Security built for real estate transaction data.
CloudCoord protects your real estate data with database-level isolation, encrypted storage, and a purpose-built document security pipeline. We tell you exactly what we do — no more, no less.
- Encryption: AES-256 at Rest, TLS 1.2+ In Transit
- Data Isolation: Row-Level Security, Per-User Enforcement
- Document Security: 5-Layer Pipeline, Injection Defense
- Provider Infrastructure: SOC 2 Type II Hosting, AES-256 Encryption, Anthropic API
Security Details
Encryption at Rest & In Transit
All data transmitted to and from CloudCoord is encrypted using TLS 1.2+. Data stored in our database is encrypted at rest using AES-256. This includes all documents, transaction records, contact information, and communications.
Data Isolation — Row-Level Security
CloudCoord uses Supabase with Row-Level Security (RLS) enforced at the database layer. This means the database itself enforces that you can only access your own transactions and documents — even a bug in our application code cannot expose another agent's data to you.
Every database query is scoped to the authenticated user's ID. RLS policies are active on all tables containing user data, providing logical isolation at the data layer for every user and team.
Tamper-Proof Audit Trail
Every action on a CloudCoord transaction — document uploads, field edits, contingency changes, sent emails — is recorded in an immutable activity log. The log is enforced at the database layer with triggers that block updates and deletes, even for our own backend systems. Forensic deletion requires a privileged administrative procedure that is itself logged separately. This is the foundation for compliance, dispute resolution, and audit defensibility.
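The sketch below shows how the two database-layer controls described above, per-user row-level security and an append-only activity log, can be expressed in Supabase's Postgres. It is an added illustration, not CloudCoord's actual schema: the table, column, policy and function names are assumptions, while auth.uid() and the authenticated role are Supabase's standard session helper and role.

```sql
-- Hypothetical schema for illustration; all object names are assumptions.
create table activity_log (
  id             bigint generated always as identity primary key,
  user_id        uuid not null default auth.uid(),  -- Supabase session-user helper
  transaction_id uuid not null,
  action         text not null,
  detail         jsonb not null default '{}'::jsonb,
  created_at     timestamptz not null default now()
);

-- Per-user isolation: enable RLS and apply it to the table owner as well.
alter table activity_log enable row level security;
alter table activity_log force row level security;

create policy activity_log_select_own on activity_log
  for select to authenticated
  using (user_id = auth.uid());

create policy activity_log_insert_own on activity_log
  for insert to authenticated
  with check (user_id = auth.uid());
-- No UPDATE or DELETE policy is defined, so RLS denies both to ordinary users.

-- Append-only enforcement. Roles that bypass RLS still fire triggers,
-- which is why the immutability rule lives here and not in a policy.
create function activity_log_reject_change() returns trigger
language plpgsql as $$
begin
  raise exception 'activity_log is append-only: % rejected', tg_op
    using errcode = 'insufficient_privilege';
end;
$$;

create trigger activity_log_no_update_delete
  before update or delete on activity_log
  for each row execute function activity_log_reject_change();

-- TRUNCATE does not fire row-level triggers; it needs a statement-level one.
create trigger activity_log_no_truncate
  before truncate on activity_log
  for each statement execute function activity_log_reject_change();
```

A role that owns the table, or a superuser, can still disable or drop these triggers, so a design like this depends on restricting DDL privileges and logging their use separately.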
Document Security Pipeline
CloudCoord implements a five-layer security pipeline for all uploaded documents:
- Input sanitization to strip hidden text and embedded scripts
- Injection pattern detection to prevent prompt manipulation
- Privileged instruction boundaries during AI processing
- Output schema validation to ensure structured, predictable results
- Rate limiting (20 requests per hour per user) with all security events logged for review
AI and Your Data
CloudCoord uses the Anthropic Claude API to process documents and generate communications. Anthropic does not use API-submitted data to train their models. Your documents are processed transiently and are not retained by Anthropic after processing.
Document Handling
Uploaded documents are stored in an isolated, private storage bucket. Documents are never publicly accessible. Access requires an authenticated session tied to the owning agent's account.
Authentication
User sessions are managed through our authentication provider with secure, short-lived tokens. Password reset links expire within 30 minutes and are single-use. We support Google OAuth for agents who prefer to sign in with their Google account.
Gmail Integration
When you connect your Gmail account, CloudCoord requests two specific permissions:
- Read access (gmail.readonly) — to identify and process transaction-related emails. CloudCoord extracts key transaction details (deadlines, parties, prices) and stores PDF attachment contents from your inbox to build your transaction memory.
- Compose and send access (gmail.compose) — to create email drafts in your Gmail account and, with your explicit review and approval of each individual message, send them on your behalf. Recipients see emails as coming directly from you.
CloudCoord never sends emails without your explicit per-message review and approval. We process and store data only from emails related to your active or closed transactions. You can disconnect Gmail at any time from Account & Data Controls. For full deletion of CloudCoord's extracted data, contact security@cloudcoordinator.io and we will process the request within 7 days.
Infrastructure
CloudCoord is hosted on professional cloud infrastructure providers that maintain SOC 2 Type II compliance. Our application hosting, database, and storage providers each undergo annual independent security audits. CloudCoord benefits from the security controls of these providers but does not independently hold SOC 2 or ISO 27001 certifications. User data is logically isolated via row-level security policies enforced at the database layer. Specific provider details are available to brokerage and team customers under NDA.
Responsible Disclosure
If you discover a security vulnerability, contact us at security@cloudcoordinator.io. We take all reports seriously and respond within 24 hours.
Brokerage Security Reviews
For brokerages with formal security requirements, we're happy to discuss your specific needs. Contact us to schedule a security review call.
Ready for a security review?
We can walk through data isolation, Gmail permissions, document handling, and AI processing controls with your team.