Security & trust

Boring is safer than clever.

We don't roll our own crypto. Every layer of RentCaddie sits on top of platforms that are individually SOC 2 certified — Vercel, Supabase, Stripe. Here's the entire stack, in plain English.

Row-level isolation

Every workspace's data is enforced at Postgres — a query physically cannot return another workspace's rows.

Rent never touches us

Stripe Connect routes rent directly from tenant to your bank. We see metadata only — never card numbers.

Your data, exportable

One click to JSON or CSV. Cancel anytime; we delete everything within 30 days (keeping only what regulations require).

The stack

Every layer is audited so we don't have to build security from scratch.

RentCaddie sits on top of SOC 2 Type II infrastructure. We're not asking you to trust our homegrown anything — we don't write any.

Edge · traffic in

Vercel Edge

TLS 1.3 on every connection, HSTS preload, DDoS protection at the anycast edge. Per-workspace domain routing via proxy.ts. SOC 2 Type II.

Application · request processing

Supabase Auth

Email + password authentication, sign-in flows, session JWTs. Passwords hashed with bcrypt on Supabase's side — we never see plaintext. MFA on the roadmap.

Next.js · Vercel Functions

Stateless Node.js on Fluid Compute. Every request enforces organization scope via cached helpers. Environment isolation per deployment.

Stripe Connect

Subscription billing + tenant rent collection. We get a customer_id and webhook events back — never full card numbers. PCI DSS Level 1.

Storage · at rest

Supabase Postgres

Row-level security enforces organization_id at the database. AES-256 encryption at rest. Point-in-time recovery, 30-day backup retention. SOC 2 Type II.

Supabase Storage

Lease PDFs, tenant ID scans, maintenance photos, cleaner photos. AES-256 at rest. Pre-signed URLs only — expire in 60 minutes. No public buckets.

Resend (transactional email)

Rent reminders, invites, signing links, notifications. Sent via your custom domain on Pro+, not ours.

How we think about this

Four principles, applied to every feature.

Least privilege by default.

A feature doesn't get database access unless it needs it. A user doesn't see another workspace's data — ever. Workspace isolation is enforced at the row level, not in application code, so a code bug can't leak data across tenants.

We don't roll our own crypto.

TLS 1.3 (not a custom channel), AES-256 (not a homegrown cipher), bcrypt via Supabase (not MD5 with salt). Every cryptographic primitive is battle-tested and audited. Boring is safer than clever.

Audit logs on every write.

Every create, update, and delete is logged with user, IP, timestamp, and payload diff. Logs are append-only and retained for 2 years. If something weird happens, we can reconstruct exactly what and when.

Your data is your data.

One-click export of every byte of your workspace to CSV or JSON. Cancel anytime and we delete everything within 30 days (keeping only what regulations require, like financial transaction records). We don't hold data hostage.

What we actually store

The receipts. Every field, every encryption state.

This is the inventory, not a marketing summary. Need more detail? Request our Data Processing Agreement at security@rentcaddie.com.

Data	Used for	At rest	In transit
Tenant name, email, phone	Login, rent reminders, portal access, lease variables	Encrypted	TLS 1.3
Tenant DOB / SSN last 4	Screening only — purged after 90 days when collected	Tokenized	TLS 1.3
Government ID scans	Application verification · pre-signed URLs only	Encrypted	TLS 1.3
Bank / card numbers	Never touched — held entirely by Stripe	Not stored	Not stored
Passwords	Never touched — hashed by Supabase Auth	Hashed	TLS 1.3
Lease PDFs	Signed leases, tenant downloads, certificate of completion	Encrypted	TLS 1.3
Maintenance + cleaner photos	Ticket context, inspection evidence (watermarked)	Encrypted	TLS 1.3
Audit logs	Who did what, when, from where · 2-year retention	Encrypted	TLS 1.3
Analytics / telemetry	Aggregated counts only · no PII	Not stored	TLS 1.3

Access control

Who can see what in your workspace.

Every row in the database is scoped to an organization_id. Row-level security policies enforce this at Postgres — not just in application code.

●You & your team — full workspace access, scoped by member role (Owner / Admin / Manager / Accountant / Field staff / Viewer)
●Your tenants — only their own data — rent, lease, maintenance, notifications
●Your cleaners / inspectors — only the jobs and properties you assign them
●RentCaddie engineers — metadata + telemetry only by default; raw tenant data requires your in-product approval and is logged

If something goes wrong

Our incident playbook, plainly.

We disclose to affected customers by email within 30 minutes of detection — not 72 hours, not "by EOD."

●Acknowledged publicly on status.rentcaddie.com within 15 min
●Affected customers emailed directly within 30 min
●Full root-cause postmortem within 5 business days
●Regulators + affected users notified per GDPR/CCPA timelines if data exposed

Security FAQ

The questions people actually ask.

Where is my data physically located?+

Primary Postgres in AWS us-east-1 (N. Virginia) via Supabase. Backups replicated to a separate region. Files in Supabase Storage in the same US region. EU residency available on request for Enterprise.

Can your engineers see my tenant data?+

No, not by default. Our engineers see metadata and workspace-aggregated counts. To access raw tenant data (say, to debug something you reported), we require your written approval and every break-glass access is logged. Approval auto-expires.

What happens to my data when I cancel?+

You get 30 days to export everything (CSV + JSON, one click). After 30 days your workspace is deleted from production. Encrypted backups age out within 90 days after deletion. Financial transaction records are retained per IRS / state requirements (typically 7 years) but anonymized.

Do you have MFA / SSO?+

Email + password today via Supabase Auth. MFA (TOTP) and SSO (Google Workspace, Microsoft Entra, Okta, SAML) are on the roadmap. If you need SSO before we ship it, tell us.

Are you HIPAA compliant?+

No. RentCaddie isn't designed for protected health information. Don't store PHI in tenant records or maintenance notes. If you operate assisted living and need HIPAA, talk to us — it's on the Enterprise roadmap but not available today.

Can I get a signed DPA?+

Yes — email security@rentcaddie.com. Our standard DPA follows the EU SCCs (Module Two).

How do you handle penetration tests?+

Internal red-team exercises happen continuously as part of code review. A third-party penetration test is on the roadmap as we approach SOC 2. Redacted report available to Scale + Enterprise customers under NDA once complete.

Where does the rent actually go?+

Straight from your tenant's bank or card to your bank, via Stripe Connect. Never through ours. You own the Stripe Connect account — we just orchestrate the payment_intent. If RentCaddie disappeared tomorrow, rent would still arrive in your account.

Responsible disclosure

Found a bug? We want to hear about it.

Email security@rentcaddie.com. We respond within 24 hours, fix within the severity SLA (critical: 24h / high: 72h / medium: 2 weeks). Bounties negotiated based on impact.

Report a bug

Need to give this to your compliance team?

We'll send the full security one-pager (PDF) or hop on a call to walk through anything on this page.

Request one-pager Read the privacy policy

Last reviewed: May 2026