Security & Trust

Your tenant data is
safe with Abode

We handle sensitive personal data — Aadhaar numbers, addresses, financial records. Security is not a feature we added later. It's built into every architectural decision.

Row-Level SecurityAES-256 EncryptionHSTS + CSP HeadersSOC 2 Infrastructure

Data Isolation (Row-Level Security)

Every organization's data is completely isolated using PostgreSQL Row-Level Security (RLS). When your account queries the database, Supabase automatically filters results so you can only ever see records belonging to your organization. Even if a bug exists in our application code, the database itself enforces that no data can leak between accounts.

  • RLS enabled on every table: organizations, tenants, rooms, rent records, documents, expenses, and more
  • get_my_org_id() helper function resolves org scope from the authenticated session
  • Service-role client (admin) used only on the server, never exposed to the browser
  • Super admin role subject to same RLS rules — bypasses only via explicit policy conditions

Aadhaar & Sensitive Data

Aadhaar numbers are among the most sensitive pieces of personal data in India. Abode follows a strict minimal-exposure approach: only the last 4 digits of Aadhaar are displayed in the UI. The full number, when stored, is encrypted at rest using AES-256 encryption before being written to the database.

  • Last 4 digits only shown in all UI views — full number never rendered in the browser
  • Full Aadhaar (when collected) encrypted with AES-256 before database insert
  • Encrypted column never included in API responses
  • Document uploads (Aadhaar photos) stored in private, org-scoped storage buckets

Authentication & Sessions

Abode uses Supabase Auth, built on top of Postgres and GoTrue. Sessions are managed via httpOnly cookies — your access token is never accessible to JavaScript, preventing XSS-based token theft. Passwords are hashed with bcrypt before storage.

  • httpOnly session cookies — token inaccessible to client-side JavaScript
  • Passwords hashed with bcrypt (never stored in plain text)
  • Email verification on registration
  • Password reset via secure time-limited email token
  • Session expiration and automatic refresh handling

API Security & Rate Limiting

Every API route in Abode verifies the authenticated session before processing any request. All write operations validate input using strict Zod schemas — invalid data types, out-of-range values, and malformed inputs are rejected before touching the database.

  • Auth verification on every API route — 401 on any unauthenticated request
  • Zod schema validation on all write operations — prevents injection of malformed data
  • Rate limiting on auth endpoints (5 attempts per minute per IP)
  • Org ownership checked before every cross-org operation
  • Input length limits on all text fields

Transport & HTTP Security

All communication between your browser and Abode servers is encrypted via HTTPS/TLS 1.3. We enforce strict security headers on every response to prevent common web attacks including clickjacking, MIME sniffing, and cross-site scripting.

  • HTTPS-only with HTTP Strict Transport Security (HSTS, 2-year max-age)
  • Content Security Policy (CSP) restricts script, style, and frame sources
  • X-Frame-Options: SAMEORIGIN — prevents clickjacking
  • X-Content-Type-Options: nosniff — prevents MIME type confusion
  • Referrer-Policy: strict-origin-when-cross-origin
  • Permissions-Policy disables camera, microphone, and geolocation APIs

Audit Logging

Every significant action in Abode is logged to an immutable audit trail. Tenant creation, rent payments, document uploads, plan changes — all recorded with actor, timestamp, IP address, and entity reference. Audit logs are retained and queryable by super admins.

  • All write operations emit an audit event: tenant.created, rent.marked_paid, expense.created, etc.
  • Actor ID, IP address, user agent, and timestamp stored per event
  • Audit table has insert-only RLS — events cannot be updated or deleted by users
  • Super admin dashboard shows platform-wide audit stream

Infrastructure

Abode is hosted on enterprise-grade cloud infrastructure via Supabase and Vercel. Both providers maintain SOC 2 Type II compliance and operate globally redundant data centers. Your data is backed up daily with point-in-time recovery capability.

  • Supabase: SOC 2 Type II certified, data hosted in Mumbai region (ap-south-1) when available
  • Vercel edge network: DDoS protection and global CDN
  • Daily automated database backups with point-in-time recovery
  • Zero-downtime deployments — no maintenance windows
  • 99.9%+ uptime SLA on Supabase Pro infrastructure

File Storage Security

Tenant documents — Aadhaar cards, agreements, photos — are stored in private Supabase Storage buckets. Paths are structured as {org_id}/{tenant_id}/{filename}, and RLS policies verify that only authenticated users belonging to the correct organization can read, upload, or delete files.

  • Private bucket — no public URLs, no direct web access
  • Org-scoped path structure enforced at upload
  • Storage RLS verifies org_id in file path matches authenticated user's org
  • Signed URLs generated server-side with short expiration for document preview
  • File type and size validation before upload

Responsible Disclosure

If you discover a security vulnerability in Abode, we ask that you disclose it responsibly. Please do not exploit or publicize any vulnerability before we have had a chance to address it.

Report security issues to: security@abode.in — we aim to acknowledge all reports within 48 hours.

Questions about our security practices?

We're happy to share more details for enterprise due diligence reviews.

Contact our security team Start free trial