How we keep your data safe.

Modern Management handles sensitive property-management data: resident contact information, payment records, lease details, and communications. We take protecting that data seriously. This page explains the technical and organizational measures we use.

Data Encryption

In transit: all traffic between your browser and Modern Management, and between Modern Management and our subprocessors, is encrypted using TLS 1.3 (with TLS 1.2 as a fallback for legacy clients). HTTP connections are automatically redirected to HTTPS. API endpoints reject unencrypted requests.

At rest: application data is stored in a managed PostgreSQL database hosted by Neon. Neon encrypts all data at rest using industry-standard AES-256 encryption. Database backups are likewise encrypted.

Passwords are never stored in plaintext. They are hashed using bcrypt with a per-user salt and an appropriate cost factor, so even a full database compromise would not expose usable credentials.

Backups and Disaster Recovery

Backup and recovery: Our managed database provider (Neon) performs automated backups with point-in-time recovery capabilities. Our internal recovery point objective (RPO) is 24 hours, meaning we expect to be able to restore data to a point within the last 24 hours in the event of a database-level incident. Our recovery time objective (RTO) for critical services is 4 hours. These targets may evolve as we grow.

Data Isolation

Modern Management is a multi-tenant platform, but every row of customer data is scoped to a specific workspace. Isolation is enforced at multiple layers:

• Per-workspace user_id scoping: every table that contains customer data (contacts, rent records, messages, tasks, calendar events, knowledge base entries, etc.) includes a user_id column. All database queries are filtered by user_id at the application layer — no query returns data from another workspace.
• Session-scoped data access: API requests must carry a valid session cookie. The server resolves the session to a user_id and injects that ID into every query. You cannot override or spoof the user_id from the client.
• AI context isolation: when the AI command bar is invoked, the context snapshot sent to Anthropic's API is assembled server-side using the session's user_id as the scope. The AI never sees data from any other workspace.

Authentication

Access to the Service is controlled by session-based authentication:

• Password hashing: user passwords are hashed with bcrypt. Plaintext passwords are never logged, stored, or retained.
• Session cookies: successful login issues a session cookie with a 24-hour expiration. Cookies are flagged HttpOnly, Secure, and SameSite to mitigate XSS and CSRF risks.
• Session storage: session records are stored server-side in PostgreSQL (not in JWTs), so we can revoke a session instantly by deleting its row. On logout, the session row is removed.
• Brute-force resistance: login endpoints are rate-limited, and repeated failed attempts trigger backoff.

Administrative Access

Access to production systems, including the database, application servers, and third-party service consoles (Stripe, Twilio, SendGrid, Neon, Render, Anthropic), is limited to authorized personnel on a need-to-know basis. As a solo-founder operation, this currently means only the founder has production access. As the team grows, we will implement role-based access controls, multi-factor authentication on all administrative accounts, and periodic access reviews.

Subprocessors

We use a small, vetted set of third-party services to operate the platform (AI processing, SMS, email, database hosting, payments, application hosting). Each is contractually bound to protect your data and use it only to provide services to us.

A full, up-to-date list — including what data each subprocessor sees — is maintained in our Privacy Policy.

Incident Response Contact

If you suspect a security incident affecting Modern Management or your account, report it to us immediately:

• Security contact: security@modernmanagementapp.com

We aim to acknowledge reports within one business day and provide an initial assessment within three business days. In the event of a confirmed incident that affects your data, we will notify you without undue delay and in accordance with applicable law.

Responsible Disclosure

If you are a security researcher or have discovered a vulnerability in the Service, we welcome your report. Please send details to security@modernmanagementapp.com and follow these guidelines:

• Provide enough detail for us to reproduce the issue (URL, request, reproduction steps, impact).
• Give us a reasonable period to investigate and remediate before public disclosure — typically 90 days, or longer for severe issues.
• Do not access or modify data belonging to other users. Use only test accounts you control.
• Do not perform destructive testing, denial-of-service attacks, or social engineering against our staff.
• Do not violate any laws or the rights of any third party during your research.

We will acknowledge every good-faith report, keep you informed of our progress, and publicly credit you for the discovery (with your permission) once the issue is fixed.

Vulnerability Management and Compliance

Vulnerability management: We use automated dependency scanning (npm audit and similar) to identify known vulnerabilities in our open-source dependencies. Critical and high-severity issues are patched promptly upon discovery.

Compliance roadmap: Modern Management is an early-stage product. We are committed to evolving our security practices as we grow, and we intend to pursue formal security certifications (such as SOC 2 Type I and Type II) as our customer base expands to include organizations with formal vendor assessment requirements. If you are evaluating Modern Management for a context that requires specific compliance posture, contact security@modernmanagementapp.com to discuss.