
Security & trust

We handle your data like the law already required us to.

Landlords hand us tenant SSNs, bank accounts, signed leases, and rent payments. Tenants trust landlords to keep that data locked down. Here's exactly what we do, what our vendors do, and what we're working toward — no marketing, no buzzwords.

Encrypted in transit and at rest

TLS 1.2+ on every request. AES-256 at rest via Supabase-managed Postgres on AWS. No data is stored unencrypted, ever.

Row-level isolation between workspaces

Postgres Row Level Security (RLS) gates every query. A landlord can never read another landlord's data, even through a misbehaving client.

Least-privilege access for our team

Production database access is scoped to Femi (founder) via Supabase's IAM. No shared passwords. Every access is audit-logged.

Honest about where we are

Pre-launch, bootstrapped. SOC 2 Type I is on the roadmap, not on the wall. We tell you what's in place today — not what we'd like you to believe.

Infrastructure

We don't roll our own crypto, auth, or payment processing. We pick vendors that are already audited to SOC 2 Type II — so the data your tenants give us lands on infrastructure that's been independently vetted.

| Vendor | Role | Compliance |
| --- | --- | --- |
| Supabase | Postgres database, authentication, file storage | SOC 2 Type II, HIPAA-eligible infrastructure (AWS) |
| Vercel | Application hosting, edge CDN, TLS termination | SOC 2 Type II, ISO 27001 |
| Stripe | Payment processing, rent collection, subscriptions | PCI DSS Level 1, SOC 1 + SOC 2 Type II |
| Cloudflare | DNS, DDoS protection, bot mitigation (Turnstile) | SOC 2 Type II, ISO 27001 |
| Resend | Transactional email (receipts, notices, auth) | SOC 2 Type II, SPF + DKIM + DMARC configured |
| Telnyx | SMS notifications and two-factor codes | SOC 2 Type II, HIPAA-eligible |
| Certn + Plaid | Tenant screening (credit, background) + bank verification | SOC 2 Type II, Gramm-Leach-Bliley compliant |

How your data is protected

The specifics, in plain English.

Encryption in transit
All traffic to domivy.app is forced to HTTPS (TLS 1.2 minimum). HSTS is enabled on the root domain. No plain-text data ever leaves your browser.
Encryption at rest
Your data lives in Supabase-managed Postgres on AWS. Storage volumes are encrypted with AES-256. Backups are encrypted with the same keys. Key management is handled by AWS KMS.
Tenant SSNs and banking data
Tenant screening and rent-payout data never land in our database. SSNs go directly from the tenant's browser to Certn (screening) over TLS. Bank accounts go directly to Plaid, then Stripe. We receive and store a reference token, never the full number.
Workspace isolation
Every row in our database carries a workspace ID. Postgres Row Level Security policies enforce that queries only return rows matching the authenticated user's workspace. Even a misconfigured API route can't leak another landlord's data.
Backups
Supabase performs daily automated backups with 7-day point-in-time recovery on paid tiers. We will test backup restoration quarterly once we reach 100 active workspaces.
Data residency
Primary database and file storage are in AWS us-east-1 (Virginia). We do not replicate customer data outside the United States.
Data deletion
When you close your workspace, data is soft-deleted immediately and hard-deleted after 30 days. You can request earlier hard-deletion in writing to legal@domivy.app.
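The workspace isolation described above (and under "Row-level isolation between workspaces"), worked through as an added SQL example. This is not Domivy's own schema or policy code: the table names, columns and the my_workspace_ids() helper are assumptions; auth.uid() and the authenticated/anon/service_role roles are Supabase's.

```sql
-- Assumed schema (constructed for this example; not Domivy's actual tables):
-- a membership table links Supabase auth users to workspaces, and every
-- customer-data table carries a workspace_id.
create table public.workspace_members (
  workspace_id uuid not null,
  user_id      uuid not null references auth.users (id) on delete cascade,
  primary key (workspace_id, user_id)
);

create table public.leases (
  id           uuid primary key default gen_random_uuid(),
  workspace_id uuid not null,
  tenant_name  text not null,
  rent_cents   integer not null check (rent_cents >= 0)
);

-- Workspaces the calling user belongs to. auth.uid() is Supabase's helper that
-- returns the JWT subject. security definer lets the function read
-- workspace_members even though that table is itself locked down below.
create or replace function public.my_workspace_ids()
returns setof uuid
language sql stable security definer
set search_path = public
as $$
  select workspace_id from public.workspace_members where user_id = auth.uid();
$$;

-- Members may only see their own membership rows.
alter table public.workspace_members enable row level security;
create policy members_self on public.workspace_members
  for select to authenticated using (user_id = auth.uid());

-- Leases: with RLS on and no matching policy, a query returns zero rows.
-- FORCE makes the policies apply to the table owner as well.
alter table public.leases enable row level security;
alter table public.leases force row level security;

-- USING filters reads/updates/deletes; WITH CHECK rejects inserts or updates
-- that would place a row in a workspace the caller does not belong to, even
-- when issued by a buggy API route running with the user's JWT.
create policy leases_own_workspace on public.leases
  for all to authenticated
  using (workspace_id in (select public.my_workspace_ids()))
  with check (workspace_id in (select public.my_workspace_ids()));

-- The anon role has no policy, so unauthenticated requests see nothing.
-- Caveat: Supabase's service_role key bypasses RLS entirely; keep it on the
-- server, never in the browser.
```

To verify a policy from the SQL editor, run a query after `set local role authenticated;` with the JWT claims set for a test user, and confirm that rows from any other workspace are absent.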

Access control

Who inside Domivy can see your data — and under what conditions.

Production access

Scoped to the founder (Femi) via Supabase's native IAM. Every admin query is logged in Supabase's audit log. No shared dashboards, no shared passwords.

Customer data access

Support access to your workspace requires your explicit grant inside the app (a time-boxed 'impersonation' session that you turn on and off). We can't log into your account without your action.

Multi-factor for everyone

All employee accounts on Supabase, Vercel, GitHub, and Google Workspace require hardware-backed MFA (WebAuthn or TOTP). Email-based 2FA is not accepted.

Compliance roadmap

What we're working toward, with real dates. Not aspirational — committed.

Pre-launch (Summer 2026)

Tenant-facing MFA

Tenants signing leases and making rent payments should be able to add TOTP-based MFA on their accounts. Landlord accounts get it first.

Q4 2026

SOC 2 Type I readiness audit

Independent auditor reviews our controls and policies. Gets us the artifacts procurement teams at bigger landlords ask for.

2027

SOC 2 Type II certification

Twelve-month continuous-controls audit. This is the report that unlocks enterprise deals and gives small landlords the same assurance.

2027

Bug bounty program

Public program via HackerOne or Intigriti once we're out of the earliest launch phase. Right now we accept disclosures via email (see below).

Report a vulnerability

Security researchers, thank you. Here's how to reach us.

Email security@domivy.app with:

  • A description of the vulnerability
  • Steps to reproduce (include URLs, payloads, screenshots)
  • The impact you believe it has
  • Your name / handle so we can credit you (optional)

Safe harbor

We will not pursue legal action against researchers who discover and report vulnerabilities in good faith. Don't access data beyond what's needed to demonstrate the issue, don't degrade service for other users, and give us a reasonable window to fix before public disclosure (90 days is standard).

Out of scope

  • Social engineering of Domivy employees or customers
  • Physical attacks on our office or infrastructure
  • DoS / DDoS (our vendors handle that — attack them if you want 😉 just kidding, don't)
  • Issues in third-party services that aren't under our control

For questions about this page, privacy requests, or data-subject access requests, email legal@domivy.app or see our Privacy Policy.