Encryption
TLS 1.3 in transit. AES-256 at rest. Bcrypt password hashing with a work factor of 12.
Infrastructure
Hosted on Vercel and Neon (both SOC 2 Type II). Cloudflare DDoS protection in front. DB backups every 6h.
Access control
Strict tenant isolation. Residents only see their unit's data. Cross-org access is impossible by design.
Payments
We never store card or bank account numbers. Stripe handles all payment data (PCI DSS Level 1).
Certifications & audits
| Standard | Status | Notes |
|---|---|---|
| SOC 2 Type II | In progress | Target: Q3 2026 |
| Penetration test | Scheduled | Annual third-party test |
| PCI DSS | Covered via Stripe | We never touch card data |
| GDPR / CCPA / PIPEDA | Compliant | See our GDPR page |
| HIPAA | N/A | We don't handle PHI |
Bug bounty
We pay for responsibly disclosed bugs
Find a security issue? We pay $50–$5,000 depending on severity. Safe harbor for good-faith research.
See bug bounty program →
Vulnerability disclosure
Found a security issue? Email security@aedobuild.com. We respond within 24 business hours and acknowledge valid reports within 5 days.
Our policy follows RFC 9116 — see /.well-known/security.txt.
DDoS & abuse protection
We run behind Cloudflare with bot filtering, WAF managed rules, and rate limiting on sensitive endpoints (auth, signup). Vercel's infrastructure absorbs additional load.
Working on a security questionnaire? Email security@aedobuild.com and we'll fill it out within 3 business days.