Security & Vulnerability Disclosure
Effective: May 28, 2026 · Last updated: May 28, 2026
Security is foundational to a property management platform. This page summarizes how we protect data and how to report a vulnerability.
1. How we protect data
We employ the following technical and organizational measures:
- Transport encryption. All traffic to and from the Service is encrypted with TLS 1.2 or higher.
- Password storage. Passwords are stored only as bcrypt hashes with a work factor of 12. Plaintext passwords are never logged or stored.
- Tenant isolation. Every record in the system is scoped to its owning organization. Access to cross-tenant data is prevented at the application layer with explicit ownership checks on every mutate endpoint.
- Immutable audit log. Significant actions (create, update, delete on sensitive resources) are recorded in an append-only audit log retained for at least 7 years.
- Authentication hardening. Rate limiting on sign-in, password reset, and verification code endpoints. Verification codes expire after 15 minutes and are single-use.
- CSRF protection on authentication, password reset, payment, and administrative routes.
- Access controls. Production database access is restricted on a need-to-know basis.
- Secrets management. Credentials and API keys are stored in environment files outside the web root; web servers are configured to refuse direct access.
- Backups. Database backups are rotated regularly and stored encrypted.
- Sub-processor due diligence. Sub-processors (Stripe, Gmail, etc.) are selected based on their published security postures and applicable contractual data-processing terms.
2. Reporting a vulnerability
If you believe you have found a security vulnerability in the Service, please report it to us so we can investigate and fix it. We welcome reports from researchers, customers, and members of the public.
2.1 How to report
- Email security@koda.properties.
- Include a clear description of the issue, steps to reproduce, and the potential impact.
- If proof-of-concept code or screenshots help, please attach them.
- If the issue exposes data, please describe what data is exposed but do not attach the data itself.
2.2 What to expect from us
- We will acknowledge your report within 3 business days.
- We will keep you updated as we investigate and resolve the issue.
- If the report is valid, we will credit you (with your permission) once a fix is deployed.
- We don't currently operate a paid bounty program, but we genuinely appreciate responsible disclosure.
2.3 Safe harbor — what we ask in return
If you act in good faith to find and report vulnerabilities, we will not pursue legal action against you for:
- Testing limited to your own accounts and data.
- Using non-destructive techniques to discover and validate issues.
- Avoiding access to data belonging to other customers.
- Stopping testing as soon as you have evidence of an issue and reporting it to us.
Please do not:
- Access, modify, or delete data belonging to other customers.
- Perform denial-of-service or volume-based attacks.
- Phish, social-engineer, or physically attack our team or facilities.
- Publicly disclose the vulnerability before we have had a reasonable opportunity to fix it (typically 90 days, or sooner if we agree).
3. Out of scope
The following are generally not considered vulnerabilities by themselves:
- Missing security headers that do not lead to a demonstrable exploit.
- Self-XSS, clickjacking on pages without sensitive actions, missing rate limits on non-auth endpoints.
- Issues that require physical access to a user's device.
- Public information disclosure that is not personal data.
- Reports from automated scanners without proof of exploitability.
4. Incident notification
If a security incident affects your account or data, we will notify you and the relevant regulator in accordance with applicable law and our Data Processing Addendum. Notification will describe what happened, what data was affected, what we are doing, and what (if anything) you should do.
Specific timelines we follow:
| Jurisdiction | Trigger | Notification target |
|---|---|---|
| Canada — PIPEDA | "Real risk of significant harm" to an individual | Privacy Commissioner of Canada and affected individuals "as soon as feasible"; record kept for 24 months |
| Canada — Quebec Law 25 | Confidentiality incident likely to cause serious injury | Commission d'accès à l'information and affected individuals "with diligence"; register of incidents maintained |
| Jamaica DPA 2020 | Personal Data Breach likely to result in risk to data subject rights | Office of the Information Commissioner without undue delay, and where feasible within 72 hours; affected data subjects without undue delay |
| EU/UK GDPR | Personal Data Breach | Supervisory authority within 72 hours; data subjects where high risk |
5. Contact
Security: security@koda.properties
PGP key: [Publish a PGP key fingerprint here if you want to receive encrypted reports.]