Security
Security Overview
This Security Overview describes the general security measures and practices used to help protect information processed through PropioLedger, a product of Stilly Ventures, Inc.
Overview
We understand that customers trust PropioLedger with important property, financial, operational, renter, tenant, and company information. Protecting that information is a significant responsibility. This document is informational only and does not create contractual commitments, warranties, or guarantees.
PropioLedger is currently operating an invite-only private beta program and is accepting early access requests from prospective users.
Security Principles
PropioLedger's security practices are guided by several principles:
- Protect customer information.
- Limit unnecessary access.
- Secure systems and infrastructure.
- Monitor for abuse and misuse.
- Continuously improve security practices as the platform grows.
Infrastructure Security
PropioLedger relies on reputable infrastructure and service providers to support hosting, databases, authentication, networking, content delivery, email delivery, security services, and optional mapping workflows.
- Vercel for hosting, runtime infrastructure, routing, and platform security.
- Supabase for authentication, database services, and row-level security enforcement.
- Resend for transactional email delivery.
- Geoapify, OpenStreetMap, or Nominatim for optional map and geocoding workflows.
Provider relationships may change over time as the platform evolves.
Encryption
Communications between users and PropioLedger are protected using HTTPS and Transport Layer Security (TLS) technologies. Where supported by underlying infrastructure providers, data may be protected using encryption-at-rest technologies. Specific encryption implementations may vary by service provider and deployment environment.
Authentication and Access Controls
Access to PropioLedger is restricted through Supabase authentication, session management, role-based permissions, company scoping, and account access controls. Application roles may include Company Admin, Company User, Read Only, application administration roles, and other access levels depending on platform configuration. Customer users are scoped to their assigned company, rental owner account, or portfolio unless they have application administration permissions.
Users are responsible for maintaining the confidentiality of their credentials, using strong passwords, and promptly reporting suspected unauthorized account access.
We may introduce optional or required multi-factor authentication for some accounts, roles, or workflows in the future.
Application Security
Security practices may include:
- Authentication and authorization controls for protected routes and API actions.
- Row-level security policies for company-owned database tables.
- Server-side checks for company scope and role-based write permissions.
- Input validation, error handling protections, logging, and audit records.
- Dependency maintenance, software updates, and security patching.
- Authorized cron routes protected by a dedicated cron secret.
Security controls may evolve as the platform grows.
Administrative Access and Impersonation Preview
Application admins can use company scope filters and impersonation preview for support and troubleshooting. Impersonation tokens are signed with a dedicated impersonation secret, expire after a limited period, and are separate from database service-role credentials. Mutation routes that check preview mode preserve read-only protections for impersonation preview.
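The controls described above (a dedicated signing secret, a limited lifetime, and read-only enforcement on mutation routes), shown as an added example that is not PropioLedger's own code. The token layout, the 15-minute lifetime, and all function and field names are assumptions made for illustration.

```javascript
// Added example: token layout, TTL and every name here are assumptions.
const crypto = require("node:crypto");

const b64u = (buf) => Buffer.from(buf).toString("base64url");
const hmac = (secret, data) => crypto.createHmac("sha256", secret).update(data).digest();

// Issue a short-lived preview token: base64url(payload) + "." + base64url(HMAC).
function issuePreviewToken(secret, adminId, companyId, nowMs, ttlMs = 15 * 60 * 1000) {
  const claims = { adminId, companyId, mode: "preview", exp: nowMs + ttlMs };
  const payload = b64u(JSON.stringify(claims));
  return `${payload}.${b64u(hmac(secret, payload))}`;
}

// Return the claims only if signature and expiry both check out; otherwise null.
function verifyPreviewToken(secret, token, nowMs) {
  const parts = String(token).split(".");
  if (parts.length !== 2) return null;
  const given = Buffer.from(parts[1], "base64url");
  const expected = hmac(secret, parts[0]);
  // Compare lengths first: timingSafeEqual throws on unequal lengths.
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
  let claims;
  try { claims = JSON.parse(Buffer.from(parts[0], "base64url").toString("utf8")); }
  catch { return null; }
  if (claims.mode !== "preview" || typeof claims.exp !== "number") return null;
  return nowMs < claims.exp ? claims : null;
}

// Guard for mutation routes: a request carrying a preview token is read-only,
// and a token that fails verification is rejected rather than ignored.
// Normal session authorization is out of scope and happens elsewhere.
function authorizeMutation(secret, method, previewToken, nowMs) {
  if (!previewToken) return { allowed: true, reason: "no-preview" };
  const claims = verifyPreviewToken(secret, previewToken, nowMs);
  if (!claims) return { allowed: false, reason: "invalid-token" };
  const readOnly = ["GET", "HEAD", "OPTIONS"].includes(method.toUpperCase());
  return { allowed: readOnly, reason: readOnly ? "preview-read" : "preview-read-only" };
}

// Constructed sample values for a stand-alone run.
const SECRET = "constructed-impersonation-secret";
const T0 = 1_700_000_000_000;
const token = issuePreviewToken(SECRET, "admin-1", "company-42", T0);
console.log(authorizeMutation(SECRET, "POST", token, T0 + 1000));
console.log(authorizeMutation(SECRET, "GET", token, T0 + 1000));
```

Because the secret is used only to sign preview tokens, its exposure would not hand over database service-role access, which is the separation the paragraph describes.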
Employee and Contractor Access
Access to customer information is limited to personnel who require access for legitimate business purposes, such as customer support, security investigations, system maintenance, compliance obligations, and product operations. Access permissions are reviewed and adjusted as needed.
Data Segregation
PropioLedger is designed to logically separate customer accounts and associated information. Most operational data is scoped by rental owner account or portfolio, and row-level security policies also enforce account access in the database. Customers are generally unable to access information belonging to other customer accounts.
Early access requests, waitlist information, beta invitation records, and related onboarding records are protected using the same access controls and administrative protections applied to other platform data.
Security Monitoring
PropioLedger may monitor systems and services for unauthorized access attempts, suspicious activity, abuse, availability issues, and security incidents. Monitoring practices may include automated and manual review processes. Activity logs are maintained for important workflows such as imports, rental changes, expense changes, notes, company and admin changes, invoice dispatches, and privacy request workflows.
Vulnerability Management
PropioLedger may periodically review platform security, apply software updates, apply security patches, and address identified vulnerabilities. Security improvements are prioritized based on risk and available resources.
Incident Response
If a security incident is identified, Stilly Ventures, Inc. may investigate the incident, contain affected systems, mitigate risk, restore affected services, and notify affected parties where required by law. Response actions will vary based on the nature and severity of the incident.
Customer Responsibilities
Customers also play an important role in maintaining security. Customers are responsible for:
- Protecting account credentials and maintaining device security.
- Using strong passwords and monitoring account activity.
- Managing user access appropriately within their company.
- Protecting information entered into the platform.
- Collecting, using, and retaining renter, tenant, vendor, owner, and third-party information lawfully.
PropioLedger provides software tools only and does not provide legal or compliance advice.
Backups and Recovery
PropioLedger may utilize backup and recovery mechanisms provided by its infrastructure providers and operational processes to support business continuity and disaster recovery objectives. Backup frequency, retention, and recovery behavior may vary by provider, environment, and data type.
During the private beta, users should maintain independent copies of important records and financial information. While backups and recovery mechanisms may exist, beta environments may contain experimental functionality and should not be relied upon as the sole system of record.
Data Retention
Customer information is retained as described in our Privacy Policy and applicable customer workflows. Privacy rights request records and cookie consent records may be retained or purged according to configured compliance retention workflows. Retention can also be affected by legal obligations, account administration needs, backups, financial recordkeeping, dispute resolution, and security requirements.
Third-Party Service Providers
PropioLedger utilizes third-party service providers to operate portions of the platform. These providers may process information on behalf of Stilly Ventures, Inc. Examples include providers supporting hosting, databases, authentication, email delivery, security services, maps, geocoding, and future payment processing if paid subscriptions are enabled.
Compliance
PropioLedger is designed with privacy and security considerations in mind. Current privacy-related practices include cookie consent management, privacy rights request processes, Global Privacy Control recognition, privacy policy disclosures, access controls, and compliance retention workflows.
PropioLedger does not currently claim third-party security certifications, audit reports, or compliance attestations unless they are separately published after formal completion.
Secret Handling
Server-only secrets, such as service-role database credentials, email API keys, cron secrets, geocoding API keys, and impersonation signing secrets, are intended to remain server-side. Local environment files are ignored by source control, and public browser-visible configuration uses `NEXT_PUBLIC_*` variables where appropriate.
Reporting Security Issues
If you believe you have identified a security issue relating to PropioLedger, please contact Stilly Ventures, Inc. at propio_privacy@stillyventures.com, through the Contact Us page, or through the Contact Us functionality available on the website or within the application.
Please provide a description of the issue, steps to reproduce, relevant screenshots or details, and contact information. We appreciate responsible disclosure of security concerns.
Changes to This Security Overview
This Security Overview may be updated periodically to reflect changes in infrastructure, security practices, service providers, legal requirements, and business operations. The most current version will be available through the Terms & Policies Center.
Disclaimer
This Security Overview is provided for informational purposes only. Nothing in this document creates contractual obligations, guarantees, warranties, or representations regarding security, availability, or performance. No security measure can guarantee complete protection against all threats or risks.