Security Policy

Last Updated: October 2, 2025

At Rentlab, we take the security of your data seriously. This document outlines our security practices, policies, and procedures to protect your information.

Scope

This security policy applies to all data collected and processed through Rentlab, including our website and services, regardless of your location. It covers how we protect your rental property accounting data, authentication credentials, and personal information.

Our Security Approach

As a focused, lean operation, we prioritize security by building on enterprise-grade infrastructure providers. Rather than building custom security systems from scratch, we rely on widely used, independently audited platforms and inherit the controls they are audited against:

  • Enterprise Infrastructure: Hosting on security-certified cloud providers (Vercel, Supabase)
  • Modern Secure Frameworks: Using secure-by-default authentication and database systems
  • Industry Standards: Following OWASP guidelines and security best practices
  • Encryption Everywhere: All data encrypted in transit and at rest
  • Certified Partners: Working exclusively with SOC 2, ISO 27001, and PCI DSS certified service providers

This approach gives us enterprise-grade infrastructure security without a large internal security team, so a small team can provide robust protection while staying responsive.

1. Data Security

Encryption

  • In Transit: All data transmitted between your browser and our servers is encrypted using TLS 1.3 or higher
  • At Rest: All data stored in our databases is encrypted using industry-standard AES-256 encryption
  • Passwords: User passwords are stored only as bcrypt hashes (a random per-password salt plus a configurable work factor). Hashing is one-way, so the plaintext password is never stored and cannot be recovered from the database

Database Security

  • Row Level Security (RLS): All database tables implement Row Level Security policies to ensure users can only access their own data
  • Parameterized Queries: All database queries use parameterized statements to prevent SQL injection attacks
  • Backup & Recovery: Daily automated backups with point-in-time recovery capabilities
  • Access Control: Strict database access controls with least-privilege principles
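As an added illustration (written for this page, not Rentlab's own schema or policies), here is what a "users can only access their own data" Row Level Security setup looks like in Postgres as used by Supabase. The table, column names and the two sample user IDs are assumptions; `auth.uid()` is Supabase's helper that returns the `sub` claim of the calling request's JWT.

```sql
-- Added example, not Rentlab's schema. Assumed table: per-landlord ledger
-- entries. auth.uid() is Supabase's helper returning the JWT "sub" claim.
create table if not exists public.ledger_entries (
  id           uuid primary key default gen_random_uuid(),
  owner_id     uuid not null default auth.uid(),   -- the row's owner
  property     text not null,
  amount_cents integer not null check (amount_cents <> 0),
  created_at   timestamptz not null default now()
);

-- Table privileges are a separate layer from RLS: a role needs the grant
-- to touch the table at all, and RLS then decides which rows it may touch.
grant select, insert, update, delete on public.ledger_entries to authenticated;

-- 1. Turn RLS on. Without this, the policies below are never consulted.
alter table public.ledger_entries enable row level security;
-- Apply the policies to the table owner too, which is otherwise exempt.
alter table public.ledger_entries force row level security;

-- 2. Once RLS is on, access is denied by default and each policy grants
--    some of it back. USING filters rows a caller can read or modify;
--    WITH CHECK constrains rows a caller may write, so nobody can INSERT
--    or UPDATE a row into another user's account.
create policy "owner can read own rows"
  on public.ledger_entries for select
  to authenticated
  using (owner_id = auth.uid());

create policy "owner can insert own rows"
  on public.ledger_entries for insert
  to authenticated
  with check (owner_id = auth.uid());

create policy "owner can update own rows"
  on public.ledger_entries for update
  to authenticated
  using (owner_id = auth.uid())
  with check (owner_id = auth.uid());

create policy "owner can delete own rows"
  on public.ledger_entries for delete
  to authenticated
  using (owner_id = auth.uid());

-- 3. Verify from the SQL editor by impersonating two users. In Supabase,
--    auth.uid() reads the request.jwt.claims setting, so setting it inside
--    a transaction simulates an API call carrying that user's JWT.
--    Both user IDs are made-up sample values.
begin;
  set local role authenticated;

  -- Act as user A: insert a row, then count the rows A can see.
  set local request.jwt.claims = '{"sub":"11111111-1111-1111-1111-111111111111"}';
  insert into public.ledger_entries (property, amount_cents)
    values ('12 Main St', 150000);
  select count(*) as rows_visible_to_a from public.ledger_entries;

  -- Act as user B: the same SELECT with no WHERE clause, filtered by RLS.
  set local request.jwt.claims = '{"sub":"22222222-2222-2222-2222-222222222222"}';
  select count(*) as rows_visible_to_b from public.ledger_entries;

  -- B tries to write a row owned by A. WITH CHECK rejects it with
  -- "new row violates row-level security policy", which aborts the
  -- transaction, so this statement is deliberately last.
  insert into public.ledger_entries (owner_id, property, amount_cents)
    values ('11111111-1111-1111-1111-111111111111', '9 Elm Ave', 90000);
rollback;
```

Two caveats a reviewer should check when auditing a setup like this: a policy written `for all using (...)` without an explicit `with check` reuses the USING expression for writes, which is usually what you want but is easy to overlook, and Supabase's `service_role` key connects as a role that bypasses RLS entirely, so that key must never reach the browser and server-side code using it must do its own authorization.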

2. Authentication & Access Control

Authentication Methods

  • OAuth 2.0: Sign in with Google (OpenID Connect over OAuth 2.0) for third-party authentication; your Google password is never sent to Rentlab
  • Session Management: Secure session tokens with automatic expiration and refresh mechanisms
  • Multi-Factor Authentication: A second factor is available through the OAuth provider: any MFA enforced on your Google account applies when you sign in with Google (see Section 7)

Access Controls

  • Role-based access control (RBAC) for different user permission levels
  • API rate limiting to slow brute-force and credential-stuffing attacks
  • Account lockout policies after multiple failed login attempts
  • Automatic session timeout for inactive users

3. Application Security

Input Validation & Sanitization

  • All user inputs are validated using Zod schemas
  • XSS (Cross-Site Scripting) prevention through output encoding (React escapes rendered values by default), input sanitization and a Content Security Policy
  • CSRF (Cross-Site Request Forgery) protection on all state-changing operations
  • Where file uploads are accepted, validation of file type and size and scanning of uploaded content

Secure Development Practices

  • Automated dependency scanning for known vulnerabilities using industry-standard tools
  • Security-focused code analysis and linting tools
  • Following OWASP security guidelines and modern web security best practices
  • Leveraging secure-by-default frameworks (Next.js, React) that provide built-in protections
  • Prompt application of security patches and dependency updates

4. Infrastructure Security

Hosting & Network Security

  • Cloud Infrastructure: Hosted on security-certified cloud providers (Vercel, Supabase)
  • DDoS Protection: DDoS protection provided by our hosting infrastructure
  • Firewall Rules: Network segmentation and firewall protections managed by our cloud providers
  • Monitoring: Continuous infrastructure monitoring and alerting through our hosting providers

Backup & Data Recovery

  • Automated Backups: Daily automated backups managed by Supabase with point-in-time recovery capabilities
  • Backup Storage: Backups stored in geographically distributed locations for redundancy
  • Recovery Validation: Backup integrity validation through automated systems provided by Supabase
  • User Data Export: We encourage users to periodically export their data using our built-in export features to maintain personal backup copies

Third-Party Services

We carefully vet all third-party services and ensure they meet our security standards:

  • Supabase: SOC 2 Type II compliant database and authentication
  • Stripe: PCI DSS compliant payment processing
  • Vercel: ISO 27001 certified hosting platform

5. Privacy & Compliance

Data Privacy

  • We follow privacy-by-design principles in all feature development
  • User data is never shared with third parties without explicit consent
  • Users have full control over their data with export and deletion capabilities
  • See our Privacy Policy for detailed information

Compliance

  • GDPR: Compliance with EU General Data Protection Regulation - see our Privacy Policy
  • CCPA: Compliance with California Consumer Privacy Act - see our Privacy Policy
  • SOC 2 Aligned: Our practices follow principles aligned with the SOC 2 Trust Services Criteria, and the providers that store and process customer data (Supabase, Vercel) hold SOC 2 Type II reports. This is alignment through those providers, not an independent SOC 2 audit of Rentlab itself

6. Incident Response

Security Incident Procedures

In the event of a security incident, we follow a structured response process:

  1. Detection & Analysis: Immediate investigation and impact assessment
  2. Containment: Isolation of affected systems to prevent spread
  3. Eradication: Removal of threat and vulnerability patching
  4. Recovery: Restoration of services and data validation
  5. Notification: Prompt notification to affected users as required by law
  6. Post-Incident Review: Analysis and improvement of security measures

Incident Notification

We will notify affected users promptly upon discovering a data breach that affects their personal information. Under GDPR, a controller must notify the supervisory authority within 72 hours of becoming aware of a breach and must inform affected individuals without undue delay when the breach is likely to result in a high risk to them; we aim to notify affected users within that same 72-hour window, once we have confirmed the breach and assessed its impact.

Response Scope

Our incident response procedures are scaled to severity and impact. Minor incidents, such as isolated account issues or failed login attempts, are handled as they occur through our standard support channels. Major incidents involving potential data breaches, system-wide security threats or service disruptions trigger the full formal incident response process outlined above.

7. User Responsibilities

Best Practices for Users

You can help keep your account secure by following these recommendations:

  • Use a strong, unique password for your Rentlab account
  • Enable two-factor authentication on your Google account if you sign in with Google
  • Keep your browser and operating system up to date
  • Be cautious of phishing attempts and suspicious emails
  • Log out of your account on shared or public devices
  • Review your account activity regularly
  • Report any suspicious activity immediately

8. Vulnerability Disclosure

Responsible Disclosure Policy

We welcome security researchers and users to report vulnerabilities responsibly:

Reporting a Vulnerability

If you discover a security vulnerability, please report it to us at:

Email: security@rentlab.app

Please include the following information:

  • Description of the vulnerability
  • Steps to reproduce the issue
  • Potential impact assessment
  • Any suggested fixes (optional)

Our Commitment

  • We will acknowledge receipt of your report within 48 hours
  • We will investigate and validate reported vulnerabilities promptly
  • We will keep you informed of our progress in addressing the issue
  • We will credit researchers who report valid vulnerabilities (unless anonymity is requested)

Rules of Engagement

When testing for vulnerabilities:

  • Only test against your own account
  • Do not access, modify or retain other users' data
  • Avoid degrading service availability (for example, no high-volume automated scanning against production)
  • Do not publicly disclose a vulnerability before we have addressed it

9. Security Updates

Continuous Improvement

We continuously monitor and improve our security posture:

  • Ongoing security monitoring and threat assessment
  • Following security best practices and staying current with emerging threats
  • Prompt application of security patches and vulnerability fixes
  • Regular review and update of security policies and procedures
  • Leveraging security audits conducted by our infrastructure providers (Supabase SOC 2, Vercel ISO 27001)

Transparency

We believe in transparency regarding our security practices. This security policy is regularly reviewed and updated to reflect our current practices and industry standards.

10. Contact Information

For security-related questions or concerns, email security@rentlab.app (see Section 8 for how to report a vulnerability).

11. Changes to This Policy

We may update this security policy from time to time to reflect changes in our practices or for legal, operational, or regulatory reasons. The "Last Updated" date at the top of this page indicates when this policy was last revised.

We encourage you to review this policy periodically to stay informed about how we're protecting your information.


Note: This security policy is provided for informational purposes. For specific security concerns or to report a vulnerability, please contact our security team directly.