Data Protection & Security

How PropFlow protects your data with enterprise-grade security measures.

Technical and organisational security measures, sub-processor certifications, data retention schedule, breach response procedure, and your compliance obligations as a workspace operator.

Active & Compliant

This policy is maintained dynamically and is binding worldwide. Last updated: June 18, 2026.

Legal Overview
SECTION 01

1. Security Framework

PropFlow's security architecture is designed to protect data in transit, at rest, and during processing — aligned with GDPR Article 32, CCPA/CPRA reasonable security requirements, PDPA security obligations (Singapore), and DPDP reasonable security safeguards (India).

SECTION 02

2. Technical Security Measures

Data in transit: all communication encrypted using TLS 1.2+. HTTPS enforced on all routes. API communications use HTTPS-only endpoints; webhook signatures verified using HMAC-SHA256.
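
The webhook check mentioned above, written out as an added illustration; this is not PropFlow's code. It assumes a hypothetical signature header of the form t=<unix seconds>,v1=<hex HMAC-SHA256>, with the MAC computed over the timestamp and the raw request body. The header name and format actually used by PropFlow's webhook senders are not stated on this page. The two points it demonstrates are that the digest comparison must be constant-time, and that binding a timestamp into the MAC bounds how long a captured delivery can be replayed.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Assumed (hypothetical) header layout: "t=<unix seconds>,v1=<hex HMAC-SHA256>".
// The MAC covers "<timestamp>.<raw body>", so the timestamp is authenticated
// and an old delivery cannot be replayed once it falls outside the window.
const MAX_SKEW_SECONDS = 300;

type VerifyResult = "ok" | "malformed" | "bad_signature" | "stale";

// Sender side: produce the signature header for a raw JSON body.
function signWebhook(secret: string, rawBody: string, timestamp: number): string {
  const mac = createHmac("sha256", secret)
    .update(`${timestamp}.${rawBody}`)
    .digest("hex");
  return `t=${timestamp},v1=${mac}`;
}

// Receiver side. rawBody must be the exact bytes received, before any JSON
// parsing or re-serialisation; whitespace or key-order changes would break the MAC.
function verifyWebhook(
  secret: string,
  rawBody: string,
  header: string,
  now: number = Math.floor(Date.now() / 1000),
): VerifyResult {
  const fields = new Map<string, string>();
  for (const kv of header.split(",")) {
    const i = kv.indexOf("=");
    if (i > 0) fields.set(kv.slice(0, i).trim(), kv.slice(i + 1).trim());
  }
  const t = fields.get("t");
  const v1 = fields.get("v1");
  // Reject anything that is not a decimal timestamp plus a 32-byte hex digest.
  if (!t || !v1 || !/^\d{1,12}$/.test(t) || !/^[0-9a-f]{64}$/i.test(v1)) return "malformed";

  const timestamp = Number(t);
  const expected = createHmac("sha256", secret).update(`${timestamp}.${rawBody}`).digest();
  const presented = Buffer.from(v1, "hex");
  // Both buffers are 32 bytes after the regex check, so timingSafeEqual cannot throw.
  // A plain === on the hex strings would leak how many leading bytes matched.
  if (!timingSafeEqual(expected, presented)) return "bad_signature";

  // Signature is genuine; now refuse deliveries outside the replay window.
  if (Math.abs(now - timestamp) > MAX_SKEW_SECONDS) return "stale";
  return "ok";
}
```

The verifier checks the signature before the timestamp so that an unauthenticated caller learns nothing about the accepted window. Whatever format a real sender uses, the receiver should read the body as raw bytes from the request stream and pass those, not a re-encoded object, into the MAC.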

Data at rest: database data encrypted at rest by Supabase (AES-256). Document files stored in Supabase Storage with server-side encryption and accessible only via time-limited pre-signed URLs. Passwords hashed by Clerk — never stored in plaintext. Secrets stored as Vercel encrypted environment variables, never in code.

Access controls: Row-Level Security (RLS) on all database tables — every query is scoped to workspace_id, preventing cross-tenant data access. Clerk-managed JWTs validated on every protected route. Privileged route guards enforce workspace membership before any write. Principle of least privilege enforced per user role.

HTTP security headers: X-Frame-Options: DENY (clickjacking), X-Content-Type-Options: nosniff (MIME sniffing), X-XSS-Protection: 1; mode=block (legacy header; current browsers no longer honour it), Referrer-Policy: strict-origin-when-cross-origin, Permissions-Policy restricts camera, microphone, geolocation, and payment.

Rate limiting and abuse prevention: all write APIs rate-limited via Supabase RPC. Public endpoints (contact, newsletter, AI chat) rate-limited per IP. Cloudflare Turnstile CAPTCHA on sensitive unauthenticated forms. MFA supported for all user types via Clerk.
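
The per-client, per-window counter that rate limiting like the above relies on, as an added example that is not PropFlow's code. In the deployment described here the counter lives behind a database RPC; this version keeps it in an in-memory Map so it runs stand-alone, but the window arithmetic is the same. It also shows the sweep that keeps counters no longer than one window (the retention the schedule below promises) and the one practical trap in keying by IP: X-Forwarded-For is client-controlled unless a trusted proxy set it. The limit, window and addresses are constructed sample values.

```typescript
interface Counter { count: number; windowStart: number; }
interface Verdict { allowed: boolean; remaining: number; retryAfter: number; }

// Fixed-window counter keyed by client identifier (IP, user id, API key).
class FixedWindowLimiter {
  private readonly counters = new Map<string, Counter>();
  private readonly limit: number;
  private readonly windowSeconds: number;

  constructor(limit: number, windowSeconds: number) {
    this.limit = limit;
    this.windowSeconds = windowSeconds;
  }

  // Decide one request at time `now` (unix seconds).
  check(key: string, now: number): Verdict {
    const c = this.counters.get(key);
    // No counter yet, or the previous window has elapsed: this request opens a new one.
    if (!c || now - c.windowStart >= this.windowSeconds) {
      this.counters.set(key, { count: 1, windowStart: now });
      return { allowed: true, remaining: this.limit - 1, retryAfter: 0 };
    }
    if (c.count >= this.limit) {
      // Denied requests do not increment the counter, so a blocked client
      // cannot keep extending its own penalty by hammering the endpoint.
      return { allowed: false, remaining: 0, retryAfter: c.windowStart + this.windowSeconds - now };
    }
    c.count += 1;
    return { allowed: true, remaining: this.limit - c.count, retryAfter: 0 };
  }

  // Delete counters whose window has elapsed. Run periodically so that nothing
  // about a client persists longer than one window.
  sweep(now: number): number {
    let removed = 0;
    for (const [key, c] of this.counters) {
      if (now - c.windowStart >= this.windowSeconds) {
        this.counters.delete(key);
        removed += 1;
      }
    }
    return removed;
  }

  size(): number {
    return this.counters.size;
  }
}

// Derive the per-IP key. Only the entry appended by a trusted proxy (the last one)
// can be believed, and only when the service is known to sit behind that proxy;
// otherwise the socket address is the only value the client cannot choose.
function clientKey(remoteAddr: string, forwardedFor: string | undefined, behindTrustedProxy: boolean): string {
  if (behindTrustedProxy && forwardedFor) {
    const hops = forwardedFor.split(",").map((s) => s.trim()).filter((s) => s.length > 0);
    if (hops.length > 0) return hops[hops.length - 1];
  }
  return remoteAddr;
}
```

Returning retryAfter lets the handler set a Retry-After header on the 429 response. A fixed window allows up to twice the limit across a window boundary; if that matters for an endpoint, a sliding window or token bucket with the same sweep discipline is the usual replacement.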

SECTION 03

3. Sub-Processors & Certifications

Supabase (database & storage): SOC 2 Type II, GDPR, CCPA.

Clerk (authentication): SOC 2 Type II, GDPR, CCPA, HIPAA-eligible.

Stripe (billing): PCI DSS Level 1, SOC 1 & 2, GDPR.

Vercel (hosting): SOC 2 Type II, GDPR, ISO 27001.

Resend / Brevo (email): GDPR, SOC 2 / ISO 27001.

OpenAI (AI assistant): SOC 2 Type II, GDPR (API usage policy applies — do not enter sensitive personal data in chat).

Sentry (error monitoring): SOC 2, GDPR, CCPA.

All sub-processors are bound by Data Processing Agreements (DPAs).

SECTION 04

4. Data Retention Schedule

Active workspace data: retained for the duration of the active subscription.

Account and billing records: subscription term plus 7 years (financial/legal obligation).

Terminated workspace data: 90 days post-termination, then deleted on request.

Error logs (Sentry): 90 days rolling.

Rate limiting counters: up to 1 hour (window duration only).

Newsletter subscribers: until unsubscribe or consent withdrawal.

Contact form submissions: 3 years.

Audit logs: 3 years.

Backup snapshots: 30 days rolling.

SECTION 05

5. Data Breach Response

Step 1 — Containment (within 1 hour): isolate affected systems, revoke compromised credentials, preserve evidence.

Step 2 — Assessment (within 24 hours): determine scope, data categories affected, number of individuals impacted, and likelihood of harm.

Step 3 — Supervisory authority notification (within 72 hours where required): notify the relevant DPA (e.g., ICO in the UK, relevant EU SA, PDPC in Singapore) where the breach is likely to result in a risk to individuals' rights.

Step 4 — Individual notification (without undue delay): where the breach poses a high risk to individuals, notify affected workspace administrators and, where applicable, end users directly.

Step 5 — Remediation and documentation: implement fixes, document all actions taken, and update the internal breach register.

SECTION 06

6. Operator Responsibilities

Workspace operators are responsible for ensuring that personal data entered into the platform is collected and processed lawfully in their jurisdiction. This includes: obtaining all necessary consents from tenants and applicants; providing appropriate privacy notices to data subjects; configuring access controls; enabling MFA; promptly notifying PropFlow of any security incident; and not uploading special-category data without a clear legal basis.

SECTION 07

7. Jurisdiction Compliance Summary

EU/EEA — GDPR: lawful basis, DPAs, SCCs for transfers, 72-hour breach notification, full data subject rights.

UK — UK GDPR + DPA 2018: same as EU GDPR under retained UK law; UK IDTAs for transfers.

USA (California) — CCPA/CPRA: no sale of data; right to know, delete, correct, opt-out, portability.

USA (Federal) — DMCA, FTC Act: DMCA agent designated; no deceptive practices.

Singapore — PDPA: consent before collection; mandatory breach notification to PDPC.

Japan — APPI: consent for sensitive data; breach notification to PPC.

India — DPDP Act 2023: lawful processing; grievance officer available.

China — PIPL: separate consent for sensitive data; cross-border transfer assessment.

Australia — Privacy Act + APPs: notifiable data breach scheme.

Canada — PIPEDA / Law 25: meaningful consent; breach notification where required.

For data protection enquiries, contact us at propflowhq.com/contact. Unsatisfied with our response? Lodge a complaint with your national supervisory authority.