Security & Data Protection

Last updated: February 2026

1. Preamble and Scope

RGCO Services Inc., doing business as DoorBrief (“Company,” “we,” “us,” or “our”), has established the following Security and Data Protection Policy (“Policy”) to set forth the organizational, technical, and procedural safeguards implemented in connection with the DoorBrief platform, website, application programming interfaces, and all related services (collectively, the “Service”). This Policy is designed to govern the collection, processing, storage, transmission, and disposal of all data submitted to, generated by, or otherwise associated with the Service, including without limitation personally identifiable information (“PII”), financial records, owner packet data, property management correspondence, and any derivative analytics produced therefrom.

This Policy shall be read in conjunction with, and is supplementary to, the DoorBrief Terms of Service and Privacy Policy. In the event of any conflict between this Policy and the aforementioned documents with respect to data security obligations, the more protective provision shall control. The Company reserves the right to amend this Policy at any time, with the most current version always available at this URL.

2. Foundational Commitment to Confidentiality

The Company maintains a strict, unequivocal commitment to the confidentiality and non-disclosure of all user data. Under no circumstances does the Company sell, rent, lease, license, sublicense, barter, or otherwise transfer, disclose, or make available any user data—whether in whole or in part, whether in raw or aggregated form—to any third party for such third party’s own commercial, marketing, advertising, analytics, or any other purposes whatsoever.

This prohibition extends to, without limitation: data brokers, advertising networks, analytics providers (except as expressly set forth herein for purposes of service functionality), marketing platforms, affiliated or unaffiliated corporate entities, governmental bodies (except where compelled by valid legal process as described in Section 11), insurance companies, credit bureaus, landlord screening services, tenant screening services, and any other natural person, legal entity, or organization not expressly authorized under this Policy.

Your data exists within the Service for one purpose and one purpose only: to provide you with the analytical and communication services you have contracted for. The Company derives no secondary revenue, benefit, or commercial advantage from your data beyond the delivery of the Service itself.

3. Artificial Intelligence Processing and Identity Protection

The Service utilizes third-party artificial intelligence (“AI”) large language models to generate narrative summaries of financial data contained within uploaded owner packets. The Company has implemented a rigorous, multi-layered anonymization and data-minimization protocol to ensure that the identity of our users, their property owners, tenants, and any other natural persons referenced in uploaded documents is protected throughout the AI processing pipeline.

3.1 Pre-Processing Data Isolation and Anonymization

Prior to transmitting any data to a third-party AI provider for narrative generation, the Company’s server-side processing engine performs the following operations:

  • Financial Computation Segregation: All financial calculations, including but not limited to rent collection totals, disbursement summaries, cash flow reconciliations, month-over-month variance computations, and per-property financial breakdowns, are performed entirely on the Company’s own servers using deterministic algorithms. These verified numerical results are computed independently of the AI model and are not subject to AI inference, hallucination, or estimation. The AI model receives pre-computed, verified figures only.
  • Identity Stripping: All personally identifiable information, including but not limited to property owner names, management company names, tenant names, account numbers, social security numbers, tax identification numbers, email addresses, phone numbers, and physical addresses of natural persons, is stripped, redacted, or replaced with anonymous identifiers prior to any data being transmitted to the AI provider.
  • Contextual Abstraction: Information transmitted to the AI provider is limited to anonymized financial figures, property-type descriptors, and generalized transactional categories. The AI provider receives no information sufficient to identify the geographic location, ownership structure, or management affiliation of any property or portfolio.

3.2 AI Provider Data Handling Obligations

The Company contractually requires that all third-party AI providers engaged in connection with the Service: (a) process data solely in accordance with the Company’s instructions and for the exclusive purpose of generating text responses to the Company’s API requests; (b) do not retain, store, cache, log, or otherwise preserve any input data or output data beyond the duration of the individual API request-response cycle; (c) do not use any data received from the Company for the purpose of training, fine-tuning, reinforcing, or otherwise improving their AI models; and (d) maintain commercially reasonable administrative, technical, and physical safeguards consistent with industry standards for the protection of confidential information.

3.3 No AI Training on Your Data

To be unambiguous: your data is never used to train any artificial intelligence model. The AI providers we engage are bound by contractual provisions that expressly prohibit the use of data transmitted via our API for model training, improvement, or any purpose other than generating the specific response requested by the Company on your behalf. We utilize enterprise-grade API agreements that include explicit data processing addenda to this effect.

4. Encryption and Transport Security

All data transmitted between your browser or client application and the Company’s servers is encrypted in transit using Transport Layer Security (TLS) 1.2 or higher, with cipher suites conforming to current industry best practices as recommended by the National Institute of Standards and Technology (NIST). The Company enforces HTTP Strict Transport Security (HSTS) headers with a maximum age of no less than one year, including coverage of all subdomains, to prevent protocol downgrade attacks and cookie hijacking.

All user data stored at rest, including uploaded documents, extracted financial data, generated summaries, and account credentials, is encrypted using AES-256 encryption or equivalent cryptographic standards. Database storage is provided by Supabase, which maintains SOC 2 Type II compliance and encrypts all data at rest and in transit within its infrastructure.

Authentication credentials are never stored in plaintext. Password-based authentication, where applicable, employs bcrypt hashing with a minimum computational cost factor sufficient to resist brute-force attacks. OAuth-based authentication flows are implemented in accordance with the OAuth 2.0 Authorization Framework (RFC 6749) and the Proof Key for Code Exchange (PKCE) extension (RFC 7636).

5. Access Controls and Authorization

The Company implements role-based access control (RBAC) at the database level through PostgreSQL Row Level Security (RLS) policies. These policies enforce the principle of least privilege, ensuring that each authenticated user may only access, modify, or delete records that are directly associated with their own account. No user, regardless of account type or subscription tier, has the ability to access, view, or infer the existence of data belonging to any other user of the Service.

Internal access to production systems, databases, and infrastructure is restricted to authorized personnel on a strict need-to-know basis. All internal access is authenticated, logged, and subject to periodic review. The Company does not grant standing access to production data for development, testing, or demonstration purposes. All non-production environments utilize synthetic or anonymized data sets.

6. Document Storage and Retention

Uploaded owner packets and ancillary documents are stored in encrypted cloud object storage provided by Supabase Storage, with access restricted by authenticated, time-limited, per-user authorization tokens. Documents are segregated by user account at the storage level, and cross-account access is architecturally impossible under normal operating conditions.

Upon account termination or deletion, the Company will retain user data for a period not to exceed thirty (30) calendar days for the purpose of enabling account recovery in the event of accidental deletion. Following the expiration of this retention period, all user data—including uploaded documents, financial extractions, generated summaries, owner records, property records, email correspondence, and account metadata—shall be permanently and irreversibly deleted from all primary and backup storage systems. The Company does not maintain archival copies of deleted user data.

7. Payment Processing and Financial Security

All payment processing is handled exclusively by Stripe, Inc. (“Stripe”), a PCI DSS Level 1 certified payment processor. The Company does not receive, process, store, or have access to your full credit card number, CVV, or other sensitive payment card data at any point during the transaction lifecycle. Payment information is transmitted directly from your browser to Stripe’s PCI-compliant infrastructure via Stripe’s hosted checkout interface.

The Company stores only the minimum payment-related metadata necessary for subscription management, including: Stripe customer identifiers, subscription identifiers, plan type, billing cycle, and current period dates. This metadata does not include any information that could be used to initiate a payment transaction without Stripe’s independent authentication and authorization mechanisms.

8. Email Communications Security

Outbound email communications generated by the Service, including owner packet summaries and system notifications, are transmitted via Resend, a transactional email provider that employs TLS encryption for all outbound mail delivery. The Company authenticates all outbound email using DomainKeys Identified Mail (DKIM), Sender Policy Framework (SPF), and Domain-based Message Authentication, Reporting & Conformance (DMARC) protocols to prevent spoofing, phishing, and unauthorized use of the DoorBrief domain.

Inbound emails forwarded to DoorBrief via the CC/BCC context forwarding feature are processed on the Company’s servers for the sole purpose of extracting contextual information relevant to the user’s property management operations. Inbound email content is not shared with any third party, is not indexed for advertising purposes, and is subject to the same encryption, access control, and retention policies applicable to all other user data.

9. Infrastructure and Hosting Security

The Service is hosted on Vercel’s edge network, which provides automated DDoS mitigation, global content delivery with edge-level caching, and zero-downtime deployments. Vercel maintains SOC 2 Type II certification and operates infrastructure on Amazon Web Services (AWS), which itself maintains comprehensive compliance certifications including SOC 1/2/3, ISO 27001, ISO 27017, ISO 27018, and FedRAMP.

The Company implements the following HTTP security headers on all responses: X-Frame-Options (DENY), X-Content-Type-Options (nosniff), Strict-Transport-Security, Referrer-Policy (strict-origin-when-cross-origin), and Permissions-Policy (restricting camera, microphone, and geolocation access). These measures collectively mitigate common web application vulnerabilities including clickjacking, MIME-type confusion, and unauthorized feature access.

10. Security Incident Response

The Company maintains a documented security incident response plan that provides for the prompt identification, containment, and eradication of, and recovery from, security incidents. In the event of a confirmed data breach that results in the unauthorized access, acquisition, or disclosure of user data, the Company will: (a) notify affected users within seventy-two (72) hours of confirmation of the breach, via the email address associated with their account; (b) provide a description of the nature and scope of the breach, the categories of data affected, and the measures taken or proposed to be taken to address the breach; and (c) cooperate with applicable regulatory authorities as required by law.

Users who become aware of any actual or suspected security vulnerability, unauthorized access, or data breach involving the Service are encouraged to report such incidents immediately to security@doorbrief.com. The Company does not retaliate against good-faith security researchers who report vulnerabilities in accordance with responsible disclosure practices.

11. Disclosure Pursuant to Legal Process

The Company will not voluntarily disclose user data to any governmental authority, law enforcement agency, regulatory body, or other third party. Disclosure of user data will be made only in response to a valid and enforceable subpoena, court order, search warrant, or other legal process issued by a court of competent jurisdiction, and only to the extent required by such process. Where legally permissible, the Company will provide the affected user with advance notice of such disclosure to allow the user the opportunity to seek protective relief.

The Company reserves the right to challenge any legal process that it reasonably believes to be overbroad, unduly burdensome, or legally deficient, and to seek appropriate limitations on the scope of any compelled disclosure.

12. Third-Party Service Providers (Subprocessors)

The Company engages a limited number of third-party service providers (“Subprocessors”) in connection with the operation of the Service. Each Subprocessor is contractually obligated to process data solely in accordance with the Company’s instructions and to maintain security measures consistent with or exceeding those described in this Policy. The current list of Subprocessors is as follows:

  • Supabase, Inc. — Authentication, database hosting, and encrypted file storage. SOC 2 Type II certified.
  • Vercel, Inc. — Application hosting, edge network delivery, and serverless function execution. SOC 2 Type II certified.
  • Stripe, Inc. — Payment processing and subscription billing. PCI DSS Level 1 certified.
  • Resend (Loops, Inc.) — Transactional email delivery. DKIM/SPF/DMARC authenticated.
  • xAI Corp. — AI-powered narrative generation via API. Data processed per request only, not retained, not used for model training. Receives only anonymized, pre-computed financial data as described in Section 3.

No Subprocessor receives data sufficient to independently identify any specific user, property owner, tenant, or property. The Company does not engage advertising networks, data brokers, or marketing analytics platforms as Subprocessors or in any other capacity.

13. Continuous Security Improvement

The Company is committed to the ongoing evaluation and improvement of its security posture. This includes, without limitation: periodic review and update of access control policies, monitoring of Subprocessor compliance certifications, adoption of emerging encryption standards and security best practices, and responsive remediation of identified vulnerabilities. The Company maintains an internal security review cadence and incorporates security considerations into all phases of the software development lifecycle.

14. Contact Information

For questions, concerns, or inquiries regarding this Security and Data Protection Policy, or to report a security vulnerability, please contact:

RGCO Services Inc.

d/b/a DoorBrief

Security Inquiries: security@doorbrief.com

General Inquiries: support@doorbrief.com