Built for boards that take security seriously.

Your residents trust you with their home, their money, and their personal data. We treat that with the same care a bank would. Here's exactly how.

TLS 1.3 + AES-256 · Two-factor required · PCI via Stripe · PIPEDA-aligned · Daily backups · SOC 2 in progress

TLS 1.3: encryption in transit
AES-256: encryption at rest
2FA: required for admins
7-day: point-in-time recovery

Encryption everywhere

  • TLS 1.3 in transit for every page, API call, and webhook
  • AES-256 encryption at rest (managed by our database provider)
  • HSTS preload with 2-year max-age — browsers refuse insecure connections to our domain
  • Strict Content Security Policy blocks injection attacks and unauthorized scripts

Authentication you can trust

  • Passwords are hashed with bcrypt (cost factor 12) — never stored in readable form
  • 12-character minimum length, breached-password blocklist, no personal-info reuse
  • TOTP-based two-factor authentication (Google Authenticator, 1Password, Authy)
  • Two-factor REQUIRED for org admins, property managers, and accountants
  • Sessions expire after 7 days; auto-logout on token tampering
  • Account lockout after 5 failed login attempts (15-minute cooldown)
  • Step-up re-authentication required for destructive actions (delete unit, change banking)

Your data stays yours

  • Row-level multi-tenancy: every query is scoped to your organization at the database level
  • Users from other buildings cannot see your residents, payments, documents, or tickets
  • Granular role permissions: board members, property managers, accountants, residents, and vendors each see only what they need
  • Per-organization audit log of every important action (who, what, when, from where)
  • Data export and deletion on request (PIPEDA Section 4.9)

Backups and recovery

  • Daily automated database backups (managed by Neon)
  • 7-day point-in-time recovery — we can roll back to any second in the last week
  • 30-day backup retention on Enterprise plan
  • Quarterly disaster-recovery drills

Defense in depth

  • Cloudflare DDoS protection in front of every request
  • Brute-force rate limiting on login, signup, password reset, and contact form
  • Real-time error monitoring via Sentry (alerts within 60 seconds of an issue)
  • File uploads are validated by magic-byte signature — no disguised executables
  • All user-generated HTML output is escaped by default (React's automatic XSS protection)
  • SQL injection is prevented by using parameterized statements for every query (Prisma ORM)
  • Bug bounty program for security researchers
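The magic-byte upload check from the list above, as an added example and not aedobuild's code: the first bytes of the file are sniffed and compared against known signatures, an upload is refused outright if it carries an executable signature, and it is accepted only when the sniffed type matches both the allow list and the type the client declared. The signature table, the sample buffers and the `validateUpload` return shape are assumptions for the illustration.

```javascript
// Added example (not aedobuild's code): validate an upload by its leading
// bytes instead of trusting the filename extension or Content-Type header.

// Allow-listed types and their leading-byte signatures.
const SIGNATURES = {
  "image/png": [[0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]],
  "image/jpeg": [[0xff, 0xd8, 0xff]],
  "image/gif": [
    [0x47, 0x49, 0x46, 0x38, 0x37, 0x61], // GIF87a
    [0x47, 0x49, 0x46, 0x38, 0x39, 0x61], // GIF89a
  ],
  "application/pdf": [[0x25, 0x50, 0x44, 0x46, 0x2d]], // "%PDF-"
};

// Signatures refused no matter what type the client declared.
const EXECUTABLE_SIGNATURES = [
  [0x4d, 0x5a],             // "MZ": Windows PE
  [0x7f, 0x45, 0x4c, 0x46], // ELF
  [0xcf, 0xfa, 0xed, 0xfe], // Mach-O 64-bit
  [0xca, 0xfe, 0xba, 0xbe], // Mach-O universal / Java class
  [0x23, 0x21],             // "#!": interpreter script
];

function startsWith(buf, sig) {
  if (buf.length < sig.length) return false;
  for (let i = 0; i < sig.length; i++) {
    if (buf[i] !== sig[i]) return false;
  }
  return true;
}

// Returns the sniffed MIME type, or null when no known signature matches.
function detectType(buf) {
  for (const [mime, sigs] of Object.entries(SIGNATURES)) {
    if (sigs.some((s) => startsWith(buf, s))) return mime;
  }
  return null;
}

// Decision for one upload: { ok, detected, reason }.
function validateUpload(buf, declaredMime, allowed = Object.keys(SIGNATURES)) {
  if (EXECUTABLE_SIGNATURES.some((s) => startsWith(buf, s))) {
    return { ok: false, detected: "executable", reason: "executable signature" };
  }
  const detected = detectType(buf);
  if (!detected) return { ok: false, detected: null, reason: "unknown signature" };
  if (!allowed.includes(detected)) return { ok: false, detected, reason: "type not allowed" };
  if (detected !== declaredMime) return { ok: false, detected, reason: "declared type mismatch" };
  return { ok: true, detected, reason: null };
}

// Constructed sample buffers (not real uploads) for trying the check.
const SAMPLES = {
  png: Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0, 0, 0, 0x0d]),
  exeNamedPng: Buffer.from([0x4d, 0x5a, 0x90, 0x00, 0x03, 0x00]),
  pdf: Buffer.from("%PDF-1.7\n%\xe2\xe3\xcf\xd3", "latin1"),
};

module.exports = { detectType, validateUpload, SAMPLES };
```

Sniffing the signature catches a renamed executable, but it is a complement to, not a replacement for, serving stored files with a fixed `Content-Type` and `Content-Disposition: attachment`, and for re-encoding images server-side, since a file can legitimately begin with an image header and still carry other content later in the byte stream.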

Payments handled by Stripe

  • We never see, store, or process card numbers — Stripe handles all PAN data
  • PCI DSS Level 1 compliant via Stripe's certification (the highest tier)
  • Stripe Connect: residents' dues flow directly to your building's bank account
  • We never touch your money — we only facilitate the transaction
  • Webhook signatures verified on every Stripe event

Compliance posture

  • PIPEDA-aligned data handling (Canada's Personal Information Protection and Electronic Documents Act)
  • SOC 2 Type II preparation in progress (target: 12 months from launch)
  • Annual third-party penetration test
  • Privacy officer designated; breach notification within 72 hours per PIPEDA
  • Standard data processing addendum (DPA) available for enterprise customers

Where your data lives

  • Hosted on AWS us-east-1 (Virginia), via Vercel and Neon
  • Canadian data residency available on Enterprise plan (AWS ca-central-1, Montreal)
  • No data is ever sent to third parties for AI training or analytics
  • Subprocessors disclosed publicly (Stripe, Resend, Twilio, Anthropic, Sentry, Cloudflare, Vercel, Neon)

People & process

  • All employees background-checked before access to production
  • Two-factor authentication mandatory for all team accounts
  • Production access is read-only by default and audited on every elevation
  • Quarterly security training and phishing simulations
  • Incident response runbook tested monthly

Found a vulnerability?

Email security@aedobuild.com or check our bug bounty page. We acknowledge reports within one business day.

Questions from your board?

Email sales@aedobuild.com. We answer security questionnaires (SIG, CAIQ, custom) and can sign a DPA for enterprise customers.