Security Practices
We take the security of your financial data seriously. Here's how we protect your information at every level.
Encryption in Transit
All data transmitted between your browser and our servers is encrypted using 256-bit SSL/TLS. We enforce HTTPS on all connections and use HSTS headers to prevent downgrade attacks.
Encryption at Rest
All stored data — including invoices, proposals, client information, and financial records — is encrypted at rest using AES-256 encryption in our Supabase-hosted PostgreSQL database.
Row-Level Security
We use Supabase Row-Level Security (RLS) policies to ensure every database query is scoped to the authenticated user. Your data is isolated at the database level — no user can access another user's records, even in the event of an application-level vulnerability.
Payment Security
Propcraft never stores credit card numbers, CVVs, or sensitive payment card data. All payment processing is handled by PCI DSS-compliant processors: Razorpay (for Indian payments including UPI, cards, and netbanking) and Dodo Payments (for international card payments). Card data never touches our servers.
Access Controls
Authentication is handled via Supabase Auth with secure session management. We support email/password authentication with bcrypt hashing. All API routes verify authentication tokens before processing requests.
Secure Communications
Transactional emails (invoice delivery, payment notifications) are sent via Resend with DKIM and SPF authentication. We never send sensitive financial data in email bodies — clients access invoices through secure, authenticated portal links.
Infrastructure
Propcraft is hosted on Render with automated deployments, health checks, and zero-downtime deploys. Our database is hosted on Supabase with automated daily backups, point-in-time recovery, and geographic redundancy. All infrastructure providers maintain SOC 2 Type II compliance.
Data Isolation
Every API request is authenticated and authorized. Database queries use parameterized statements to prevent SQL injection. File uploads are validated for type and size before processing. Cross-site scripting (XSS) and cross-site request forgery (CSRF) protections are implemented at the application level.
Incident Response
In the event of a security incident, we will notify affected users within 72 hours of discovery, provide details of the incident and affected data, take immediate steps to contain and remediate the issue, and conduct a post-incident review to prevent recurrence.
Responsible Disclosure
If you discover a security vulnerability in Propcraft, please report it responsibly. Do not exploit the vulnerability or access data beyond what is necessary to demonstrate the issue.
Report vulnerabilities to: security@propcraft.app
We aim to acknowledge reports within 48 hours and provide a fix timeline within 5 business days.