No homeowner PII, ever
The properties table is schema-locked against owner names, owner mailing addresses, and phone numbers. The TCAD bulk parser drops those fields at parse stage; they never reach the database. An automated check blocks any deploy that tries to add one back.
One customer can't see another
Per-customer data isolation is enforced inside the database itself, not just in app code. Subscribers, alerts, territories, and webhook deliveries are all scoped at the row level. An application-layer bug cannot accidentally leak another customer's data.
Append-only TCPA consent log
Every opt-in is written to an append-only ledger with the exact consent text version, IP, user agent, timestamp, and the phone number consenting. We can produce the exact record any regulator or carrier might ask for, including the consent text shown at the time.
Defense-in-depth synthetic isolation
The 15-minute synthetic monitoring probe is kept out of real customer territories by four independent guards: origin flag on the incident row, geofenced bbox the territory tool refuses to overlap, phone allowlist on the SMS wrapper, and a routing assertion that quarantines any cross-leak.
Encryption at rest and in transit
Customer data is encrypted on disk (AES-256) and across the network (TLS 1.2+). The site is served over HTTPS only. Database credentials are scoped per environment, with no shared keys between staging and production.
Webhook delivery is signed
Outbound webhooks are signed with HMAC-SHA256 over the request body. Signatures are tied to a rotatable per-destination secret you control. We retry with exponential backoff and surface every delivery attempt in the dashboard.