Security

Your data, defended.

Real-estate transactions move sensitive information through brokerages every day. AM Open House treats that data as the brokerage's property, defended by the same posture we expect of our own infrastructure providers.

Posture

How we operate, in detail.

Encryption

All data is encrypted at rest with AES-256 and in transit with TLS 1.2 or higher. Database backups inherit the same encryption posture. Encryption keys are managed in Cloudflare's KMS with rotation on a fixed schedule.

Data residency

Customer data is stored in United States regions only. Visitor records, account data, and analytics never replicate to non-US infrastructure. Brokerage clients receive a written attestation on request.

Network and application security

Cloudflare WAF on every public endpoint. Strict CSP, HSTS, and CORS posture. Request signing on the API. Rate limiting on auth and write paths. Bot management on visitor-facing kiosks.

Authentication

Passwordless magic-link sign-in for end users. Time-bound tokens, single-use. Brokerage admin accounts support hardware keys (WebAuthn) and SSO via SAML on the Brokerage tier.

Audit and access logging

Every administrative action is logged with actor, timestamp, IP, and user agent. Brokerage admins can export the full audit log at any time. Logs are retained for the duration set by the brokerage.

Sub-processors

We name our sub-processors openly. Cloudflare for compute, storage, and network. SendGrid for transactional email. Square for billing. A current list with addresses and roles is maintained on the privacy page.

Compliance

Honest status on every framework.

We do not claim certifications we have not earned. Below is the current status. Updated when it changes, not when convenient.

SOC 2 Type II: In progress. Audit underway. Target completion Q3 2026.
GDPR readiness: Operational. DPA available. Data subject requests honored within 30 days.
CCPA readiness: Operational. Consumer access and deletion endpoints live.
Bug bounty: Planned. Public program targeted for Q4 2026. Contact security@ in the interim.

Sub-processors

Named, openly.

We use a small set of vetted sub-processors. Each has a documented role, a data-processing agreement on file, and a defined retention boundary.

Cloudflare: Compute, storage, network, DNS, WAF (US regions)
SendGrid (Twilio): Transactional email delivery (US regions)
Square: Subscription billing and card tokenization (United States)
Sentry: Application error monitoring (United States)

The full list with addresses, DPAs, and contact information is available on request to [email protected].

Incident response

Security incidents are taken seriously and handled in writing. Suspected vulnerabilities should be reported to [email protected]. We acknowledge within one business day, investigate within five, and notify affected customers consistent with applicable law and contractual commitments. Brokerage clients receive a postmortem in writing for any incident touching their data.