contact
Security questions: security@propertyappraiserpro.com