Security & data handling

The homeowner's data isn't here — by design.

Restoration is a vertical where one bad actor poisons the well for everyone. FireSignal is engineered to make the worst-case use of the product structurally impossible — not just AUP-prohibited.

No homeowner PII, ever

The properties table is schema-locked against owner names, owner mailing addresses, and phone numbers. The TCAD bulk parser drops those fields at parse stage; they never reach the database. An automated check blocks any deploy that tries to add one back.

One customer can't see another

Per-customer data isolation is enforced inside the database itself, not just in app code. Subscribers, alerts, territories, and webhook deliveries are all scoped at the row level. An application-layer bug cannot accidentally leak another customer's data.

Append-only TCPA consent log

Every opt-in is written to an append-only ledger with the exact consent text version, IP, user agent, timestamp, and the phone number consenting. We can produce the exact record any regulator or carrier might ask for, including the consent text shown at the time.

Defense-in-depth synthetic isolation

The 15-minute synthetic monitoring probe is kept out of real customer territories by four independent guards: origin flag on the incident row, geofenced bbox the territory tool refuses to overlap, phone allowlist on the SMS wrapper, and a routing assertion that quarantines any cross-leak.

Encryption at rest and in transit

Customer data is encrypted on disk (AES-256) and across the network (TLS 1.2+). The site is served over HTTPS only. Database credentials are scoped per environment, with no shared keys between staging and production.

Webhook delivery is signed

Outbound webhooks are signed with HMAC-SHA256 over the request body. Signatures are tied to a rotatable per-destination secret you control. We retry with exponential backoff and surface every delivery attempt in the dashboard.

If something goes wrong

Written runbooks. Real response.

Breach notification (Tex. Bus. & Com. Code Ch. 521)

A written runbook governs the discovery → triage → notification workflow within the 60-day clock Texas law requires. Affected individuals get a Ch. 521-conforming notice; if 250+ Texans are affected, the AG is notified inside the same window. Cyber-insurance coordination is built into the runbook.

Subpoena and law-enforcement requests

Subpoenas and warrants get an independent callback verification before any production. Subscribers are notified unless the request includes a valid gag order. Data is produced minimally — only what's specified in scope — with metadata preserved and a chain-of-custody manifest with hashes.

Complaint handling

Intake at /complaint with 24-hour acknowledgement. Investigations follow a warning → suspension → termination workflow with a 7-day appeal window. Press inquiries get a dedicated template that protects subscriber privacy.

Disclosure

Found a bug? We'll credit you.

Vulnerability disclosure

Found a vulnerability? Email security@getfiresignal.com. We don't run a paid bounty yet, but we acknowledge every report within 48 hours and we credit researchers (with your permission) in the resolution post on the status page.

Please don't test against the live system without coordination — we'll happily spin up a staging environment for you. No legal action will be taken against good-faith research conducted within the disclosure policy.

Built so it can't do the bad thing. Start the trial.

Status page lives at /status · Probed every 15 minutes