1. Overview
PropVerified is committed to protecting the data of our users and the individuals whose information appears in property records. This policy outlines the technical and organizational measures we implement to safeguard data.
2. Data Classification
We classify data into the following categories:
- User Account Data: Email, name, company, hashed passwords, API keys.
- Financial Data: Subscription status, token balance, payment history. Credit card details are handled exclusively by Stripe.
- Property Data: Public records, valuations, ownership, and mortgage information sourced from third-party providers.
- Usage Data: API call logs, endpoint usage, and consumption metrics.
3. Technical Security Measures
- Encryption in Transit: All connections use TLS 1.2+ (HTTPS). API keys are transmitted only over encrypted channels.
- Encryption at Rest: Database storage uses encrypted volumes. Sensitive fields (passwords) are hashed using bcrypt.
- API Key Security: API keys are generated using cryptographically secure random generators. Keys are hashed before storage; the plaintext key is shown only once at creation.
- Authentication: JWT-based authentication with short-lived access tokens and refresh token rotation.
- Access Controls: Role-based access ensures users can only access their own company's data.
4. Infrastructure Security
- Application deployed in isolated containers with minimal attack surface.
- Database access restricted to internal network only (no public exposure).
- Regular dependency updates and vulnerability scanning.
- Redis cache secured with authentication and internal-only access.
5. Data Minimization
We collect and store only the data necessary to provide the Service. Unnecessary fields from third-party data sources are stripped before storage. Cached property data is retained for a limited period (configurable, default 30 days) and refreshed on subsequent requests.
6. Third-Party Data Providers
We integrate with the following providers, each with their own data protection practices:
- DataTree (First American): Property records and public data.
- Apify/Zillow: Property listings and market data.
- Enformion: Contact and property search data.
- ATTOM: Property, mortgage, and owner data.
- Stripe: Payment processing (PCI DSS Level 1 certified).
We share only the minimum data necessary (typically a property address) with these providers to fulfill requests.
7. Data Breach Response
In the event of a data breach:
- We will investigate and contain the incident within 24 hours.
- Affected users will be notified within 72 hours.
- Compromised API keys will be revoked immediately.
- A post-incident report will be produced with remediation steps.
8. Data Deletion & Portability
Users can request full account deletion through Settings or by contacting support. Upon deletion:
- Account data is permanently removed within 30 days.
- API usage logs are anonymized.
- Cached property reports associated with the account are purged.
9. Compliance
PropVerified operates in compliance with applicable data protection regulations, including the CCPA (California Consumer Privacy Act). We honor Do Not Track signals and data access requests from California residents.
10. Contact
For data protection inquiries, contact our data protection team at privacy@propverified.com.