Trust portalTrust CenterSecurityData Protection

Trust Center

The record of how PropFlow has changed.

Safeguards we added, process we tightened, things we corrected, and what is on the roadmap — dated and in plain language. For the full posture, read Security and Data Protection.

Contact routes

Named inboxes with a human on the other side. Include the details below in your first message and we can skip the usual back-and-forth.

Security research + coordinated disclosure

Vulnerability reports, penetration-test findings, and coordinated disclosure from outside researchers.

Include in your first message

  • Reproduction steps, affected URL or endpoint, and rough severity.
  • Your preferred name and whether you want public credit on disclosure.
  • Any PoC artifacts — link or attach; do not include live tenant data.

Tenant data, DSRs, and DPA requests

Data subject requests, DPA signature, subprocessor change notifications, and tenant PII questions.

Include in your first message

  • The tenant or account identifier you are asking about.
  • The specific right you are exercising — access, deletion, correction, portability.
  • Your relationship to the account: tenant, operator, or authorized agent.

Operators using PropFlow day-to-day

Account issues, Clara behavior questions, work-order disputes, and anything blocking a property team right now.

Include in your first message

  • Property name and the unit or prospect involved, if relevant.
  • What you expected to happen vs. what actually happened.
  • Screenshot or message ID when the issue is visible in the UI.

Press and partnerships

Media inquiries, co-marketing, and integration partnerships. We prefer short first notes over briefing decks.

Include in your first message

  • Outlet or company, and the angle you are working on.
  • Your deadline, if there is one.
  • Whether the request is on or off the record.

What this page won’t do

Our editorial stance on what belongs here and what does not.

  • We do not publish a cert grid we have not earned. SOC 2, HIPAA, ISO 27001, PCI — not claimed, not implied.

  • We do not quote retention periods we have not reviewed against the running system in the last quarter.

  • We do not list customer audit counts, pentest counts, or logos we have not been cleared to show.

  • We do not answer security questionnaires from a template. Reviewers get responses written against the actual controls.

AI safety & compliance

Four questions Legal and Procurement ask about any AI system — answered by architecture, not by policy documents.

For your Legal / Risk team

Trust is an architecture, not a promise. Open any row.

Procurement asks four questions: what can the AI say, how do you know what it did, what happens when it’s wrong, and where does our data go. Here are the four rows that answer them — built in, not bolted on, not in a separate “AI ethics” deck.

  • Every inbound SMS is checked for regulated keywords before it reaches Clara. STOP, START, and HELP are answered by a fixed, non-AI handler — the tenant gets the legally required response, the opt-out state is recorded, and Clara is not invoked on that message. Consent is captured and logged at sign-up with IP, user-agent, and timestamp, and every inbound is validated against that record. There is no path where the AI can accidentally reply after an opt-out, because the AI never receives the message.

    What happens
    Opt-out keywords answered by fixed code, not the AI
    Consent record
    IP, user-agent, and timestamp captured at sign-up, checked on every inbound
    On opt-out
    Tenant receives the legally required reply; Clara is not invoked
    Audit
    Every inbound logged with the intercept verdict before any AI processing

Commitments we stand behind

Not a badge wall. Four practices that are wired into the product, plus one we are still working toward.

TCPA keywords at the edge

STOP, START, and HELP intercepted before the agent loop runs. Consent captured with IP, user agent, and timestamp.

Fair Housing screening

Every outbound leasing reply is screened for Fair Housing violations before send. Failures block the message.

Full audit trail per message

Every tool call, decision, and outbound reply is logged with full context and exportable on request.

Human-in-the-loop on dispatch

Work orders need operator approval before a vendor is dispatched. Sensitive cases escalate to a named human.

Third-party security review

In progress. Scope set, reviewer selection underway. No attestation claim until the report lands.