Security Overview
REIntel, Inc. treats customer data as a first-class asset. This page summarizes the technical and organizational controls protecting the Service. Enterprise customers can request additional detail or a security questionnaire at dennypatterson.re@outlook.com.
1. Hosting and Infrastructure
The Service is hosted on Vercel and Supabase, both in US-East regions. Vercel provides edge routing and serverless function execution; Supabase provides Postgres, authentication, and object storage. Both vendors maintain independent SOC 2 Type II attestations and ISO 27001 certifications, available on request.
2. Encryption
- In transit: all customer-facing traffic uses TLS 1.2 or later, enforced via HSTS.
- At rest: production database and object storage are encrypted at rest using AES-256.
- Secrets: credentials and API keys live in Vercel Environment Variables (encrypted at rest, decrypted only at function-invocation time) and are not stored in source control.
3. Access Control
- Production data access is limited to named operators with individual credentials.
- Admin operations on the database use Postgres service-role keys held only in server-side environments.
- Multi-factor authentication is required on the Vercel and Supabase administrative consoles.
- The principle of least privilege governs both human and service-account access.
4. Privacy-Preserving Telemetry
Visitor IP addresses are hashed with HMAC-SHA256 using a server-side secret before storage. Raw IPs are never persisted. Approximate geolocation (country, region, city) is derived from request headers at the edge.
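The hashing step described above, sketched in Python as an added example (not REIntel's code; the key, function names and sample addresses are constructed for illustration). It canonicalizes the address before the HMAC so one visitor maps to one pseudonym, and contrasts the result with an unkeyed SHA-256, which anyone can reverse by enumerating the address space.

```python
import hashlib
import hmac
import ipaddress
from typing import Callable, Optional

# Constructed demo key; a real deployment would load a random secret from its
# server-side environment and never hard-code it.
DEMO_SECRET = b"constructed-demo-key-not-a-real-secret"


def canonical_ip(raw: str) -> str:
    """One canonical text form per address; raises ValueError on non-IP input."""
    addr = ipaddress.ip_address(raw.strip())
    # Dual-stack listeners report IPv4 clients as ::ffff:a.b.c.d; unwrap them.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr.compressed


def pseudonymize_ip(raw: str, secret: bytes = DEMO_SECRET) -> str:
    """HMAC-SHA256 of the canonical address, hex encoded; the raw IP is not kept."""
    msg = canonical_ip(raw).encode("ascii")
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def unkeyed_hash(raw: str) -> str:
    """Plain SHA-256, shown only for contrast: no secret is needed to recompute it."""
    return hashlib.sha256(canonical_ip(raw).encode("ascii")).hexdigest()


def recover_by_enumeration(target: str, network: str,
                           hasher: Callable[[str], str]) -> Optional[str]:
    """Hash every address in `network` with `hasher`; return the one matching `target`."""
    for candidate in ipaddress.ip_network(network):
        if hmac.compare_digest(hasher(str(candidate)), target):
            return str(candidate)
    return None


if __name__ == "__main__":
    ip = "203.0.113.7"  # constructed sample from the documentation range
    print("keyed  :", pseudonymize_ip(ip))
    print("unkeyed:", unkeyed_hash(ip))
    # Without the key, only the unkeyed digest can be matched back to an address.
    print(recover_by_enumeration(unkeyed_hash(ip), "203.0.113.0/24", unkeyed_hash))
    print(recover_by_enumeration(pseudonymize_ip(ip), "203.0.113.0/24", unkeyed_hash))
```

Rotating the secret changes every pseudonym, so values stored under different keys cannot be joined.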
5. Application Security
- Input validation and parameterized queries on all database access.
- Content Security Policy and standard browser security headers.
- Row-Level Security policies on user-scoped tables.
- Automated dependency scanning via GitHub.
- Branch protection on the production deployment branch.
6. Payment Security
All payment data is collected and processed by Stripe directly. Stripe is PCI DSS Level 1 certified. REIntel does not store, transmit, or process card data — we receive only a Stripe customer identifier and subscription metadata.
7. Monitoring and Incident Response
- Vercel runtime logs are retained and reviewed for anomalies.
- Supabase Audit Log records administrative actions on the database.
- Confirmed security incidents trigger an internal incident-response playbook; affected customers are notified within seventy-two (72) hours per our DPA.
8. Backups and Disaster Recovery
Supabase performs automated daily backups of the production database with seven-day point-in-time recovery on standard plans (longer retention available on request). Critical configuration is reproducible from source control.
9. Certifications and Roadmap
REIntel currently relies on the SOC 2 Type II and ISO 27001 certifications of its underlying infrastructure providers (Vercel, Supabase, Stripe). An independent SOC 2 Type II audit of REIntel as a service provider is on the roadmap; enterprise customers may request the current status of that program.
10. Responsible Disclosure
Report a suspected vulnerability to dennypatterson.re@outlook.com with the subject line "Security Report." We will acknowledge within two (2) business days and work with you in good faith on a coordinated remediation timeline.