Security at DoorSpot

Last Updated: November 6, 2025

This document provides a comprehensive overview of DoorSpot's security model, data protection practices, and commitment to safeguarding your information. We understand that as a property management platform, we handle sensitive tenant, owner, and financial data, and security is our highest priority.


Security Philosophy

At DoorSpot, we believe security is not a feature—it's a foundation. Our platform is built with security-first principles:

  • Defense in Depth: Multiple layers of security controls protect your data
  • Zero Trust Architecture: Every request is authenticated and authorized
  • Least Privilege Access: Users have only the permissions they need
  • Continuous Monitoring: Real-time tracking of security events and anomalies
  • Regular Updates: Ongoing security improvements and vulnerability remediation

Authentication & Access Control

Secure Authentication

JWT-Based Authentication

  • JSON Web Tokens (JWT) signed with industry-standard algorithms
  • Unique signing keys per user for enhanced security
  • Short-lived access tokens that are automatically refreshed
  • Secure token transmission via HTTPS-only connections

Multi-Factor Authentication (2FA)

  • Optional Google Authenticator integration for time-based one-time passwords (TOTP)
  • Numerous backup codes for account recovery
  • Temporary authentication tokens for 2FA verification
  • Industry-standard authentication flow

Password Security

  • Bcrypt password hashing with industry-standard cost factors
  • No password storage in plaintext
  • Secure password reset flow with time-limited tokens
  • Password validation on all authentication attempts

Granular Access Control

Role-Based Access Control (RBAC)

  • Multiple distinct user roles with varying permission levels
  • Permission gates for fine-grained authorization
  • Emergency access procedures with full audit trail
  • Role validation on every request

Multi-Tenancy & Data Isolation

  • Strict data isolation ensuring complete organizational data separation
  • User context switching with full audit trails
  • Comprehensive data boundary protections

Session Management

  • Limited-duration refresh tokens
  • IP address and user-agent validation on token refresh
  • Automatic token rotation on renewal
  • Session revocation on logout

Data Encryption & Protection

Encryption Standards

Data in Transit

  • TLS 1.2+ encryption for all API communications
  • HTTPS-only connections (no unencrypted HTTP)
  • Secure WebSocket connections for real-time features
  • Certificate pinning for API clients

Data at Rest

  • AES-256 encryption for application-level secrets
  • Bcrypt password hashing for user credentials
  • Field-level encryption for sensitive PII
  • Encrypted database backups

Cookie Security

  • Secure cookie configuration with CSRF protection
  • HttpOnly and Secure flags enforced
  • Production-grade cookie hardening

Sensitive Data Handling

Protected Information

  • User credentials: Securely hashed, never logged
  • Authentication secrets: Encrypted with per-user keys
  • Financial identifiers: Field-level encryption
  • Payment methods: Fully tokenized via PCI-DSS Level 1 provider

API Response Protection

Sensitive fields are never exposed in API responses, including authentication secrets, payment details, and internal identifiers.


API Security & Rate Limiting

Request Protection

Rate Limiting

  • Rate limiting enforced on all endpoints with dynamic throttling based on usage patterns
  • IP-based throttling for unauthenticated requests
  • Automatic retry-after headers for rate limit responses

CORS Policy

  • Strict origin whitelist
  • Credentials support for authenticated requests
  • Exposed headers limited to operational requirements

Input Validation

  • Comprehensive request validation on all endpoints
  • Type coercion and format validation
  • Array and nested structure validation
  • SQL injection prevention via parameterized queries
  • String trimming and sanitization

Middleware Security Stack

Layered Protection

  • JWT token validation on every API request
  • Automatic token refresh in response headers
  • CSRF protection for session-based endpoints
  • Proxy trust configuration for accurate IP logging
  • Request/response logging for security monitoring
  • Specialized middleware for privileged operations and error tracking

Audit Logging & Monitoring

Comprehensive Audit Trail

What We Log

  • Comprehensive audit coverage across all critical data models
  • User authentication events (login, logout, failed attempts)
  • Permission and role changes
  • Financial transactions
  • Sensitive operations
  • API requests with IP address, user agent, and URL

Audit Details

Every audit record captures:

  • Who: User ID and associated person/contact
  • What: Event type and human-readable description
  • When: Precise timestamp
  • Where: IP address and geographic context
  • How: User agent (browser/device information)
  • Before/After: Old and new values for all changes

Retention & Access

  • Database audit logs retained indefinitely
  • File-based logs retained in accordance with our data retention policy
  • Audit detail reconstruction for compliance reporting
  • Journey tracking for individual contacts and companies

Real-Time Monitoring

Error Tracking & Alerting

  • Real-time error monitoring and alerting
  • Automated notifications for critical errors
  • Automatic exception reporting with stack traces
  • Performance monitoring for database queries and API calls

Security Event Monitoring

  • Failed authentication attempt tracking
  • Unusual access pattern detection
  • Payment processing error alerts
  • Third-party integration failure notifications

Third-Party Integrations

We carefully select and integrate with industry-leading service providers to enhance our platform while maintaining security:

Payment Processing

Stripe (PCI-DSS Level 1 Service Provider)

  • Payment card tokenization (no card data stored by DoorSpot)
  • Bank account verification
  • ACH and credit card payment processing
  • Webhook signature verification
  • Connect platform for owner payouts

Plaid (SOC 2 Type II Certified)

  • Bank account linking and verification
  • Transaction history syncing
  • Secure credential exchange

Communications

Twilio (SOC 2 Type II Certified)

  • SMS messaging and delivery tracking
  • Phone number verification
  • Message status tracking

SendGrid / Mailgun

  • Transactional email delivery
  • Email tracking and analytics
  • Bounce and spam handling

Background Screening

TransUnion

  • Rental history verification
  • Credit and background checks
  • Tenant screening reports
  • Compliance with Fair Credit Reporting Act (FCRA)

Security Measures for Integrations

  • API Key Management: All credentials stored in environment variables
  • Webhook Verification: Cryptographic signature validation for all webhooks
  • Rate Limiting: Throttling on all webhook endpoints
  • Error Handling: Comprehensive logging of integration failures
  • Data Minimization: Only necessary data shared with third parties

Compliance & Certifications

Industry Standards

Payment Card Industry Data Security Standard (PCI-DSS)

  • Level 1 compliance via Stripe partnership
  • No card data stored on DoorSpot servers
  • Tokenized payment methods
  • Annual compliance validation

Data Privacy Regulations

GDPR Compliance (General Data Protection Regulation)

  • Lawful basis for data processing
  • User consent management
  • Data portability capabilities
  • Right to access personal data

CCPA Compliance (California Consumer Privacy Act)

  • Privacy policy disclosure
  • Data collection transparency
  • Respect for consumer rights (access, deletion, opt-out)

Security Best Practices

  • Soft Deletes: Preserves data integrity while allowing restoration
  • Audit Trails: Complete history of all data modifications
  • Data Minimization: Collect only necessary information
  • Purpose Limitation: Data used only for stated purposes
  • Access Controls: Role-based permissions and least privilege

Data Privacy & Retention

What Data We Collect

User Information

  • Email addresses (for authentication and communication)
  • Names and contact details
  • Password hashes (bcrypt, never plaintext)
  • Login timestamps and IP addresses

Property Management Data

  • Property and unit details
  • Tenant and owner information
  • Lease agreements and terms
  • Rental application data

Financial Data

  • Invoice and payment records
  • Bank account tokens (via Plaid)
  • Payment card tokens (via Stripe)
  • Transaction history

How We Protect Your Data

Access Controls

  • Multi-factor authentication for privileged accounts
  • Role-based access control
  • Client-based data isolation
  • IP address logging

Data Retention

  • Financial records: Retained per legal and regulatory requirements
  • Audit logs: Retained indefinitely for compliance
  • Application logs: Retained in accordance with our data retention policy
  • Soft-deleted data: Restorable until permanently purged

Data Deletion

  • User-initiated account deletion supported
  • Cascade deletion of associated records
  • Audit trail preservation for compliance
  • GDPR right-to-be-forgotten processes

Data Sharing

We never sell your data to third parties. Data is shared only with:

  • Service providers necessary for platform operation (see Third-Party Integrations)
  • Legal authorities when required by law
  • Your authorized users within your organization

Incident Response

Our Commitment

In the unlikely event of a security incident:

  1. Detection: Real-time monitoring and alerting systems
  2. Containment: Immediate isolation of affected systems
  3. Investigation: Forensic analysis to determine scope and impact
  4. Notification: Timely communication to affected users
  5. Remediation: Fixes and enhanced controls to prevent recurrence
  6. Review: Post-incident analysis and security improvements

User Notification

  • Affected users notified within 72 hours of discovery
  • Clear communication about incident scope and impact
  • Recommended actions for affected users
  • Updates throughout investigation and remediation

Continuous Improvement

  • Regular security audits and penetration testing
  • Vulnerability scanning and patching
  • Security training for development team
  • Third-party security assessments

Contact & Security Reporting

Report Security Vulnerabilities

If you discover a security vulnerability, please report it responsibly:

  • Email: security@doorspot.com (monitored 24/7)
  • Scope: DoorSpot API, web application, mobile apps
  • Response Time: Acknowledgment within 24 hours

What to Include

  • Detailed description of the vulnerability
  • Steps to reproduce
  • Potential impact assessment
  • Your contact information (for follow-up)

Our Commitment

  • We will not pursue legal action against good-faith security researchers
  • We will acknowledge your contribution (with your permission)
  • We will provide updates on remediation progress
  • We may offer bug bounty rewards for significant findings

Security Questions

For general security questions or concerns:


Security Roadmap

We continuously evaluate and enhance our security posture through regular assessments, industry best practice adoption, and proactive security improvements.


Conclusion

Your trust is our most valuable asset. We are committed to maintaining the highest security standards to protect your data and privacy. This document is regularly updated to reflect our current security practices.

For the most up-to-date information, please visit our security page or contact our security team.

Thank you for trusting DoorSpot with your property management needs.


This document was last reviewed on November 6, 2025. For questions or concerns, please contact security@doorspot.com.
