Security & Vulnerability Disclosure

Effective: May 28, 2026 · Last updated: May 28, 2026

Pre-launch template. Don't commit to specific bounty amounts, certifications (SOC 2, ISO 27001), or response SLAs unless you can deliver them. Drop fields you don't yet support.

Security is foundational to a property management platform. This page summarizes how we protect data and how to report a vulnerability.

1. How we protect data

We employ the following technical and organizational measures:

2. Reporting a vulnerability

If you believe you have found a security vulnerability in the Service, please report it to us so we can investigate and fix it. We welcome reports from researchers, customers, and members of the public.

2.1 How to report

2.2 What to expect from us

2.3 Safe harbor — what we ask in return

If you act in good faith to find and report vulnerabilities, we will not pursue legal action against you for:

Please do not:

3. Out of scope

The following are generally not considered vulnerabilities by themselves:

4. Incident notification

If a security incident affects your account or data, we will notify you and the relevant regulator in accordance with applicable law and our Data Processing Addendum. Notification will describe what happened, what data was affected, what we are doing, and what (if anything) you should do.

Specific timelines we follow:

JurisdictionTriggerNotification target
Canada — PIPEDA"Real risk of significant harm" to an individualPrivacy Commissioner of Canada and affected individuals "as soon as feasible"; record kept for 24 months
Canada — Quebec Law 25Confidentiality incident likely to cause serious injuryCommission d'accès à l'information and affected individuals "with diligence"; register of incidents maintained
Jamaica DPA 2020Personal Data Breach likely to result in risk to data subject rightsOffice of the Information Commissioner without undue delay, and where feasible within 72 hours; affected data subjects without undue delay
EU/UK GDPRPersonal Data BreachSupervisory authority within 72 hours; data subjects where high risk

5. Contact

Security: security@koda.properties
PGP key: [Publish a PGP key fingerprint here if you want to receive encrypted reports.]