Security & Compliance

Bank-grade security for buildings, not vague promises.

Every PropOS account is encrypted, audited, and role-segregated by default. Compliance with Loi 09-08 (Morocco), GDPR (EU), and Code de Commerce retention is built into the product, not stapled on.

AES-256 encryption everywhere

Every byte is encrypted in transit (TLS 1.3) and at rest (AES-256). Database, file storage, and backups are all encrypted.

Role-based access at the database level

A syndic sees their buildings. A resident sees their unit. Enforced by Firebase security rules and re-checked on every server action.

Tamper-proof audit log

Every state change writes an audit log entry recording the actor, the timestamp, and the before/after values. AGM presidents can review the full trail.

Server-side AI

AI calls go through our backend. Your resident names, addresses, and financial figures never appear in third-party logs.

No third-party trackers

No Google Analytics, Meta Pixel, or Hotjar on /pricing, /features, /contact. Only first-party, privacy-respecting analytics.

Daily backups, 30-day retention

Database and file storage backed up daily, retained for 30 days. RPO ≤ 24h, RTO ≤ 4h on Professional and SmartSyndic plans.

Legal & regulatory

Compliance, mapped to articles.

PropOS is built by Moroccan engineers who read the laws. Here's how each regulation maps to a concrete feature you can see in the product.

Loi 09-08

Moroccan data protection

Article 7 right of access (one-click JSON export), Article 8 rectification, Article 9 erasure (30-day soft delete). Local CNDP registration in progress.

Loi 18-00

Moroccan condominium statute

AGM workflows, syndic election traceability, account-of-charges format, Mise en Demeure compliance with article 36 — built into the data model.

GDPR

EU data protection

For Moroccan buildings with EU residents or owners abroad: full GDPR rights (access, rectification, erasure, portability), DPA available on request, no transfer to non-adequacy countries.

Code de Commerce

Financial record retention

Accounting records (invoices, transactions, AGM minutes) retained for 10 years per Moroccan Code de Commerce. Audit log preserved separately even after a user requests account deletion.

Frequently asked

Security FAQ.

Where is my data hosted?

Firebase / Google Cloud, region europe-west1 (Belgium) by default. We can configure other regions on enterprise plans. No data leaves the EU/Morocco corridor unless you enable a third-party integration that requires it (and you control which).

Can your team see my building data?

No engineer or support agent can read raw database contents in normal operation. Production access requires a break-glass procedure that is logged and reviewed weekly. Customer support cases never include resident PII unless you explicitly share it.

What happens if I cancel?

Your data is yours. Export to JSON/CSV from /settings/security. We retain accounting records for 10 years (legal minimum) but PII is deleted within 30 days of cancellation. No lock-in.

Do you have a bug bounty?

Yes — responsible disclosure at security@propos.app. Critical vulnerabilities get a same-day acknowledgement. We publish CVE-style advisories for any incident affecting customer data.

How is my password stored?

PropOS uses Firebase Authentication; passwords are stored as per-user salted scrypt hashes (a deliberately slow key-derivation function). We never see the cleartext password. Optional 2FA via TOTP.

Are AI prompts logged?

We log the action (which feature called the AI), the actor, and the timestamp — never the prompt content or response content. OpenAI/DeepSeek's own policies apply to what they store on their side; both offer zero-data-retention modes that we use by default on enterprise plans.

Report a vulnerability

Found a security issue?

Email security@propos.app with a description and reproduction steps. We acknowledge within 24 hours, fix critical issues within 7 days, and credit you in our public advisory log if you want.

Please do not file a public GitHub issue or contact support — security reports stay private until a fix is shipped.

What we consider in scope

  • Authentication or authorization bypasses
  • Database injection or data-leak vectors
  • XSS, CSRF, SSRF in the web app
  • Stripe webhook signature bypass
  • AI prompt-injection that exfiltrates other users' data

Coordinated disclosure window: 90 days before public CVE.

Trust by design, not by promise.

See the security model in action. Start a free 30-day trial — no card.