DwellPort sits across three sensitive surfaces — tenant PII, financial trust accounts, and physical access control. The bar is the union of all three.

Transport & storage

• TLS 1.3 by default for all API and webhook traffic. HSTS preload, no insecure ciphers.
• At-rest encryption on Postgres for tenant PII, financial records, and ALPR plate logs.
• Tokenized payment data via our processor — we never store raw bank or card numbers.
• Plate-image retention defaults to 60 days, configurable per property, capped per state law.

Identity & access

• SSO via SAML and OIDC. SCIM provisioning on Community and above.
• RBAC: owner, property manager, leasing agent, accountant, maintenance dispatcher, gate guard, board member, resident, owner-investor, vendor.
• Per-property scoping — vendors and guards see only what they need.
• Two-factor authentication required for admin roles and any role with payment-initiation permissions.

ALPR / privacy compliance

• Plates only — no facial recognition. BIPA-clear in Illinois; not regulated as biometric data in most states.
• Per-state retention windows (CA, NH, ME, VT have explicit caps) enforced automatically.
• Resident notice template included for leases (required in some jurisdictions).
• Per-resident "do not log" opt-out where required.
• Data subject access requests (DSAR) supported via the privacy team.

Trust accounting compliance

• Segregated trust / escrow accounts (state broker rules respected).
• Daily three-way reconciliation (book / bank / trust).
• SOC 1 Type II controls for financial systems on the roadmap.
• State-specific deposit-handling rules enforced (timing, interest, return).

Auditability

• Every administrative action recorded with actor, timestamp, before/after diff.
• Every gate event logged with plate, confidence score, host resident (if any), and any guard action.
• Hash-chained audit log on Enterprise — tamper-evident, exportable.

Build & supply chain

• Reproducible builds. SBOM published per release.
• Container images signed with Cosign.
• Pinned dependencies, automated CVE scans.
• SOC 2 Type II audit in progress, target 2026 H2.

Hosting

• DwellPort Cloud: US (Virginia + Oregon) regions on tier-1 providers.
• On-premise recognizer available for customers who want plate inference inside their own network.

Responsible disclosure

Found a security issue? Email security@dwellport.com. We respond within one business day, triage within three, and credit researchers in the changelog (with permission).

Our security.txt has the latest contacts and PGP key.