Security & trust

Security you can hand to your IT team

You're trusting PropFlow with residents' details, lease documents and rent. Here's exactly how we keep it isolated, encrypted, and in your control - in plain language, no marketing spin.

Per-organization isolation

Your data is walled off from every other company. Each request is scoped to your organization at the database layer - not just hidden in the interface - so one company can never read another's residents, leases or payments.

Encrypted in transit and at rest

Traffic runs over TLS. Your data sits in an encrypted database, and sensitive credentials like accounting connections are encrypted with a separate key on top of that.

Role-based access

People see only what their role allows. Owners, managers, staff and field workers each get a scoped view, and financial and leasing data stay behind the right permissions.

Trusted devices

See every device signed in to your account and where it was last active - and sign any of them out instantly from your Device Center.

Audit logging

Sensitive administrative actions are recorded, so account activity can be reviewed after the fact - who did what, and when.

PCI-compliant payments

Card numbers never touch our servers. Payments run through Stripe (a PCI Level 1 provider); we only ever keep the last four digits for your reference.

Abuse protection

Sign-in, password-reset and contact endpoints are rate-limited to blunt brute-force and spam, and one-time links expire and can't be reused.

Hardened by default

Modern browser protections are on out of the box: strict transport security, a content-security-policy, secure cookies and cross-site-request protection.

Daily backups

Your database is backed up automatically every day by our managed hosting provider, so data can be restored if the worst happens.

How rent stays safe

Rent is collected through Stripe with funds paid out to your own connected bank account. Because card and bank details are handled entirely by Stripe and never stored on our systems, PropFlow stays within the simplest PCI scope (SAQ-A). Every payment is recorded against the lease with a full history you can audit.

On the way

What we're adding next

We'd rather tell you what isn't built yet than imply it is. These are in progress.

Coming soon

Two-factor authentication

An extra step at sign-in for admins.

Coming soon

Passkeys & biometric sign-in

Sign in with Face ID / Touch ID.

Coming soon

Self-serve data export & deletion

Download or remove your data on request.

Coming soon

SOC 2

Independent security attestation.

Have a security question?

Send it over - we'll answer specifics for your team, and share what's on our roadmap.