Trust & Safety

Security

Last updated: March 25, 2025

Your family's property data is sensitive. We've built Dwelly on infrastructure specifically chosen for its security track record, and we follow industry best practices at every layer.

🔐

Encryption in transit

All data between your device and Dwelly is encrypted using TLS 1.2 or higher. We enforce HTTPS across the entire app.

🗄️

Encryption at rest

Your data is stored in Supabase, which encrypts all data at rest using AES-256, the same standard used by financial institutions.

🔑

Password security

Passwords are hashed using bcrypt before storage. We never store plain-text passwords and cannot retrieve yours — only reset it.

💳

PCI-compliant payments

Payments are processed entirely by Stripe, a PCI-DSS Level 1 certified provider. Dwelly never stores your full card details.

🛡️

Access controls

Each property's data is accessible only to verified co-owners of that property. Users cannot access data from properties they haven't been invited to.

☁️

Secure infrastructure

Dwelly runs on Vercel and Supabase, both of which maintain SOC 2 compliance and operate on AWS with enterprise-grade physical security.

Our Infrastructure Partners

We deliberately chose hosting and database providers with strong security track records rather than building infrastructure from scratch. Here's what each provider brings to your security:

Supabase handles our database, authentication, and file storage. It runs on AWS (us-west-2) and provides row-level security, which means database access rules are enforced at the database level — not just in our application code. Supabase maintains SOC 2 Type II compliance.

Vercel hosts the Dwelly application. Vercel provides DDoS protection, automatic HTTPS, and edge network infrastructure that keeps the app fast and resilient. Vercel is SOC 2 Type II compliant.

Stripe handles all payment processing. Stripe is a PCI-DSS Level 1 Service Provider — the highest level of payment security certification. Your card details go directly to Stripe and never touch Dwelly's servers.

Authentication

Dwelly uses Supabase Auth for account management, which supports:

Email and password sign-in with bcrypt password hashing
Google OAuth sign-in
Secure session tokens with automatic expiration
Email verification for new accounts
Secure password reset via email link

Data Isolation

Each Dwelly property is a contained data environment. Co-owners can only view and edit data within properties they have been explicitly invited to. We use Supabase's row-level security (RLS) policies to enforce this at the database level, providing an additional security layer beyond application-level access controls.

What We Don't Do

We do not sell your data to third parties
We do not store plain-text passwords
We do not store full credit card numbers or CVV codes
We do not use your data for advertising
We do not share your property data with anyone outside your co-owner group

Reporting a Security Issue

If you discover a potential security vulnerability in Dwelly, please report it to us responsibly before disclosing it publicly. We take all security reports seriously and will respond promptly.

Please email security concerns to hello@dwelly.com with "Security" in the subject line. Include as much detail as possible about the issue and how to reproduce it. We will acknowledge your report within 48 hours and keep you updated as we investigate.

We ask that you give us reasonable time to address the issue before any public disclosure, and that you do not access, modify, or delete any data that does not belong to you during your research.

Keeping Your Account Secure

Security is a shared responsibility. Here's what you can do to protect your Dwelly account:

Use a strong, unique password for your Dwelly account
Do not share your login credentials with anyone, including co-owners (they should have their own accounts)
Sign out of Dwelly when using shared or public devices
Contact us immediately at hello@dwelly.com if you suspect unauthorized access to your account

Security questions or concerns?

For security-related inquiries, vulnerability reports, or questions about how we protect your data:

hello@dwelly.com — include "Security" in the subject line

We aim to respond to all security reports within 48 hours.