Security at Afora
Effective date: July 10, 2026 · Last updated: July 10, 2026 · Version 1.0
Afora handles two of the most sensitive things a brokerage has — its email and its money movement records. This page describes, plainly, how we protect them. Questions or concerns: security@aforademo.com.
Encryption
- All traffic is encrypted in transit with TLS 1.2+; HTTPS is enforced everywhere.
- Data is encrypted at rest with AES-256 in our database and storage layers.
- OAuth tokens and integration credentials are additionally encrypted at the application layer (AES-256-GCM) before storage, so raw tokens never sit in the database.
Access control
- Customer data access inside Afora is role-based and scoped to your workspace (tenant). One brokerage's data is never visible to another's.
- All administrative and infrastructure access requires multi-factor authentication.
- Afora personnel do not read customer email or financial data except with your permission, for security investigation, or as required by law — and such access is logged.
- Bank connections use your institution's own login (via Plaid); Afora never sees or stores bank credentials.
Infrastructure and subprocessors
Afora runs on established cloud infrastructure: Vercel (application hosting), Supabase (database, US region), Clerk (authentication), Anthropic (AI processing), and Plaid (bank connectivity). Each vendor is listed with its purpose on our Subprocessor list, each maintains its own independent security program and publishes its own audit reports and certifications on its trust portal (for example security.plaid.com and trust.anthropic.com), and each is bound by contract to use customer data only to provide its service to Afora.
AI data handling
- Your data is never used to train AI models — ours or our providers'. Our agreement with Anthropic prohibits training on customer content.
- Under Anthropic's standard commercial terms, AI inputs and outputs are deleted from Anthropic's systems within 30 days (safety-flagged content may be retained longer under Anthropic's terms).
- AI processing for your workspace uses only your workspace's data.
- Every AI-generated draft or expense entry requires human approval before it is sent or posted.
Wire-fraud and payment-instruction safety
Email-based wire fraud is the dominant financial threat in real estate, so we treat it as a first-class design constraint:
- No payment or banking detail sourced from email content is ever applied automatically. Any change to payee or account information requires explicit human confirmation outside the email thread that requested it.
- Inbound content that attempts to manipulate automated processing (prompt injection, spoofed instructions) is flagged and routed to human review — this control is built and tested, not aspirational.
- High-risk events (bank-detail changes, new payees, connection changes) are audit-logged.
Compliance posture
We are a small team and we describe our posture honestly:
- A SOC 2 Type II audit is on our roadmap [set quarter before publish]; our internal controls (written security policies, access control, incident response, vendor management, retention) are documented and available to customers under NDA on request.
- We complete customer security questionnaires (CAIQ/SIG-Lite style) for prospective customers.
- Our practices are designed to align with the FTC Safeguards Rule's core controls (designated security lead, encryption, MFA, access controls, incident response, vendor oversight) and with the security requirements of our banking (Plaid) and email (Google/Microsoft) platform reviews.
Data durability and retention
- Databases are backed up automatically each day with point-in-time recovery. Backups age out on the provider's fixed schedule. We are formalizing a recurring restore-test cadence and will publish the specifics here once the first logged test completes.
- Brokerage transaction records are retained and exportable for at least 4 years after the underlying transaction — including after you leave Afora — because your books-and-records obligations don't end when a subscription does.
Incident response
We maintain a written incident-response plan. If an incident affects your data, we will notify you without undue delay — within 48 hours of confirmation for personal-data breaches (per our DPA) — with what we know, what we've done, and a contact who can answer questions.
Reporting a vulnerability
We welcome good-faith security research. Report issues to security@aforademo.com (or see
/.well-known/security.txt). Include steps to reproduce; we will acknowledge within 3 business
days, keep you informed, and not pursue legal action for good-faith research that respects user
privacy and avoids service disruption. Please do not access data that isn't yours or degrade the
service. No bug bounty is offered at this time; we credit reporters who want it.