Security policy — RentersActReady

Last updated: 12 May 2026.

RentersActReady is operated by Crocker Digital Ltd. This page describes the measures we apply to keep your data safe, how to report a security issue, and what we do not promise. For business customers, the contractual technical and organisational measures are set out in Schedule 2 of our Data Processing Agreement — the DPA is the canonical source. This page is a plain-English summary of it.

What we do

Encryption

  • In transit. HTTPS enforced on every public endpoint. HSTS preload. TLS 1.2 minimum. Unencrypted connections are not accepted.
  • At rest. Postgres volumes are encrypted at rest (AES-256) by the Supabase-managed infrastructure. Storage objects are encrypted at rest by the same infrastructure. Automated daily backups are encrypted, and point-in-time recovery is available over a minimum 7-day window.

Access control

  • Row-level security (RLS). Every Postgres table that stores customer data has row-level security policies. Authenticated client calls go through the user's session; service-role calls are confined to the server runtime and never reach the browser.
  • Authentication. Supabase Auth with email + password. Password reset requires a signed link. Session cookies are first-party.
  • Personnel. Production access is granted on the principle of least privilege and reviewed quarterly. Personnel with production access are bound by written confidentiality obligations.

Application security

  • Bot challenge. Signup, login, and forgot-password are protected by Cloudflare Turnstile to stop automated sign-up floods.
  • Rate limiting. Sensitive endpoints are rate-limited via Upstash Redis to deter brute-force attempts.
  • Input validation. API inputs are validated server-side via schema validation (Zod).
  • Security headers. Site-wide baseline includes Content-Security-Policy, Strict-Transport-Security, Referrer-Policy, X-Frame-Options, X-Content-Type-Options, and Permissions-Policy. Authenticated dashboard surfaces additionally emit noindex and no-store.
  • Error monitoring. Sentry captures application errors with request bodies stripped before the report leaves the server.

Audit trail

  • Append-only audit log. Security-relevant events (sign-in, data export, account deletion, admin actions) are recorded in an audit_logs table that is append-only by design — a database trigger blocks UPDATE and DELETE so a compromised admin account cannot rewrite history.
  • Retention. The audit ledger is retained indefinitely. Minimum floor: the six-year limitation period under section 5 of the Limitation Act 1980. On account hard-delete the actor_id column is unlinked so the trail survives without your user reference.
  • PII minimisation. PII is stripped from log entry payloads themselves — only identifiers and action metadata are retained.
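As an illustration of the append-only design described above, here is an added Postgres example (not RentersActReady's own schema): a trigger that rejects every DELETE and every UPDATE on the audit table except the one the account sweep needs, clearing actor_id. Everything except the audit_logs and actor_id names is assumed; auth.users and auth.uid() are the Supabase Auth conventions.

```sql
-- Added example, not the project's own code. Column names other than
-- actor_id are assumptions; metadata holds identifiers and action
-- metadata only, never PII.
create table if not exists audit_logs (
  id          bigint generated always as identity primary key,
  occurred_at timestamptz not null default now(),
  actor_id    uuid references auth.users (id) on delete set null,
  action      text not null,        -- e.g. 'sign_in', 'data_export'
  target_type text,
  target_id   text,
  metadata    jsonb not null default '{}'::jsonb
);

-- Reject DELETE outright. Reject UPDATE unless the only change is
-- actor_id going from a value to NULL: that is exactly what the FK's
-- ON DELETE SET NULL performs when a user row is hard-deleted, and in
-- Postgres that referential action fires this row trigger too.
create or replace function audit_logs_append_only()
returns trigger language plpgsql as $$
begin
  if tg_op = 'DELETE' then
    raise exception 'audit_logs is append-only: DELETE rejected';
  end if;
  if old.actor_id is not null and new.actor_id is null
     and row(new.id, new.occurred_at, new.action,
             new.target_type, new.target_id, new.metadata)
         is not distinct from
         row(old.id, old.occurred_at, old.action,
             old.target_type, old.target_id, old.metadata) then
    return new;   -- permitted: unlink the actor, keep the event intact
  end if;
  raise exception 'audit_logs is append-only: UPDATE rejected';
end;
$$;

create trigger audit_logs_no_rewrite
  before update or delete on audit_logs
  for each row execute function audit_logs_append_only();

-- RLS so browser sessions can read their own rows and write nothing;
-- server-side (service-role) inserts bypass RLS but not the trigger.
alter table audit_logs enable row level security;
create policy audit_logs_select_own on audit_logs
  for select to authenticated using (actor_id = auth.uid());
```

A quick check after deploying: run `delete from audit_logs where id = 1` as the application role and confirm it raises rather than silently deleting zero rows.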

Sub-processor governance

Sub-processors are listed at /legal/subprocessors/. Each holds its own SOC 2 Type II report or equivalent (Supabase, Stripe, Netlify, Sentry). International transfers are governed by the UK International Data Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses; the inventory of restricted transfers and the mechanisms relied on is in DPA Schedule 3 and on the sub-processors page. Customers receive at least 30 days' notice of sub-processor additions or replacements.

Vulnerability management

  • Dependencies are tracked and security patches applied within 30 days of vendor release for high-severity CVEs, or sooner if a vulnerability is actively exploited.
  • The build pipeline runs npm audit on every CI run; failures block deploy.

Deletion and recovery

  • Account deletion follows the published Data Retention and Deletion policy — soft-delete for 90 days, then hard-delete by a scheduled sweep. The window exists so you can change your mind; email support if you need to restore.
  • Storage objects under your user-id prefix are removed by the same sweep. Signed download URLs are issued with a 60-second expiry.

Reporting a security issue

Email security@rentersactready.co.uk with:

  • A description of the vulnerability or issue.
  • A proof-of-concept that demonstrates the impact (without exfiltrating real user data beyond what is strictly necessary).
  • The environment you observed the issue in (production at https://rentersactready.co.uk, staging at https://staging--val-rentersactready.netlify.app, or a local checkout of the public source).
  • Your preferred contact method for follow-up.

We commit to:

  • Acknowledging your report within 2 working days.
  • A first-pass triage response within 5 working days.
  • Keeping you informed of progress at reasonable intervals during remediation.
  • Crediting you in the remediation notes (if you wish) once the fix is published.

Scope

In-scope targets:

  • Production: https://rentersactready.co.uk and https://www.rentersactready.co.uk
  • Staging: https://staging--val-rentersactready.netlify.app
  • API routes under /api/*
  • Email links at *@rentersactready.co.uk or *@mail.rentersactready.co.uk

Out-of-scope (please do NOT test):

  • Supabase, Stripe, Netlify, Resend, or Sentry infrastructure as such — report directly to those vendors.
  • Social-engineering attacks against our staff or customers.
  • Denial-of-service at a rate that affects other users.
  • Physical security.

Safe-harbour

If you follow this policy, we will:

  • Not pursue civil or criminal action against you for good-faith testing that complies with the scope and limits above.
  • Work with you on coordinated disclosure — we aim to remediate within 90 days of a valid report and will agree a public disclosure timeline with you before that point.

PGP

We do not currently publish a PGP public key. If you need end-to-end encryption for a particularly sensitive report, mention this in your first email and we will arrange a secure channel (Signal, ProtonMail-to-ProtonMail, or an equivalent).

Bug-bounty programme

We do not operate a paid bug-bounty programme. We are happy to publicly acknowledge researchers who submit valid reports under this policy.

Incident response

We operate a written incident-response runbook. For confirmed personal-data breaches affecting customer data, our DPA commits us to notifying affected customers in writing within 48 hours of becoming aware, including the nature of the breach, likely consequences, mitigations taken, and a point of contact for further information. A post-incident review is conducted for every P0/P1 incident; material remediation lands in the changelog or as an in-app notice as appropriate.

Regulatory framework

RentersActReady operates under UK law. The processing of personal data is governed by the UK General Data Protection Regulation (as retained and amended), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003. Crocker Digital Ltd is registered with the Information Commissioner's Office under registration ZC128626. Sub-processor international transfers are protected by the UK International Data Transfer Agreement (ICO, 2 February 2022) or the UK Addendum to the EU Standard Contractual Clauses.

What we do not promise

  • We do not guarantee that the service is free from all security vulnerabilities. Security measures are proportionate to the nature of the data we process — readiness assessments, rental-property metadata, and compliance documents for letting-agent and landlord portfolios — not classified material.
  • We do not hold an ISO 27001 certification ourselves; we rely on the certifications held by our sub-processors (Supabase, Stripe, Netlify) for the underlying infrastructure.
  • We do not currently offer a customer-driven on-site audit as a standard feature; the DPA describes the process if a contracted customer needs to invoke clause 10.

Contact

Crocker Digital Ltd, Company No. 17008789. Registered office: 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ. ICO registration ZC128626.