Security · Last updated May 1, 2026

Security & Responsible Disclosure

If you've found a security issue in appraisal-OS, thank you for letting us know. This page describes how to report it, what's in scope, and the controls we use to protect customer appraisal data.

1. Reporting a Vulnerability

Email security@appraisal-os.com with reproduction steps and impact. Please don't publicly disclose until we've had a chance to respond. We acknowledge reports within 48 hours and will keep you updated through remediation.

2. Scope

In scope: the appraisal-OS web application at appraisal-os.com, its public API endpoints, and any storefronts under /a/<slug>. Out of scope: third-party services we integrate with (Supabase, Anthropic, ATTOM, etc.) — report those directly to the vendor.

3. Bug Bounty

We do not run a formal bug bounty program at this time. We'll acknowledge and credit researchers (with your permission) for valid reports. As the platform grows we'll revisit this.

4. Data Isolation

Every tenant's data is isolated by account scope enforced at the database layer (PostgreSQL row-level security). Appraisal-OS does not use one customer's data to benefit another customer. We do not train AI models on customer appraisal data.
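As an added illustration of the kind of database-layer tenant scoping described above (not appraisal-OS's own schema or policies), here is a PostgreSQL row-level-security policy that restricts rows to accounts the caller belongs to. The table and column names (appraisals, account_id, account_members, user_id) are hypothetical; auth.uid() and the authenticated role are Supabase's standard helper and role for reading the user id from the verified session JWT.

```sql
-- Hypothetical tables: appraisals.account_id is the tenant key and
-- account_members maps authenticated users to the accounts they may access.
ALTER TABLE appraisals ENABLE ROW LEVEL SECURITY;

-- Apply the policy to the table owner as well, so an application role that
-- happens to own the table cannot bypass tenant scoping by accident.
ALTER TABLE appraisals FORCE ROW LEVEL SECURITY;

-- One predicate for reads (USING) and writes (WITH CHECK): a caller can only
-- see rows in their own accounts, and cannot insert or re-point a row into
-- another tenant's account. auth.uid() is Supabase's helper that returns the
-- user id from the verified JWT; no per-tenant logic lives in application code.
CREATE POLICY appraisals_tenant_scope ON appraisals
  FOR ALL
  TO authenticated
  USING (
    account_id IN (SELECT account_id FROM account_members
                   WHERE user_id = auth.uid())
  )
  WITH CHECK (
    account_id IN (SELECT account_id FROM account_members
                   WHERE user_id = auth.uid())
  );

-- Verification: both flags must be true and the policy must be listed,
-- otherwise the table is readable across tenants through any API path.
SELECT relrowsecurity, relforcerowsecurity
  FROM pg_class WHERE relname = 'appraisals';
SELECT policyname, cmd, qual, with_check
  FROM pg_policies WHERE tablename = 'appraisals';
```

Because the predicate is evaluated by the database on every statement, it also covers queries the application did not anticipate; the membership table itself needs its own policy, or the subquery becomes a way to enumerate account ids.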

5. Encryption

All data in transit is protected by TLS 1.2+. Data at rest is encrypted using Supabase's managed Postgres with disk-level encryption. API keys and secrets are stored in Vercel's encrypted environment variable store — never checked into source control.

6. Authentication & Access

Authentication uses Supabase Auth (JWT-based sessions). Owner and administrative privileges are scoped by role, not by hardcoded identity. Production credentials rotate when personnel changes occur.

7. USPAP & Appraiser Confidentiality

appraisal-OS is designed for use by licensed appraisers under USPAP. Confidential information and assignment results are accessible only to the authoring appraiser, their designated reviewers/supervisors, and the client for whom the assignment was commissioned. We treat borrower-identifying data with the same handling rules an appraiser would apply to a workfile.

8. Compliance Status

A SOC 2 Type I audit is in planning; we are not yet certified. We'll publish the attestation when available. In the meantime, specific security controls, incident history, and vendor questionnaires are available to enterprise customers under NDA — contact security@appraisal-os.com.

9. security.txt

We publish a machine-readable security contact file at /.well-known/security.txt.