Security

Last updated: 15 April 2026

Turnqey controls physical access to homes. We treat that seriously. This page describes the protections in place, the trade-offs we’ve chosen, and how to report a security issue.

Authentication

  • Email + password auth provided by Supabase, with bcrypt password hashing.
  • Session cookies are HTTP-only and secure; refreshed on every request via a server-side proxy middleware.
  • Password reset flows are rate-limited and use time-boxed one-time codes.

Data isolation

  • Row-level security on every tenant table — users can only read/write rows they own or are invited to.
  • Admin endpoints are gated on a server-checked admin role and a separate service-role key that never ships to the browser.

Smart lock operations

  • We don’t store lock manufacturer credentials. All lock operations go through Seam, which holds the sensitive creds in its workspace.
  • Every lock/unlock is signed, attributed to a user, and written to an immutable activity log.
  • Webhooks from Seam are signature-verified before they’re accepted.

Payments

  • All payment details are handled by Stripe. We never see or store card numbers.
  • Stripe webhooks are verified with a signing secret before updating subscription state.

Infrastructure

  • Hosted on Vercel (app) and Supabase (database). Both providers meet SOC 2 Type II.
  • Traffic is encrypted end-to-end. No personal data is logged in application logs.
  • We minimise blast radius by using scoped API keys and environment isolation between staging and production.

Responsible disclosure

Found a vulnerability? Email security@turnqey.com.au. We’ll acknowledge within 72 hours and keep you informed until it’s resolved. Please don’t publicly disclose while we’re fixing.