Security

Effective date: May 16, 2026

1. Security at Domios

Honest security from a small team building in public.

Domios is a small team. We don't have a marketing wall of compliance badges, and we're not going to pretend we do. What we have is a careful set of choices about how we handle your data — and a willingness to tell you exactly what those choices are, in plain language, so you can verify them instead of just trusting us.

This page is the technical companion to our Privacy Policy and Terms of Service. If anything here doesn't match what you actually experience, email us at security@domios.ai and we'll fix it.

2. Authentication & Account Security

  • Password hashing — passwords are stored using Argon2, a modern memory-hard hashing algorithm. We retain bcrypt verification only for legacy accounts that are still being migrated. Passwords are never stored in plaintext and cannot be recovered, only reset.
  • Token-based authentication — API access uses JSON Web Tokens (JWT) signed with HMAC-SHA256. Every token carries issuer and audience claims that are validated on every request.
  • Refresh token rotation — refresh tokens are stored only as SHA-256 hashes in the database. Each time a refresh token is used, the old token is immediately revoked and a new one is issued. A stolen refresh token therefore works at most once, and not at all if the legitimate client has already rotated it.
  • One-time codes for tenant, owner, and vendor login — 6-digit numeric codes with a 5-minute expiration, a 60-second cooldown between requests, and a 5-attempt limit before lockout.
  • Failed login lockout — after 5 failed password attempts, the account is locked for 15 minutes.
  • Account deletion cooling-off — when you request account deletion, your account is deactivated immediately and your personal information is removed after a 14-day cooling-off period, during which you can cancel the request.

3. Data in Transit

All traffic between your browser or mobile app and our servers is encrypted in transit using HTTPS (TLS 1.2 or higher). API endpoints reject non-HTTPS connections at the reverse proxy layer.

We are working on enforcing HSTS (HTTP Strict Transport Security) headers at the reverse proxy. See the Compliance Roadmap (section 11).

4. Data at Rest

  • Passwords are hashed with Argon2. The original passwords cannot be recovered from the hashes — not by us, not by an attacker who steals the database.
  • Refresh tokens are stored as one-way SHA-256 hashes. The original tokens cannot be reconstructed from the database.
  • Other personal information (name, email, phone, addresses, work order content, financial records) is protected by infrastructure-level encryption provided by our cloud database and file storage providers, but is not encrypted at the application field level today.
  • File uploads (photos, videos, PDFs) are stored in an access-controlled object storage bucket. Each file requires a signed URL to download.
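An added example (not Domios' code) of how a signed download URL works and what the server must check before serving the file. The signing key, storage origin, 5-minute lifetime and object key are constructed for the example; cloud providers offer their own presigned-URL schemes, and this hand-rolled HMAC version shows the same properties in a form you can run.

```python
from __future__ import annotations

import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed key and origin; a real deployment would load the key from a secrets
# manager (or use the storage provider's presigning) and use its own bucket host.
SIGNING_KEY = b"constructed-example-key-do-not-use"
STORAGE_ORIGIN = "https://files.example.invalid"
DEFAULT_TTL = 300   # seconds; assumed for the example, the page gives no figure


def _mac(object_key: str, expires: int) -> str:
    # The MAC covers the exact object path and the expiry, so neither can be
    # changed without invalidating the signature.
    msg = f"{object_key}\n{expires}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def sign_url(object_key: str, ttl: int = DEFAULT_TTL, now: int | None = None) -> str:
    """Return a time-limited URL for one object.  The URL is a bearer credential:
    anyone holding it can fetch the object until `exp`."""
    now = int(time.time()) if now is None else now
    expires = now + ttl
    query = urlencode({"exp": expires, "sig": _mac(object_key, expires)})
    return f"{STORAGE_ORIGIN}/{object_key}?{query}"


def verify_url(url: str, now: int | None = None) -> bool:
    """Server-side check performed before streaming the object."""
    now = int(time.time()) if now is None else now
    parts = urlsplit(url)
    params = parse_qs(parts.query, keep_blank_values=True)
    try:
        expires = int(params["exp"][0])
        presented = params["sig"][0]
    except (KeyError, ValueError, IndexError):
        return False
    if now > expires:
        return False                                  # expired, regardless of signature
    if not presented.isascii():
        return False                                  # compare_digest needs ASCII str
    object_key = parts.path.lstrip("/")
    expected = _mac(object_key, expires)
    # Constant-time comparison; a length mismatch is simply a mismatch.
    return hmac.compare_digest(expected, presented)


def demo() -> dict:
    """Valid use, then four ways a URL can be misused, on a constructed object key."""
    t0 = 1_700_000_000
    key = "org-acme/work-orders/4711/photo-1.jpg"
    url = sign_url(key, now=t0)
    exp = t0 + DEFAULT_TTL
    return {
        "valid": verify_url(url, now=t0 + 100),
        "expired": verify_url(url, now=exp + 1),
        "path_swapped": verify_url(url.replace("photo-1.jpg", "lease.pdf"), now=t0 + 100),
        "exp_extended": verify_url(url.replace(f"exp={exp}", f"exp={t0 + 86400}"), now=t0 + 100),
        "sig_forged": verify_url(url.replace("sig=", "sig=0"), now=t0 + 100),
    }
```

Because the URL itself is the credential, the lifetime should be as short as the client flow allows, and the signature must cover the full object path so a URL for one tenant's photo cannot be re-pointed at another tenant's lease.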

We do not implement application-layer field encryption today. We rely on infrastructure-level encryption from our cloud providers, strict access controls, and audit logging. As we grow, we will revisit field-level encryption for the most sensitive data classes.

5. Infrastructure & Subprocessors

Domios uses a small number of trusted third-party providers to operate the platform. We disclose them by category here. The full list of vendor names is available to enterprise customers under NDA as part of due diligence.

  • Cloud infrastructure & database — for hosting, managed database, file storage, and caching.
  • AI providers — for our AI features (Max, Diana, Henry). API terms with these providers prohibit them from using your data to train their models.
  • Email & SMS delivery — for account verification codes, work order notifications, and password resets.
  • Push notification delivery — for our mobile apps.
  • Maps & geolocation — for property address lookup and map display.
  • Error monitoring (optional, mobile only) — for crash reports and error tracking on our mobile apps.

When we add a new subprocessor that will process personal information, we update our Privacy Policy and notify existing customers at least 30 days in advance.

6. Access Controls

  • Role-based access — users are scoped to their property management organization. Cross-organization access is blocked at the database query layer: every query filters by the caller's organization.
  • Least privilege — within an organization, users have one of four roles (admin, manager, ops, viewer) with different permissions for sensitive operations.
  • Operational access — Domios staff access to production data is limited, logged, and used only for support, debugging, or legal compliance.
  • Multi-factor authentication — required for all Domios staff accounts on our identity provider, code repository, and cloud consoles.
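An added example (not Domios' code) of organization-scoped queries, using an in-memory SQLite database with two constructed organizations. The repository takes the organization from the authenticated session rather than from the request and puts `org_id = ?` in every statement; `unscoped_get` shows the id-only lookup that this scoping prevents.

```python
import sqlite3

SCHEMA = """
CREATE TABLE organizations (id TEXT PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE work_orders (
    id INTEGER PRIMARY KEY,
    org_id TEXT NOT NULL REFERENCES organizations(id),
    unit TEXT NOT NULL,
    description TEXT NOT NULL
);
CREATE INDEX work_orders_org ON work_orders(org_id);
"""

# Constructed sample data: two property-management organizations sharing one database.
SEED_ORGS = [
    ("org-acme", "Acme Property Management"),
    ("org-bay", "Bay Realty"),
]
SEED_WORK_ORDERS = [
    (101, "org-acme", "12B", "Leaking faucet"),
    (102, "org-acme", "3A", "No heat"),
    (201, "org-bay", "7C", "Broken lock"),
]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO organizations VALUES (?, ?)", SEED_ORGS)
    conn.executemany("INSERT INTO work_orders VALUES (?, ?, ?, ?)", SEED_WORK_ORDERS)
    return conn


class WorkOrderRepo:
    """Every method takes the caller's org_id from the authenticated session, never from
    request parameters, and every statement carries `org_id = ?`.  A row id alone is
    never enough to read or change a record."""

    def __init__(self, conn: sqlite3.Connection, org_id: str):
        self._conn = conn
        self._org = org_id

    def get(self, work_order_id: int):
        return self._conn.execute(
            "SELECT id, unit, description FROM work_orders WHERE id = ? AND org_id = ?",
            (work_order_id, self._org),
        ).fetchone()

    def list_ids(self) -> list:
        rows = self._conn.execute(
            "SELECT id FROM work_orders WHERE org_id = ? ORDER BY id", (self._org,)
        ).fetchall()
        return [r[0] for r in rows]

    def update_description(self, work_order_id: int, text: str) -> int:
        cur = self._conn.execute(
            "UPDATE work_orders SET description = ? WHERE id = ? AND org_id = ?",
            (text, work_order_id, self._org),
        )
        return cur.rowcount   # 0 means the row is not ours (or does not exist)


def unscoped_get(conn: sqlite3.Connection, work_order_id: int):
    """The anti-pattern: looks a record up by id alone.  Any authenticated user who
    can guess an id reads another organization's data (an insecure direct object
    reference)."""
    return conn.execute(
        "SELECT id, unit, description FROM work_orders WHERE id = ?", (work_order_id,)
    ).fetchone()


def demo() -> dict:
    conn = make_db()
    bay = WorkOrderRepo(conn, "org-bay")        # org comes from the session, not the URL
    return {
        "own_record": bay.get(201),
        "other_org_record": bay.get(101),        # Acme's record: None, same as a missing id
        "other_org_update_rows": bay.update_description(101, "tampered"),
        "visible_ids": bay.list_ids(),
        "unscoped_leak": unscoped_get(conn, 101),
    }
```

Returning the same `None` for "not yours" and "does not exist" is deliberate: a distinct error would let one organization enumerate another's record ids. The unscoped function is what an audit should look for whenever a query touches a tenant-owned table.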

7. Audit Logging

We log sensitive events so that suspicious activity can be reviewed after the fact:

  • Identity changes — email changes, phone changes, password resets, and account deletion requests are recorded with the actor, IP address, and user-agent, retained for 1 year.
  • Administrative actions — significant operational actions taken by property management staff (creating leases, dispatching work orders, etc.) are recorded with the actor and timestamp.
  • Authentication events — failed logins, rate-limit events, and OTP attempts are logged.

Audit logging is not yet comprehensive across all administrative actions. Expanding coverage is on our roadmap.

8. AI & Data Privacy

Our AI features (Max for tenants, Diana for vendors, Henry for owners) are powered by third-party AI providers, accessed through their APIs. We chose these providers specifically because their API terms prohibit them from using customer data to train their models.

We do not retain conversation data for AI training, and we do not export any data to any party for AI training purposes. AI suggestions about work order priority, urgency, or trade type are starting points for your property manager to review and adjust — they are not automated decisions about you.

For more detail, see the AI section of our Privacy Policy.

9. Vulnerability Disclosure

If you believe you have found a security vulnerability in Domios, please email us at security@domios.ai.

We commit to acknowledging your report within 5 business days and providing a substantive response within 15 business days. We will not pursue legal action against good-faith security researchers who report vulnerabilities responsibly and give us a reasonable opportunity to address them before any public disclosure.

We do not currently run a bug bounty program. We do offer public acknowledgment to researchers who report meaningful vulnerabilities.

10. Incident Response

In the event we confirm a security incident that affects the personal information of our users, we commit to:

  • Contain the incident as quickly as possible and revoke any compromised credentials.
  • Notify affected users within 72 hours of confirming the breach, providing the nature of the incident, what data was involved, and steps you can take.
  • Notify the Massachusetts Attorney General and any other relevant state regulators within the timeframes required by applicable law.
  • Document the incident, our response, and lessons learned.

We maintain an internal Written Information Security Program (WISP) as required by Massachusetts 201 CMR 17.00. Enterprise customers can request a copy under NDA.

11. Compliance Roadmap

We're a small team and we don't have third-party audited certifications today. Here is what we're working on, with honest timelines:

  • HSTS header enforcement — planned at the reverse proxy layer before our first public production launch.
  • Database connection TLS enforcement — adding ssl_mode=REQUIRED to our database connection string, planned before our first public production launch.
  • Production debug mode guard — adding a startup check that prevents the backend from starting in production with debug mode enabled. Planned before our first public production launch.
  • Shortened access token lifetime — reducing access token expiration from the current value to a maximum of 1 day, relying on refresh token rotation for continued sessions.
  • Distributed rate limiting — migrating in-process rate limit counters to Redis before any multi-server deployment.
  • Expanded audit log coverage — extending audit logging to cover every administrative action with material impact.
  • Anomalous login detection — adding device, geolocation, and time-of-day anomaly detection. Future work, no committed date.
  • SOC 2 Type I — we plan to begin SOC 2 readiness in 2027 once we cross the customer threshold where enterprise buyers require it.
  • Application-layer field encryption — we'll revisit this for the most sensitive data classes as we grow.

12. What We Don’t Do Yet

To save you time during due diligence, here is what we honestly do not have today:

  • SOC 2 Type I or Type II certification
  • ISO 27001 certification
  • HIPAA Business Associate Agreement (not applicable to our use case)
  • FedRAMP authorization
  • Real-time anomaly or fraud detection
  • Application-layer field-level encryption for personal information
  • A 24/7 staffed security operations center

If any of these are a hard requirement for your organization, we'd rather you know up front than discover it later.

13. Contact

For security concerns or vulnerability reports:

Email: security@domios.ai

For general privacy questions:

Email: privacy@domios.ai