Security & Trust

Propvora is operated by Blackwellen Ltd, a company registered in England and Wales (Company No. 16482166), with its registered office at 61 Bridge Street, Kington, England, HR5 3DJ, and registered with the Information Commissioner’s Office under registration number ZC160806. We are committed to protecting the confidentiality, integrity, and availability of the data entrusted to us.

As a data processor for our business customers, we are required under Article 32 of the UK General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018 to implement “appropriate technical and organisational measures” to ensure a level of security appropriate to the risk. The measures described in this statement are designed to meet that standard, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of the processing, as well as the risk to the rights and freedoms of the individuals whose data we handle.

This statement covers the production Propvora platform — the web application, supporting application programming interfaces, databases, file storage, and the third-party infrastructure providers we rely upon to deliver the Service. It applies to all workspaces and to the personal data of tenants, landlords, suppliers, and professional contacts that customers choose to store within their workspace.

Propvora is built on reputable, independently certified cloud infrastructure providers. We do not operate our own physical data centres; instead, we rely on established providers whose facilities maintain recognised industry certifications (such as ISO 27001 and SOC 2) and robust physical, environmental, and network security controls.

• Database, authentication, and primary storage: Hosted by Supabase on Amazon Web Services infrastructure located in the EU (Frankfurt, Germany), providing EU data residency for the core application database.
• Object and file storage: Documents, images, and uploaded evidence are stored using Cloudflare R2 object storage, configured for EU data residency where supported.
• Application compute and delivery: The Propvora web application and serverless functions run on Vercel’s platform, with content delivery and edge security provided by Cloudflare.

A complete and current list of the third-party providers that process personal data on our behalf, together with their purpose, location, and applicable data transfer mechanism, is maintained on our Subprocessors page.

We protect data both while it travels across networks and while it is stored at rest:

• Encryption in transit: All connections to the Propvora platform are secured using Transport Layer Security (TLS) version 1.2 or higher. Plain-text connections are not accepted, and traffic between our application and our infrastructure providers is likewise encrypted.
• Encryption at rest: Personal data held in our databases and object storage is encrypted at rest using the Advanced Encryption Standard with 256-bit keys (AES-256), managed by our infrastructure providers.

Encryption keys are managed by our infrastructure providers under their own certified key-management practices and are not exposed to application code or to end users.

Access to systems and data is governed by the principle of least privilege — people and processes are granted only the access strictly necessary to perform their function, and no more.

• Role-based access control: Within each customer workspace, permissions are assigned by role, so that individual team members can only see and act on the data appropriate to their role.
• Workspace isolation: The platform enforces complete logical isolation between customer workspaces using PostgreSQL row-level security. Every query against tenant data is constrained at the database layer to the requesting user’s authorised workspace, so that no customer can access another customer’s data, even through direct application programming interface calls.
• Administrative access: Internal administrative access to production systems is restricted to a small number of authorised personnel, granted on a need-to-know basis, and is subject to confidentiality obligations.
• Multi-factor authentication: Multi-factor authentication is available to all account holders and is strongly recommended for accounts with administrative or financial permissions.

Security is built into the design of the Propvora application rather than added as an afterthought. Our application-level controls include:

• Input validation: User-supplied data is validated on both the client and the server before it is processed or stored.
• Output sanitisation: Content rendered in the interface is sanitised to defend against cross-site scripting (XSS) and related injection attacks.
• Mutation safety: State-changing operations are protected against cross-site request forgery (CSRF) and require an authenticated, authorised session.
• Authentication: User authentication is handled through Supabase Auth, providing secure session management, password hashing, and support for multi-factor authentication.
• Secret management: Application secrets, service-role credentials, and provider keys are held server-side only and are never exposed in client-side code or browser bundles.
• Content-Security-Policy: A Content-Security-Policy is applied to constrain the sources from which scripts, styles, and other resources may load, reducing the impact of any injection vulnerability.

The Propvora AI Copilot is designed so that artificial intelligence features enhance the Service without compromising data protection. Our AI processing is governed by the following safeguards:

• GDPR-compliant providers only: AI requests are routed exclusively to providers that offer EU or UK-appropriate data handling. This includes Azure OpenAI (EU) deployments and, where applicable, Anthropic and Google under UK Standard Contractual Clauses. We do not route customer data to providers that cannot offer adequate data protection safeguards.
• No third-party model training: Customer and tenant data submitted to AI providers in the course of providing the Service is not used to train those providers’ models. Our provider arrangements expressly exclude such use.
• Human review before action: AI-generated suggestions and drafts are presented for human review and explicit confirmation before any action with external effect is taken. The Copilot does not autonomously execute changes on a customer’s behalf without that confirmation.
• Scoped grounding: AI features operate only on data the requesting user is already permitted to access, within the boundaries enforced by row-level security; they cannot be used to reach data outside the user’s authorised workspace.

We maintain visibility over the operation and security of the platform so that we can detect, investigate, and respond to issues promptly:

• Audit logging: Access to and modification of workspace data is recorded in audit logs, providing an account of who did what and when within a workspace.
• Error monitoring: Application errors are captured through Sentry error monitoring, configured to operate within the EU region, enabling us to identify and resolve faults that could affect availability or integrity.
• Rate limiting and abuse protection: Sensitive and public-facing endpoints are protected by rate limiting and abuse-detection controls to mitigate automated attacks, credential stuffing, and denial-of-service attempts.

To protect against data loss and to support recovery from disruption, we maintain the following resilience measures:

• Automated backups: The production database is backed up automatically on a daily basis.
• Retention: Backups are retained for a rolling period of 30 days, allowing recovery to a recent point in time.
• Disaster recovery: We maintain disaster recovery procedures designed to restore service and data following a significant infrastructure failure, drawing on the redundancy and high-availability features of our underlying providers.

We take a proactive approach to identifying and remediating security weaknesses, including keeping software dependencies up to date, applying security patches in a timely manner, and conducting security reviews of new and changed functionality.

We welcome reports from the security research community. If you believe you have discovered a security vulnerability in Propvora, please report it to us at security@propvora.com with sufficient detail for us to reproduce and assess the issue. We ask that you give us a reasonable opportunity to investigate and remediate before any public disclosure, and that you avoid accessing, modifying, or deleting data that does not belong to you, and avoid any action that could degrade the Service for other users.

Safe harbour: We will not pursue or support legal action against security researchers who, acting in good faith, identify and report vulnerabilities to us in accordance with this coordinated disclosure approach and who do not exploit a vulnerability beyond the minimum necessary to demonstrate it.

We maintain a documented incident response procedure to govern our handling of suspected and confirmed personal data breaches. In the event of an incident affecting personal data, we will:

• Assess: Promptly assess the nature, scope, and likely consequences of the incident, including the categories and approximate number of data subjects and records affected.
• Contain: Take immediate steps to contain the incident, mitigate its effects, and prevent recurrence.
• Notify customers: Notify affected business customers (acting as data controllers) without undue delay and, where feasible, within 72 hours of becoming aware of the breach, providing the information they need to meet their own obligations.
• Support regulatory reporting: Assist and cooperate with our customers in any notification they are required to make to the Information Commissioner’s Office (ICO) and to affected individuals, while ensuring we meet our own responsibilities under the UK GDPR.

As a processor, we notify the controller; the controller remains responsible for determining whether and how to notify the ICO and affected data subjects, save where Propvora is acting as a controller in its own right.

We engage a limited number of trusted third-party providers (sub-processors) to help us deliver the Service. The current list of sub-processors, with their purpose, location, and applicable safeguards, is published on our Subprocessors page. The contractual terms governing our processing of customer data, including our processor obligations, are set out in our Data Processing Agreement.

Where personal data is transferred to a country outside the United Kingdom or the European Economic Area, we rely on lawful transfer mechanisms — including the UK Standard Contractual Clauses (SCCs) and the International Data Transfer Agreement (IDTA) approved by the ICO — together with any additional safeguards required to ensure that the transferred data continues to enjoy an essentially equivalent level of protection.

Security is a shared responsibility. While we protect the platform and the infrastructure beneath it, the security of your workspace also depends on the practices of your team. We ask that you:

• Choose strong, unique passwords and never reuse them across services.
• Enable multi-factor authentication on all accounts, and require it for users with administrative or financial permissions.
• Carefully manage team access — grant the minimum role necessary, review membership regularly, and promptly remove access for people who leave your organisation.
• Keep your devices, browsers, and operating systems up to date and protected.
• Report any suspicious activity, suspected account compromise, or potential security concern to us promptly using the contacts below.

To report a security concern, suspected vulnerability, or potential abuse, please contact our security team at security@propvora.com. For general support, you can reach us at support@propvora.com. For legal enquiries, please write to legal@propvora.com.