Your data,
protected.
We handle sensitive compliance data for NYC property portfolios. That means we build the product around security first — not as an afterthought.
Infrastructure
Reputable cloud providers
BoroBeacon is built on top of SOC 2 Type II–audited infrastructure, database, and email-delivery providers. We pick vendors we would trust with our own business and we change them if they stop meeting our bar.
US-based data residency
Customer data is stored in the US East region. All traffic between your browser, our app, and our database travels over TLS 1.2+.
Automated backups
Our database provider takes nightly encrypted backups with a point-in-time recovery window. Backups are tested quarterly.
Application security
Row-level security
Every database table uses PostgreSQL RLS policies so that agents only see buildings assigned to them, admins only see their own organization, and no request can bypass RLS unless it originates from a server function using our service-role key.
Secrets hygiene
Secrets live only in the hosting provider environment. No secrets in git. We rotate on every suspected leak and on every offboarding of a team member with production access.
Strict access controls
Admin access to production systems is limited to named individuals with two-factor authentication. Access is reviewed quarterly and revoked immediately on role change.
Dependency scanning
We use GitHub Dependabot and npm audit to catch vulnerable dependencies before they ship, and we apply security patches within one week of disclosure.
Security headers
Every BoroBeacon response emits X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, and HSTS. Authentication cookies set by Supabase Auth are Secure and HttpOnly with SameSite=Lax.
Authentication
Password hashing
Passwords are hashed by our authentication provider using bcrypt. We never store or transmit plaintext passwords.
Session management
Sessions are short-lived JWTs with automatic refresh. Changing your password invalidates all other sessions. Password reset requires email verification.
Step-up re-authentication
Password changes from inside the app require re-entering your current password, even if your session is valid. Session theft cannot silently pivot to account takeover.
Data handling
Least-privilege AI processing
When AI summarization runs, the prompt contains only the specific violation or complaint fields needed to generate the summary (agency, violation number, class, description, location). No account credentials, organization-wide data, or full building portfolio leaves the server. Inbound-email parsing additionally narrows address-matching candidates locally before any prompt is built, so we send Anthropic only the small subset of buildings whose street number plausibly matches.
Email deliverability
We sign outbound email with SPF, DKIM, and DMARC. Every transactional message includes RFC 8058 List-Unsubscribe headers so recipients can opt out with one click.
Data export and deletion
You can export all of your data at any time from account settings, and you can request deletion by emailing privacy@borobeacon.com. We complete deletion within 30 days.
If something does go wrong
No system is perfectly secure. What matters is how fast you find out, how fast we contain it, and how honest we are with you afterward. Here is exactly what happens if we detect a security incident.
Detect
We monitor application errors, authentication failures, and unusual database activity. Critical alerts page on-call within minutes.
Contain
On detection we cut off attacker access (revoke keys, block IPs, disable affected accounts) before investigating.
Investigate
We reconstruct exactly what was accessed, by whom, and from where. Logs are preserved for forensic review.
Notify
Affected customers are notified within 72 hours of confirmation, even if the investigation is ongoing. Regulatory notifications follow on their required timelines.
Post-mortem
Within 7 days we publish a written post-mortem describing what happened, root cause, remediation, and what we changed to prevent recurrence.
Found a vulnerability?
Please email security@borobeacon.com with details. Include steps to reproduce, the impact, and any proof-of-concept code. We ask that you:
- Give us a reasonable window (at least 90 days) before public disclosure.
- Do not access or modify customer data beyond what is strictly needed to prove the issue.
- Do not perform denial-of-service or social-engineering attacks.
- Do not publicly disclose the issue before we have had a chance to fix it.
In return, we will respond within one business day, keep you updated through remediation, credit you in our acknowledgments (if you want), and never pursue legal action against researchers acting in good faith.
Certifications and agreements
BoroBeacon itself is not yet SOC 2 audited — we are a young company and have been transparent about our security posture rather than hiding behind a badge. Here is where we stand today and what is on the roadmap.
GDPR & CCPA
We honor data access, correction, and deletion requests worldwide.
DPA available
Data Processing Agreements are available on request for any plan.
SOC 2 Type I
Audit scoped; target delivery within 12 months of launch.
Questions about security?
Security and privacy inquiries go directly to our engineering team and get answered fast.