Security & trust
Security you can hand to your IT team
You're trusting PropFlow with residents' details, lease documents and rent. Here's exactly how we keep it isolated, encrypted, and in your control - in plain language, no marketing spin.
Per-organization isolation
Your data is walled off from every other company. Each request is scoped to your organization at the database layer - not just hidden in the interface - so one company can never read another's residents, leases or payments.
Encrypted in transit and at rest
Traffic runs over TLS. Your data sits in an encrypted database, and sensitive credentials like accounting connections are encrypted with a separate key on top of that.
Role-based access
People see only what their role allows. Owners, managers, staff and field workers each get a scoped view, and financial and leasing data stay behind the right permissions.
Trusted devices
See every device signed in to your account and where it was last active - and sign any of them out instantly from your Device Center.
Audit logging
Sensitive administrative actions are recorded, so account activity can be reviewed after the fact - who did what, and when.
PCI-compliant payments
Card numbers never touch our servers. Payments run through Stripe (a PCI Level 1 provider); we only ever keep the last four digits for your reference.
Abuse protection
Sign-in, password-reset and contact endpoints are rate-limited to blunt brute-force and spam, and one-time links expire and can't be reused.
Hardened by default
Modern browser protections are on out of the box: strict transport security, a content-security-policy, secure cookies and cross-site-request protection.
Daily backups
Your database is backed up automatically every day by our managed hosting provider, so data can be restored if the worst happens.
How rent stays safe
Rent is collected through Stripe with funds paid out to your own connected bank account. Because card and bank details are handled entirely by Stripe and never stored on our systems, PropFlow stays within the simplest PCI scope (SAQ-A). Every payment is recorded against the lease with a full history you can audit.
On the way
What we're adding next
We'd rather tell you what isn't built yet than imply it is. These are in progress.
Two-factor authentication
An extra step at sign-in for admins.
Passkeys & biometric sign-in
Sign in with Face ID / Touch ID.
Self-serve data export & deletion
Download or remove your data on request.
SOC 2
Independent security attestation.
Have a security question?
Send it over - we'll answer specifics for your team, and share what's on our roadmap.