Security & Data Protection
How we protect your data and respond to incidents
Security Measures
- Encryption in Transit: TLS/HTTPS enforced on all connections
- Password Hashing: passwords hashed with bcrypt — never stored in plain text
- Database Encryption at Rest: Neon managed PostgreSQL with encryption at rest
- JWT Authentication: JWT-based authentication with HTTP-only cookies
- Role-Based Access Controls: granular permissions based on user roles
- CSRF Protection: CSRF protection on all sensitive operations
- Rate Limiting: rate limiting on authentication endpoints
- Audit Logging: comprehensive audit logging of all data access
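As an added example (not ListingGPT Pro's code), the login handler below applies the measures in the list above: salted, iterated password hashing with a constant-time comparison, a sliding-window rate limit on the authentication endpoint, and an HS256 JWT delivered in an HttpOnly, Secure, SameSite=Strict cookie. It uses hashlib.pbkdf2_hmac from the standard library as a stand-in for bcrypt so it runs without third-party packages; the user record, client addresses and signing key are constructed sample values.

```python
"""Added example (not ListingGPT Pro's code): a minimal login handler applying the
listed measures. hashlib.pbkdf2_hmac stands in for bcrypt (assumption) so the
example needs no third-party package; the structure is the same."""
import base64
import hashlib
import hmac
import json
import os
import secrets
import time
from collections import deque
from typing import Optional

PBKDF2_ITERATIONS = 200_000  # work factor; raise for production (bcrypt uses a cost parameter instead)

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, iterated hash. Only this string is stored, never the password itself."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    _algo, iters, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))  # constant-time compare

class LoginRateLimiter:
    """Sliding window: at most max_attempts per key (client IP here) per window."""
    def __init__(self, max_attempts: int = 5, window_seconds: int = 900, clock=time.monotonic):
        self.max_attempts, self.window, self.clock = max_attempts, window_seconds, clock
        self._attempts: dict = {}

    def allow(self, key: str) -> bool:
        now = self.clock()
        q = self._attempts.setdefault(key, deque())
        while q and now - q[0] >= self.window:
            q.popleft()  # drop attempts that have aged out of the window
        if len(q) >= self.max_attempts:
            return False
        q.append(now)
        return True

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def issue_jwt(claims: dict, key: bytes) -> str:
    """Compact HS256 JWT: header.payload.signature, base64url without padding."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_jwt(token: str, key: bytes) -> Optional[dict]:
    """Always recomputes the HMAC, so a tampered 'alg' header cannot skip the check."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected).encode(), sig.encode()):
        return None
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    return claims if claims.get("exp", 0) > time.time() else None

def session_cookie(token: str, max_age: int = 3600) -> str:
    # HttpOnly: page scripts cannot read the JWT. Secure: sent only over TLS.
    # SameSite=Strict: not attached to cross-site requests, which blunts CSRF.
    return f"session={token}; Max-Age={max_age}; Path=/; HttpOnly; Secure; SameSite=Strict"

# Constructed sample data: one user, a dummy hash, and a per-process signing key.
USERS = {"agent@example.com": hash_password("correct horse battery staple")}
DUMMY_HASH = hash_password(secrets.token_hex(16))  # checked against for unknown users
JWT_KEY = secrets.token_bytes(32)
limiter = LoginRateLimiter()

def login(email: str, password: str, client_ip: str):
    """Return (HTTP status, headers): 429 over the limit, 401 bad credentials, 200 with cookie."""
    if not limiter.allow(client_ip):
        return 429, {"Retry-After": str(limiter.window)}
    stored = USERS.get(email)
    # Unknown users still cost one hash, so response time does not reveal whether an account exists.
    if not (verify_password(password, stored or DUMMY_HASH) and stored is not None):
        return 401, {}  # same response for unknown user and wrong password
    token = issue_jwt({"sub": email, "exp": int(time.time()) + 3600}, JWT_KEY)
    return 200, {"Set-Cookie": session_cookie(token)}
```

The limiter is keyed by client address here; a deployment would typically also key by account so a single target cannot be hammered from many addresses, and would back the window with shared storage rather than process memory.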
Data Breach Response Plan
Phase 1: Detection & Assessment (0–4 hours)
- Automated monitoring systems alert on suspicious activity
- Security team assesses scope and severity
- Classification levels:
Phase 2: Containment (4–12 hours)
- Isolate affected systems
- Revoke compromised credentials
- Rotate API keys (OpenAI, Stripe, Perplexity, ElevenLabs)
- Preserve evidence for investigation
- Engage incident response team
Phase 3: Notification (Within 72 hours — GDPR requirement)
- Notify supervisory authorities (for EU users)
- Notify affected users via email with:
  - What happened
  - What data was affected
  - What we're doing about it
  - What users should do (change passwords, monitor accounts)
  - Contact information for questions
- Notify Stripe if payment data is involved
- Public disclosure if required by scale
Phase 4: Remediation (1–30 days)
- Fix the vulnerability that was exploited
- Force password resets for affected accounts
- Enhanced monitoring of affected systems
- Third-party security audit
- Update security measures
Phase 5: Post-Incident Review (30–90 days)
- Root cause analysis report
- Update incident response procedures
- Additional security training
- Review and update all vendor DPAs
- Communicate improvements to users
Contact for Security Issues
Email: security@listinggptpro.com
Response time: Within 24 hours for all reports
Policy: Responsible disclosure policy
Data Retention Schedule
| Data Type | Retention Period | Legal Basis |
|---|---|---|
| Account profile data | Duration of account + 90 days | Contract performance |
| Property listings | Duration of account | Contract performance |
| AI-generated content | Duration of account | Contract performance |
| Payment/transaction records | 7 years | Tax/legal obligation |
| Security & audit logs | 3 years | Legitimate interest |
| Password reset tokens | 24 hours | Security |
| Rate limiting records | 30 days | Security |
| Cookie consent records | 2 years | Legal compliance |
| Support tickets | 3 years | Legitimate interest |
| Deleted account data | 14-day grace, then permanent deletion | GDPR compliance |
| Email unsubscribe records | Permanent | CAN-SPAM compliance |
Automated Data Cleanup
- Expired password reset tokens: cleaned daily
- Rate limiting records older than 30 days: cleaned weekly
- Accounts pending deletion past grace period: processed daily
- Inactive unverified accounts: cleaned after 30 days
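As an added example (not ListingGPT Pro's code), the retention job below applies the four cleanup rules above, plus the 24-hour token and 14-day grace periods from the retention schedule, to an in-memory SQLite database. The table and column names are assumptions, timestamps are stored as Unix epoch seconds, and the rows are constructed so that each table holds records both inside and outside its retention window.

```python
"""Added example (not ListingGPT Pro's code): a scheduled retention job.
Schema, table and column names are assumptions; data is constructed."""
import sqlite3
from datetime import datetime, timedelta, timezone

# Thresholds taken from the retention schedule and cleanup list above.
RESET_TOKEN_TTL = timedelta(hours=24)
RATE_LIMIT_RETENTION = timedelta(days=30)
DELETION_GRACE = timedelta(days=14)
UNVERIFIED_ACCOUNT_TTL = timedelta(days=30)

SCHEMA = """
CREATE TABLE password_reset_tokens (token TEXT PRIMARY KEY, account_id INTEGER, created_at INTEGER);
CREATE TABLE rate_limit_records (id INTEGER PRIMARY KEY, client_ip TEXT, created_at INTEGER);
CREATE TABLE accounts (id INTEGER PRIMARY KEY, email TEXT, email_verified INTEGER,
                       created_at INTEGER, deletion_requested_at INTEGER);
"""

def _epoch(dt: datetime) -> int:
    return int(dt.timestamp())

def run_cleanup(conn: sqlite3.Connection, now: datetime) -> dict:
    """Delete records past their retention period and report rows removed per rule.
    Each rule is a single bounded DELETE, so the job is idempotent and safe to rerun."""
    cur = conn.cursor()
    removed = {}
    cur.execute("DELETE FROM password_reset_tokens WHERE created_at < ?",
                (_epoch(now - RESET_TOKEN_TTL),))
    removed["expired_reset_tokens"] = cur.rowcount
    cur.execute("DELETE FROM rate_limit_records WHERE created_at < ?",
                (_epoch(now - RATE_LIMIT_RETENTION),))
    removed["old_rate_limit_records"] = cur.rowcount
    # Past the grace period: permanent deletion (a real schema would cascade to the
    # account's listings, generated content and tokens via foreign keys).
    cur.execute("DELETE FROM accounts WHERE deletion_requested_at IS NOT NULL AND deletion_requested_at <= ?",
                (_epoch(now - DELETION_GRACE),))
    removed["accounts_past_grace"] = cur.rowcount
    cur.execute("DELETE FROM accounts WHERE email_verified = 0 AND deletion_requested_at IS NULL AND created_at < ?",
                (_epoch(now - UNVERIFIED_ACCOUNT_TTL),))
    removed["stale_unverified_accounts"] = cur.rowcount
    conn.commit()
    return removed

SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed "current time"

def build_sample_db(now: datetime = SAMPLE_NOW) -> sqlite3.Connection:
    """Constructed rows: every table has records inside and outside its window."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    ago = lambda **kw: _epoch(now - timedelta(**kw))
    conn.executemany("INSERT INTO password_reset_tokens VALUES (?, ?, ?)",
                     [("tok-fresh", 1, ago(hours=2)), ("tok-stale", 1, ago(hours=30))])
    conn.executemany("INSERT INTO rate_limit_records VALUES (?, ?, ?)",
                     [(1, "203.0.113.5", ago(days=5)), (2, "203.0.113.5", ago(days=31)),
                      (3, "198.51.100.7", ago(days=45))])
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?, ?, ?)", [
        (1, "active@example.com", 1, ago(days=400), None),
        (2, "leaving@example.com", 1, ago(days=300), ago(days=20)),   # past the 14-day grace
        (3, "undecided@example.com", 1, ago(days=200), ago(days=3)),  # still within grace
        (4, "ghost@example.com", 0, ago(days=45), None),              # never verified, stale
        (5, "new@example.com", 0, ago(days=10), None),                # never verified, recent
    ])
    conn.commit()
    return conn

if __name__ == "__main__":
    print(run_cleanup(build_sample_db(), SAMPLE_NOW))
    # → {'expired_reset_tokens': 1, 'old_rate_limit_records': 2, 'accounts_past_grace': 1, 'stale_unverified_accounts': 1}
```

Returning per-rule counts lets the scheduler log what each run removed, which is the evidence an auditor asks for when checking that the retention schedule is actually enforced.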
Compliance Certifications
- GDPR Aligned: EU data protection
- CCPA/CPRA Compliant: California privacy
- PCI DSS: handled by Stripe — we never store card data
- Fair Housing Act: AI compliance scanning on all generated content
- PIPEDA Aligned: Canadian data protection
For compliance inquiries, contact compliance@listinggptpro.com