Security
Built for trust. Multi-tenant by design.
Every agency’s data is isolated at the database layer — not just in the app. Postgres row-level security enforces tenant separation on every row of every table. No app-layer mistake can leak data across agencies.
Architecture
agency_id on every row. RLS on every table.
Every query is scoped by agency_id from the JWT. No agency can read or write to another’s data — even if the app code asks for it.
Pillars
How we think about trust.
Isolation
Postgres RLS on every table. agency_id is required on every row. JWT carries agency_id + role as custom claims. The database refuses cross-agency queries — full stop.
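A sketch of the isolation model described under Architecture and Isolation, as an added example that is not this product's own schema or code. It assumes a hypothetical `contacts` table, a hypothetical `app_user` role, and a hypothetical custom setting `app.agency_id` that the application fills from the verified JWT claim at the start of each transaction.

```sql
-- Added example: table, role and setting names are hypothetical.
CREATE TABLE contacts (
    id        bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
    agency_id uuid NOT NULL,              -- required on every row
    full_name text NOT NULL
);

-- RLS is off until enabled. FORCE makes the policies apply to the table
-- owner as well; superusers and BYPASSRLS roles still skip them.
ALTER TABLE contacts ENABLE ROW LEVEL SECURITY;
ALTER TABLE contacts FORCE  ROW LEVEL SECURITY;

-- USING filters rows that can be read, updated or deleted.
-- WITH CHECK rejects rows written on behalf of another agency.
-- current_setting(..., true) yields NULL when unset and NULLIF covers the
-- empty string left after a SET LOCAL expires, so an unscoped session
-- matches no rows instead of raising a cast error.
CREATE POLICY tenant_isolation ON contacts
    USING      (agency_id = NULLIF(current_setting('app.agency_id', true), '')::uuid)
    WITH CHECK (agency_id = NULLIF(current_setting('app.agency_id', true), '')::uuid);

-- The application role must not be able to bypass policies.
CREATE ROLE app_user NOLOGIN NOSUPERUSER NOBYPASSRLS;
GRANT SELECT, INSERT, UPDATE, DELETE ON contacts TO app_user;

-- One request for agency 1111... (constructed ids). set_config(..., true)
-- is transaction-local, so a pooled connection does not carry the tenant
-- over to the next request. The value must come only from the verified JWT.
BEGIN;
SET LOCAL ROLE app_user;
SELECT set_config('app.agency_id', '11111111-1111-1111-1111-111111111111', true);
INSERT INTO contacts (agency_id, full_name)
VALUES ('11111111-1111-1111-1111-111111111111', 'Constructed Contact A');
SELECT id, full_name FROM contacts;       -- sees only this agency's rows
COMMIT;

-- Same tenant, but the row names a different agency: WITH CHECK refuses it.
BEGIN;
SET LOCAL ROLE app_user;
SELECT set_config('app.agency_id', '11111111-1111-1111-1111-111111111111', true);
INSERT INTO contacts (agency_id, full_name)
VALUES ('22222222-2222-2222-2222-222222222222', 'Constructed Contact B');
ROLLBACK;
```

When reviewing a deployment of this pattern, check `pg_class.relrowsecurity` and `relforcerowsecurity` for every tenant table and confirm the application's login role has neither `rolsuper` nor `rolbypassrls` set in `pg_roles`.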
Encryption
TLS 1.3 in transit. AES-256 at rest via Railway-managed Postgres. Secrets stored in environment, never committed. No customer data in logs.
Authentication
Auth.js v5: email + password, magic links, SSO (Google · Microsoft) on Team and Agency plans. Role-based access at the app layer, RLS at the data layer.
Backups & recovery
Daily automated backups, 30-day point-in-time recovery. Multi-region failover via Railway. Export your data any time as CSV or JSON — it's yours.
Data handling
You own your data. We just store it.
Your agency’s contacts, listings, pipelines and notes are yours. We don’t share them, sell them, train models on them, or look at them without a support reason and a record.
- No data sharing with third parties beyond the providers we name in the DPA
- CSV + JSON export at any time, for all your data
- Account closure: 30-day retention then permanent delete
- No customer data in production logs — IDs only
- Internal access is audited and requires a documented support reason
Where data lives
Postgres database
Railway · ap-south-1 (Mumbai) for India accounts · au-southeast-1 (Sydney) for AU/UK
File storage
Vercel Blob, scoped per agency_id
Cache
Upstash Redis · domain lookups only, 5-min TTL
Notifications
Twilio (WhatsApp) · Resend (email) · message bodies, no payloads stored long-term
Payments
Stripe · card data never touches our servers
Compliance posture
Where we are. Where we’re going.
We’re honest about what we have today and what’s on the roadmap. Auditing-as-a-marketing-claim is how trust gets lost.
GDPR-aligned
Data export, deletion, processor list in DPA
AU Privacy Act
Data residency in Sydney for AU accounts
DPIA available
On request for Agency plan
DPA
Standard agreement signable on request
SOC 2 Type I
Audit window planned · 2027
ISO 27001
Following SOC 2
Sub-processor portal
Self-service list with notification opt-ins
Bug bounty programme
After GA
Security FAQ
Questions principals actually ask.
India accounts: Mumbai (ap-south-1). AU + UK accounts: Sydney (au-southeast-1). EU support on the roadmap. Data does not cross regions without your written consent.
Only when you've raised a support ticket that requires it, with a documented reason logged against your account. We don't poke around for product reasons.
Your data is exported on request. 30-day retention after cancellation, then permanent delete. No clawback, no extra fees.
No. No customer data is used to train any model — ours or any third party's. The schema is being built as the substrate for future per-agency intelligence; that's opt-in only and never crosses agencies.
Notified within 72 hours per GDPR / Privacy Act standards. Cause, scope, impact and remediation steps documented publicly within 30 days.
Yes — DPA standard, DPIA available on the Agency plan. Email security@realhq.io and we'll route it.
Need a security review before signing up?
Email security@realhq.io and we’ll send the DPA, DPIA template, and our sub-processor list within one business day.
