Afora.

Security at Afora

Effective date: July 10, 2026 · Last updated: July 10, 2026 · Version 1.0

Afora handles two of the most sensitive things a brokerage has — its email and its money movement records. This page describes, plainly, how we protect them. Questions or concerns: security@aforademo.com.

Encryption

Access control

Infrastructure and subprocessors

Afora runs on established cloud infrastructure: Vercel (application hosting), Supabase (database, US region), Clerk (authentication), Anthropic (AI processing), and Plaid (bank connectivity). Each vendor is listed with its purpose on our Subprocessor list, each maintains its own independent security program and publishes its own audit reports and certifications on its trust portal (for example security.plaid.com and trust.anthropic.com), and each is bound by contract to use customer data only to provide its service to Afora.

AI data handling

Wire-fraud and payment-instruction safety

Email-based wire fraud is the dominant financial threat in real estate, so we treat it as a first-class design constraint:

Compliance posture

We are a small team and we describe our posture honestly:

Data durability and retention

Incident response

We maintain a written incident-response plan. If an incident affects your data, we will notify you without undue delay — within 48 hours of confirmation for personal-data breaches (per our DPA) — with what we know, what we've done, and a contact who can answer questions.

Reporting a vulnerability

We welcome good-faith security research. Report issues to security@aforademo.com (or see /.well-known/security.txt). Include steps to reproduce; we will acknowledge within 3 business days, keep you informed, and not pursue legal action for good-faith research that respects user privacy and avoids service disruption. Please do not access data that isn't yours or degrade the service. No bug bounty is offered at this time; we credit reporters who want it.