All PropOps data is hosted on UK-based servers. No personal data is transferred outside the United Kingdom.
Protection at a glance
Encryption in transit
All connections to PropOps use HTTPS. HTTP traffic is automatically redirected to HTTPS, and HSTS headers instruct browsers to enforce secure connections at all times.
PII encryption at rest
Personal data is encrypted inside the database using XSalsa20-Poly1305 — a modern authenticated cipher. Even if the raw database were accessed, personal details would be unreadable without the encryption key.
Password security
Passwords are stored using bcrypt hashing and are never held in plain text. PropOps also runs scheduled checks against the HaveIBeenPwned breach database to detect compromised credentials.
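The breach check described here uses the k-anonymity range query that the Password security section below explains: only the first five hex characters of the password's SHA-1 are sent, and the comparison against the returned suffixes happens locally. The following is an added example, not PropOps code; the range API is replaced by a constructed in-memory table (the suffix for the string "password" is its real SHA-1 tail, the count and the second line are made up), and the `handle_breach_hit` response mirrors what the page says happens on a match. A check like this needs the plaintext, so in practice it runs when the plaintext is available, typically at login or password change.

```python
import hashlib
from typing import Callable, Dict, Tuple

# Constructed stand-in for the Pwned Passwords range API: maps a 5-character
# SHA-1 prefix to the body the API would return ("SUFFIX:COUNT" per line).
# The first suffix is the real SHA-1 tail of "password"; the count and the
# second line are invented for this example.
FAKE_RANGE_RESPONSES: Dict[str, str] = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3000\r\n"
        "00000000000000000000000000000000000:7\r\n"
    ),
}


def fake_fetch_range(prefix: str) -> str:
    """Offline substitute for GET https://api.pwnedpasswords.com/range/<prefix>."""
    return FAKE_RANGE_RESPONSES.get(prefix.upper(), "")


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the upper-case hex SHA-1 of the password into the 5-char prefix
    that is sent to the API and the 35-char suffix that never leaves the server."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_body(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a {suffix: count} table."""
    table: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        table[suffix.upper()] = int(count)
    return table


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Return how many times the password appears in the corpus (0 = not found).
    Only the prefix is passed to fetch_range; the suffix match happens locally."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_body(fetch_range(prefix)).get(suffix, 0)


def handle_breach_hit(user_id: str, password: str,
                      fetch_range: Callable[[str], str]) -> Dict[str, object]:
    """Apply the page's policy on a hit: invalidate sessions and send a reset
    email. Returns the actions taken so a caller can verify or log them."""
    count = breach_count(password, fetch_range)
    if count == 0:
        return {"user_id": user_id, "breached": False, "actions": []}
    return {
        "user_id": user_id,
        "breached": True,
        "count": count,
        "actions": ["invalidate_sessions", "send_password_reset_email"],
    }


if __name__ == "__main__":
    print(breach_count("password", fake_fetch_range))  # 3000 (constructed count)
    print(handle_breach_hit("user-42", "password", fake_fetch_range))
```

Swapping `fake_fetch_range` for a real HTTPS call to the range endpoint is the only change needed to run this against the live corpus; the privacy property holds because `breach_count` passes nothing but the five-character prefix to whatever fetcher it is given.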
Session management
Sessions expire automatically and can be revoked remotely. Web sessions last 2 hours with a 30-minute idle timeout. Remember Me sessions last 30 days.
Rate limiting
All API endpoints enforce rate limits. Requests that exceed the limit receive an HTTP 429 response and must wait before retrying. This protects against brute-force and automated abuse.
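One common way to implement a limit that answers with HTTP 429 and a wait hint is a per-client token bucket. The block below is an added illustration, not PropOps code: the capacity, refill rate, the `X-RateLimit-Remaining` header and the keying scheme (per user when authenticated, per source IP otherwise, separately per endpoint) are this example's assumptions. The `Retry-After` header is the standard way to tell a client how long to wait.

```python
import math
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class _Bucket:
    tokens: float
    updated_at: float


class TokenBucketLimiter:
    """Per-client token bucket: up to `capacity` requests can burst, then the
    bucket refills at `refill_per_sec`. Each decision is returned as an HTTP
    status plus the headers the response should carry."""

    def __init__(self, capacity: int, refill_per_sec: float) -> None:
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self._buckets: Dict[str, _Bucket] = {}

    def check(self, key: str, now: float) -> Tuple[int, Dict[str, str]]:
        b = self._buckets.get(key)
        if b is None:
            b = _Bucket(tokens=float(self.capacity), updated_at=now)
            self._buckets[key] = b
        # Refill for the time elapsed since the last decision, capped at capacity.
        elapsed = max(0.0, now - b.updated_at)
        b.tokens = min(float(self.capacity), b.tokens + elapsed * self.refill_per_sec)
        b.updated_at = now
        if b.tokens >= 1.0:
            b.tokens -= 1.0
            return 200, {"X-RateLimit-Remaining": str(int(b.tokens))}
        # Out of budget: tell the client how many whole seconds to wait.
        retry_after = math.ceil((1.0 - b.tokens) / self.refill_per_sec)
        return 429, {"Retry-After": str(retry_after), "X-RateLimit-Remaining": "0"}


def client_key(endpoint: str, user_id: Optional[str], ip: str) -> str:
    """Bucket authenticated traffic per user and anonymous traffic per source
    IP, separately for each endpoint, so one route cannot borrow another's budget."""
    principal = f"user:{user_id}" if user_id else f"ip:{ip}"
    return f"{endpoint}|{principal}"


def simulate_login_burst(attempts: int) -> List[int]:
    """Constructed scenario: one address (203.0.113.7, a documentation IP) fires
    `attempts` login requests at t=0 against a limiter that allows a burst of 5
    and refills one request per second. Returns the status of each attempt."""
    limiter = TokenBucketLimiter(capacity=5, refill_per_sec=1.0)
    key = client_key("POST /login", None, "203.0.113.7")
    return [limiter.check(key, now=0.0)[0] for _ in range(attempts)]


if __name__ == "__main__":
    print(simulate_login_burst(7))  # [200, 200, 200, 200, 200, 429, 429]
```

The bucket state lives in process memory here; a multi-instance deployment would keep it in a shared store so that a client cannot reset its budget by landing on a different server.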
File integrity monitoring
An automated check runs every hour to verify that application files have not been tampered with. Any unexpected change raises an alert for your security team.
Security headers
Every response includes headers that protect against common web attacks:
X-Content-Type-Options, X-Frame-Options: DENY, Strict-Transport-Security, and a Content Security Policy.
Audit logging
All data access and modification events are logged with a timestamp and the identity of the acting user. Logs are available to administrators for review and incident investigation.
Data encrypted at rest
PropOps encrypts personal data at the field level using XSalsa20-Poly1305 (authenticated encryption). Encrypted values are stored with a version prefix so the system can transparently decrypt them on read. The following data is encrypted inside the database:
| Category | Data encrypted |
|---|---|
| Account details | First name, last name, email address |
| Addresses | Address lines, city, county, postcode, country |
| Job contacts | Private contact name, phone number, email, and property access details |
| Case notes | The full content of every case note message |
| Tenant details | Tenant name, primary number, work number, email |
| Contractor details | Company name, VAT number |
Password security
Your password is stored using bcrypt — an adaptive hashing algorithm that is computationally expensive to reverse. Plain-text passwords are never stored. PropOps also runs regular checks against the HaveIBeenPwned breach database using a privacy-preserving technique (k-anonymity): only the first five characters of a hashed password are sent for comparison, so your actual password is never transmitted. If a match is found, your account sessions are immediately invalidated and you receive a password-reset email.
Session lifetimes
| Session type | Duration |
|---|---|
| Web browser (active) | 2 hours |
| Web browser (idle) | 30 minutes |
| Remember Me | 30 days |
| Mobile / desktop app | Long-lived (managed separately) |
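A session that carries both an absolute lifetime and an idle timeout has to be evaluated against two clocks, and activity must extend the idle window without ever reviving a session the absolute cap has already ended. The block below is an added example, not PropOps code, using the web and Remember Me durations from the table above; app sessions are described as managed separately and are left out, and the state names and the `touch`/`revoke` functions are this example's own.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

# Lifetimes taken from the table above. Mobile/desktop app sessions are
# managed separately according to the page, so they are not modelled here.
SESSION_POLICY: Dict[str, Dict[str, Optional[timedelta]]] = {
    "web": {"absolute": timedelta(hours=2), "idle": timedelta(minutes=30)},
    "remember_me": {"absolute": timedelta(days=30), "idle": None},
}


@dataclass
class Session:
    kind: str
    created_at: datetime
    last_seen_at: datetime
    revoked: bool = False


def session_state(s: Session, now: datetime) -> str:
    """Classify a session at `now`. Revocation wins over everything, and the
    absolute cap is checked before the idle timeout."""
    if s.revoked:
        return "revoked"
    rules = SESSION_POLICY[s.kind]
    absolute = rules["absolute"]
    if absolute is not None and now - s.created_at >= absolute:
        return "expired_absolute"
    idle = rules["idle"]
    if idle is not None and now - s.last_seen_at >= idle:
        return "expired_idle"
    return "active"


def touch(s: Session, now: datetime) -> str:
    """Run on each request: extend the idle window only while the session is
    still valid, so activity can never bring an expired session back."""
    state = session_state(s, now)
    if state == "active":
        s.last_seen_at = now
    return state


def revoke(s: Session) -> None:
    """Remote revocation, e.g. from an administrator or a 'log out everywhere' action."""
    s.revoked = True


def walkthrough() -> Dict[str, str]:
    """Constructed timeline: a web session started at 09:00 UTC and kept busy
    with requests under 30 minutes apart still dies at the 2-hour cap."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    out: Dict[str, str] = {}
    s = Session("web", created_at=t0, last_seen_at=t0)
    out["09:20"] = touch(s, t0 + timedelta(minutes=20))            # 20 min idle: active
    out["09:45"] = touch(s, t0 + timedelta(minutes=45))            # 25 min idle: active
    out["10:10"] = touch(s, t0 + timedelta(hours=1, minutes=10))   # 25 min idle: active
    out["10:35"] = touch(s, t0 + timedelta(hours=1, minutes=35))   # 25 min idle: active
    out["10:59"] = touch(s, t0 + timedelta(hours=1, minutes=59))   # 24 min idle: active
    out["11:00"] = touch(s, t0 + timedelta(hours=2))               # 2 h since creation: expired_absolute
    idle = Session("web", created_at=t0, last_seen_at=t0)
    out["idle_09:31"] = touch(idle, t0 + timedelta(minutes=31))    # 31 min idle: expired_idle
    rm = Session("remember_me", created_at=t0, last_seen_at=t0)
    out["rm_day29"] = touch(rm, t0 + timedelta(days=29))           # no idle timeout: active
    out["rm_day30"] = touch(rm, t0 + timedelta(days=30))           # 30-day cap: expired_absolute
    return out


if __name__ == "__main__":
    for when, state in walkthrough().items():
        print(when, state)
```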
Security headers
PropOps sends the following HTTP security headers on every response:
| Header | Effect |
|---|---|
| X-Content-Type-Options: nosniff | Prevents browsers from interpreting files as a different MIME type |
| X-Frame-Options: DENY | Blocks your pages from being embedded in iframes (clickjacking protection) |
| Strict-Transport-Security | Instructs browsers to only connect over HTTPS |
| Content-Security-Policy | Restricts the sources from which scripts, styles, and other resources can load |
| Referrer-Policy: strict-origin-when-cross-origin | Limits referrer information sent to third-party sites |
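A header policy like the one in the table is only as good as the check that confirms every response still carries it. The block below is an added example, not PropOps code: a small audit function that takes a response's headers and returns the ways they fall short of the table above. Two thresholds are this example's own choices rather than anything the page states: an HSTS `max-age` of at least one year, and a finding when the script source list of the CSP contains `'unsafe-inline'`. Both sample header sets are constructed.

```python
import re
from typing import Dict, List, Optional

# This example's own threshold; the page does not specify a max-age value.
MIN_HSTS_MAX_AGE = 31536000  # one year, in seconds


def _lower_keys(headers: Dict[str, str]) -> Dict[str, str]:
    """HTTP header names are case-insensitive; normalise before lookup."""
    return {k.lower(): v for k, v in headers.items()}


def hsts_max_age(value: str) -> Optional[int]:
    """Extract the max-age directive from a Strict-Transport-Security value."""
    m = re.search(r"max-age\s*=\s*(\d+)", value, re.IGNORECASE)
    return int(m.group(1)) if m else None


def csp_directives(value: str) -> Dict[str, List[str]]:
    """Parse 'name src src; name src' into {name: [sources]}."""
    out: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0].lower()] = tokens[1:]
    return out


def check_security_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings for a response; an empty list means it matches the policy."""
    h = _lower_keys(headers)
    findings: List[str] = []

    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options missing or not 'nosniff'")

    if h.get("x-frame-options", "").strip().upper() != "DENY":
        findings.append("X-Frame-Options missing or not 'DENY'")

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security missing")
    else:
        age = hsts_max_age(hsts)
        if age is None or age < MIN_HSTS_MAX_AGE:
            findings.append("Strict-Transport-Security max-age missing or below one year")

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("Content-Security-Policy missing")
    else:
        d = csp_directives(csp)
        # script-src governs scripts; default-src is the fallback when it is absent.
        scripts = d.get("script-src", d.get("default-src"))
        if scripts is None:
            findings.append("Content-Security-Policy has neither script-src nor default-src")
        elif "'unsafe-inline'" in scripts:
            findings.append("Content-Security-Policy allows inline scripts ('unsafe-inline')")

    if h.get("referrer-policy", "").strip().lower() != "strict-origin-when-cross-origin":
        findings.append("Referrer-Policy missing or not 'strict-origin-when-cross-origin'")
    return findings


# Constructed sample responses: one that matches the policy and one that does not.
GOOD_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}
WEAK_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=0",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "Referrer-Policy": "no-referrer-when-downgrade",
}


if __name__ == "__main__":
    print(check_security_headers(GOOD_HEADERS))  # []
    for f in check_security_headers(WEAK_HEADERS):
        print("-", f)
```

Run against the headers of a live response (for instance from `requests` or `urllib`), this turns the table into a regression check that can sit in CI or a scheduled job, so a deployment that drops one header is noticed rather than silently weakening the policy.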
Audit logging
Every read and write operation on personal data is recorded in the activity log, along with:
- The identity of the user who performed the action
- The timestamp
- The type of action (view, create, update, delete)