Security

Your data is yours, and we treat it that way.

This page is the practical version of what's in our privacy policy. No marketing, no certification theatre. Just a clear explanation of what we protect, how we protect it, and what we'd do if something went wrong.

Encryption + data handling

In transit, at rest, and in memory.

TLS 1.3 everywhere

All traffic — customer-facing sites, admin panels, APIs, webhooks — is served over TLS 1.3 with HSTS preload. Certificates renew automatically through Cloudflare, rotated every 90 days.
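For anyone reviewing the HSTS claim above, the following checker (an added illustration, not BrokerFold's code) parses a Strict-Transport-Security header and tests it against the preload-list requirements: a max-age of at least one year, includeSubDomains, and the preload directive. The sample headers are constructed; the optional live fetch helper is included for convenience and is not run by the offline samples.

```python
"""Validate a Strict-Transport-Security header against the HSTS preload
list requirements. Sample headers below are constructed, not captured
from any real site."""
from __future__ import annotations
import re

ONE_YEAR = 31_536_000  # seconds; the minimum max-age accepted for preload submission


def parse_hsts(header: str) -> dict[str, str]:
    """Split an HSTS header into a directive map.

    Directive names are case-insensitive (RFC 6797), so they are lower-cased;
    value-less directives such as includeSubDomains map to an empty string."""
    directives: dict[str, str] = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"')
    return directives


def check_preload_ready(header: str) -> list[str]:
    """Return the list of problems found; an empty list means the header qualifies."""
    problems: list[str] = []
    d = parse_hsts(header)
    if "max-age" not in d:
        problems.append("missing max-age directive")
    elif not re.fullmatch(r"\d+", d["max-age"]):
        problems.append(f"max-age is not an integer: {d['max-age']!r}")
    elif int(d["max-age"]) < ONE_YEAR:
        problems.append(f"max-age {d['max-age']} is below one year ({ONE_YEAR})")
    if "includesubdomains" not in d:
        problems.append("missing includeSubDomains")
    if "preload" not in d:
        problems.append("missing preload directive")
    return problems


def fetch_hsts_header(host: str, timeout: float = 5.0) -> str | None:
    """Fetch the live HSTS header over HTTPS (optional; not used by the offline samples)."""
    import http.client
    conn = http.client.HTTPSConnection(host, timeout=timeout)
    try:
        conn.request("HEAD", "/")
        return conn.getresponse().getheader("Strict-Transport-Security")
    finally:
        conn.close()


# Constructed sample headers covering the common ways a header falls short.
SAMPLE_HEADERS = {
    "ok": "max-age=63072000; includeSubDomains; preload",
    "short": "max-age=86400; includeSubDomains; preload",
    "no_sub": "max-age=31536000; preload",
    "bare": "max-age=31536000",
}

if __name__ == "__main__":
    for label, header in SAMPLE_HEADERS.items():
        print(label, check_preload_ready(header) or "preload-ready")
```

The header check is necessary but not sufficient: the preload list also requires that plain-HTTP requests redirect to HTTPS on the same host and that every subdomain is served over HTTPS, and a browser ignores the header entirely when it arrives over HTTP, so a full review also looks at the redirect chain.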

AES-256 at rest

Postgres is encrypted at rest on managed Supabase infrastructure. R2 object storage (listing images, media uploads) uses server-side AES-256. Backups inherit the same encryption.

Secrets stay out of code

API keys, DB credentials, and service tokens live in Vercel's encrypted env storage. Nothing sensitive is ever written to logs, error payloads, or Git history.

Password hashing

User passwords are hashed with scrypt (Supabase Auth defaults). We never see a plaintext password — not in logs, not in support tickets, not in backups.
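To show what scrypt hashing looks like in practice, here is an added illustration using Python's standard library. It is not Supabase Auth's implementation, and the cost parameters (n, r, p) and storage format are chosen here rather than taken from Supabase. It stores a random salt and the parameters alongside the hash, verifies in constant time, and flags hashes minted under a weaker policy for re-hashing at next login.

```python
"""Password hashing with scrypt: salted hash, self-describing storage format,
constant-time verification and a cost-upgrade check. The cost parameters
below are chosen for this illustration and are not Supabase Auth's settings."""
from __future__ import annotations
import base64
import hashlib
import hmac
import os

# Current policy: n (CPU/memory cost), r (block size), p (parallelism).
N, R, P = 2 ** 14, 8, 1
SALT_BYTES, KEY_BYTES = 16, 32
MAXMEM = 64 * 1024 * 1024  # refuse to compute a hash that needs more than 64 MiB


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def hash_password(password: str, n: int = N, r: int = R, p: int = P) -> str:
    """Return 'scrypt$n$r$p$salt$key' using a fresh random salt."""
    salt = os.urandom(SALT_BYTES)
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p,
                         maxmem=MAXMEM, dklen=KEY_BYTES)
    return f"scrypt${n}${r}${p}${_b64(salt)}${_b64(key)}"


def _parse(stored: str):
    """Split a stored hash into (n, r, p, salt, key); None if malformed."""
    try:
        algo, n, r, p, salt, key = stored.split("$")
        if algo != "scrypt":
            return None
        return int(n), int(r), int(p), base64.b64decode(salt), base64.b64decode(key)
    except (ValueError, TypeError):
        return None


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored parameters and compare in constant time."""
    parsed = _parse(stored)
    if parsed is None:
        return False
    n, r, p, salt, key = parsed
    try:
        candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p,
                                   maxmem=MAXMEM, dklen=len(key))
    except ValueError:
        # Parameters out of range (a corrupted or hostile record): treat as a failed check.
        return False
    return hmac.compare_digest(candidate, key)


def needs_rehash(stored: str) -> bool:
    """True when the stored hash is malformed or uses weaker cost parameters than policy."""
    parsed = _parse(stored)
    if parsed is None:
        return True
    n, r, p, _, _ = parsed
    return n < N or r < R or p < P


def demo() -> dict:
    """Exercise the helpers on a constructed password and report the outcomes."""
    pw = "correct horse battery staple"  # constructed sample, not a real credential
    h1, h2 = hash_password(pw), hash_password(pw)
    legacy = hash_password(pw, n=2 ** 12)  # a hash minted under an older, weaker policy
    return {
        "verify_ok": verify_password(pw, h1),
        "verify_wrong": verify_password(pw + "!", h1),
        "salts_differ": h1 != h2,
        "malformed_rejected": verify_password(pw, "md5$deadbeef"),
        "legacy_needs_rehash": needs_rehash(legacy),
        "current_ok": not needs_rehash(h1),
    }


if __name__ == "__main__":
    print(demo())
```

Because the parameters travel with the hash, a future increase in N is a one-line policy change: existing records keep verifying, and needs_rehash lets the login path upgrade them transparently once the user has authenticated.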

Data residency

Your data stays in Canada.

Because Canadian MLS boards require it, because your buyers' PIPEDA rights require it, and because it's the right default.

  • Primary database

    Supabase Postgres in the us-east-1 region by default. Canadian residency (ca-central-1) is available on Team+ plans at no extra cost — just ask during onboarding.

  • Object storage

    Cloudflare R2 with Canadian edge caching. Listing photos mirrored from MLS boards are held only as long as the listing is active.

  • AI processing

    AI inference runs on Anthropic and OpenAI infrastructure. We configure both to the no-training option — your leads, messages, and listings are never used to train any model.

  • Email

    Transactional email via Resend, sent from mail.brokerfold.com so our reputation is isolated from your own Workspace domain.

Authentication

Least-privilege by default.

  • Multi-factor auth

    TOTP-based MFA for every BrokerFold account. WebAuthn / passkeys available. Required on Team+ plans; optional but strongly encouraged on solo plans.

  • Session hygiene

    Sessions expire after 30 days of inactivity; JWTs rotate on every refresh. You can view and revoke active sessions from your account settings.

  • Role-based access

    Team and Brokerage plans get granular roles — owner, admin, agent, assistant — each with scoped permissions on contacts, listings, billing, and settings.

  • SSO (SAML / OIDC)

    Available on Brokerage plans. Bring your own IdP — Okta, Entra, Google Workspace, or any SAML 2.0 provider.
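The session hygiene bullet above (30-day inactivity expiry, tokens rotated on every refresh, revocable sessions) maps onto a small amount of server-side state. The following is an added illustration of that logic, not BrokerFold's code: refresh tokens are modelled as opaque random strings rather than JWTs, only a hash of each token is stored, time is passed in explicitly so the expiry rules can be exercised without a clock, and presenting a token that has already been rotated out revokes the whole session (reuse detection), which the page does not claim and is assumed here as the usual companion to rotation.

```python
"""Session store with a 30-day inactivity limit, refresh-token rotation,
reuse detection and per-user session listing. Illustration only; tokens
are opaque random strings, not JWTs."""
from __future__ import annotations
import hashlib
import secrets
from dataclasses import dataclass, field

INACTIVITY_LIMIT = 30 * 24 * 3600  # seconds; the 30-day policy stated above


def _fingerprint(token: str) -> str:
    # Only a hash of each token is persisted, so a leaked table yields no usable tokens.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


@dataclass
class Session:
    user_id: str
    created_at: float
    last_seen: float
    current_fp: str                                      # fingerprint of the one valid token
    retired_fps: set[str] = field(default_factory=set)   # fingerprints already rotated out
    revoked: bool = False


class SessionStore:
    def __init__(self) -> None:
        self.sessions: dict[str, Session] = {}
        self.by_fp: dict[str, str] = {}  # fingerprint -> session id, current and retired

    def create(self, user_id: str, now: float) -> tuple[str, str]:
        """Start a session; returns (session id, refresh token)."""
        token = secrets.token_urlsafe(32)
        sid = secrets.token_hex(8)
        self.sessions[sid] = Session(user_id, now, now, _fingerprint(token))
        self.by_fp[_fingerprint(token)] = sid
        return sid, token

    def refresh(self, token: str, now: float) -> str:
        """Rotate the refresh token; raises PermissionError when the session is not usable."""
        fp = _fingerprint(token)
        sid = self.by_fp.get(fp)
        if sid is None:
            raise PermissionError("unknown refresh token")
        s = self.sessions[sid]
        if s.revoked:
            raise PermissionError("session revoked")
        if now - s.last_seen > INACTIVITY_LIMIT:
            s.revoked = True
            raise PermissionError("session expired after 30 days of inactivity")
        if fp in s.retired_fps:
            # A token that was already rotated out is being presented again. Whether the
            # client replayed it or a copy leaked, the safe response is to end the session.
            s.revoked = True
            raise PermissionError("refresh token reuse detected; session revoked")
        s.retired_fps.add(fp)
        new_token = secrets.token_urlsafe(32)
        s.current_fp = _fingerprint(new_token)
        self.by_fp[s.current_fp] = sid
        s.last_seen = now
        return new_token

    def revoke(self, sid: str) -> None:
        """What the 'revoke active session' button in account settings would call."""
        self.sessions[sid].revoked = True

    def active_sessions(self, user_id: str, now: float) -> list[str]:
        return [sid for sid, s in self.sessions.items()
                if s.user_id == user_id and not s.revoked
                and now - s.last_seen <= INACTIVITY_LIMIT]


def demo() -> dict:
    """Walk through rotation, replay, revocation and idle expiry on constructed data."""
    store = SessionStore()
    sid, t0 = store.create("agent-17", now=0.0)  # constructed user id
    t1 = store.refresh(t0, now=60.0)             # normal rotation
    out = {"rotated": t1 != t0,
           "active_before": len(store.active_sessions("agent-17", 60.0))}
    for label, tok, when in (("replay_rejected", t0, 120.0),
                             ("current_rejected_after_replay", t1, 130.0)):
        try:
            store.refresh(tok, now=when)
            out[label] = False
        except PermissionError:
            out[label] = True
    out["active_after"] = len(store.active_sessions("agent-17", 130.0))
    _, t2 = store.create("agent-17", now=0.0)
    try:
        store.refresh(t2, now=float(INACTIVITY_LIMIT + 1))
        out["idle_expired"] = False
    except PermissionError:
        out["idle_expired"] = True
    return out


if __name__ == "__main__":
    print(demo())
```

Keeping the retired fingerprints is what makes rotation worth doing: without them a stolen older token would simply read as "unknown" and the legitimate session would carry on unaware.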

Resilience

When something goes wrong — and it will — we plan for it.

Continuous backups

Point-in-time recovery on Postgres with a 7-day window on Starter and 30 days on Team+. We test restores quarterly; our RPO target is 1 minute, RTO target is 1 hour.

Uptime

99.95% target on the tenant edge, measured on a quarterly rolling window. Status dashboard coming soon (Q2 2026) with public incident history.

Incident response

Any incident affecting customer data, availability, or integrity triggers a written post-mortem within 5 business days. Published publicly on the status page once our customers have been notified.

Responsible disclosure

Found something? Tell us — we'll thank you for it.

If you've identified a vulnerability in BrokerFold, please email support@brokerfold.com with as much detail as you can share — repro steps, affected endpoints, a proof of concept if safe. We'll acknowledge within one business day and work the issue with you until it's resolved.

  • We don't threaten legal action against good-faith researchers.
  • We credit reporters publicly (if you want) in the incident post-mortem.
  • We don't run a bug bounty today, but we send real thank-you notes — and our most serious reports get a meaningful reward.

Compliance posture

Honest about where we are.

We're building toward the certifications that matter for Canadian real estate. Here's the plain truth about today and the next 18 months.

Today

PIPEDA + CASL aligned

BrokerFold is built to meet PIPEDA obligations for personal information and CASL rules for electronic communications. A full privacy statement is in the privacy policy.

Today

MLS data handling

We honour the data-use terms of every board we connect to — no public IDX scraping, no data resale, no retention past listing expiry.

In progress (2026)

SOC 2 Type I

Controls are being implemented now; we target a Type I audit late 2026. Type II to follow once we have a year of evidence.

Planned (2027)

ISO 27001

Scoped as the next certification after SOC 2 Type II. Not a near-term commitment, but on the radar for enterprise brokerage customers.

Questions we haven't answered here?

Security reviews, vendor questionnaires, DPA requests — send them our way and we'll turn them around within a week.

support@brokerfold.com