Your data, your control

All sensitive data is encrypted at rest using AES-256 and in transit using TLS 1.3. Your MLS credentials, property data, and appraisal workfiles are never stored in plaintext.

• AES-256 encryption for all credentials and sensitive fields at rest
• TLS 1.3 enforced on all connections between your browser, our API, and storage
• Database-level encryption via Supabase (pgcrypto) for columns containing PII
• Encryption keys managed through a dedicated secrets manager, rotated regularly

Every database table enforces row-level security policies. You can only access assignments, comps, and workfiles that belong to your account. Even at the API layer, a compromised token cannot access another user's data.

• Supabase RLS policies on every table ensure strict tenant isolation
• Queries are filtered at the database level, not the application level
• Service-role keys are never exposed to the client
• Automated tests validate RLS policies on every deployment

Your MLS and data-source credentials are encrypted before they leave your browser. They are decrypted only inside a sandboxed agent execution environment, used once, and wiped immediately after.

• Credentials encrypted client-side before transmission
• Decrypted only in ephemeral, sandboxed execution environments
• Never written to logs, disk, or long-term storage in plaintext
• Execution environment memory wiped after each agent run
• You can revoke stored credentials at any time from your dashboard

Every action taken by our cloud agents is logged in an append-only audit trail. Each log entry includes a timestamp, the action performed, the data accessed, and a screenshot of the source.

• Append-only log table: records cannot be modified or deleted
• Every agent action logged with timestamp, action type, and result
• Screenshots captured at each step for full visual provenance
• Supports USPAP workfile requirements for documentation
• Exportable audit reports for regulatory review

ValueSwell runs on infrastructure from SOC 2 certified providers. Our backend is hosted on Supabase (backed by AWS), with edge functions running in isolated environments.

• Supabase (AWS-backed) for database, auth, and storage
• Vercel for frontend hosting with automatic DDoS protection
• All infrastructure providers maintain SOC 2 Type II compliance
• Regular penetration testing and vulnerability scanning
• Automatic security patches and dependency updates

Email/password authentication with support for multi-factor authentication (MFA). Sessions are managed with short-lived JWTs and secure refresh tokens.

• Supabase Auth with bcrypt-hashed passwords (never stored in plaintext)
• TOTP-based multi-factor authentication (MFA) support
• Short-lived JWT access tokens (1 hour) with secure refresh rotation
• Session revocation from your security settings
• Brute-force protection with rate limiting and account lockout

All uploaded files (photos, screenshots, workfiles) are stored in private Supabase Storage buckets. Access is granted via signed URLs that expire after a short time window.

• Private storage buckets: no public access to any uploaded file
• Signed URLs generated server-side with configurable expiration
• Default URL expiration: 15 minutes for screenshots, 1 hour for reports
• Files are encrypted at rest in the storage backend
• Automatic cleanup of orphaned or expired temporary files

Our audit trail and documentation system is designed to meet USPAP workfile requirements. Every data source, agent action, and appraiser decision is documented with timestamps and provenance.

• Complete data provenance: every value traced back to its source
• Screenshots of MLS listings, county records, and map data preserved
• Appraiser overrides and judgment calls logged with reasons
• Workfile export includes full audit trail and source documentation
• Retention policies aligned with USPAP 5-year minimum requirement