Security at Proppi

Your property documents often contain personal information about you, your tenants, and other parties. This page explains, in plain language, how we keep that data safe. The legal version of these commitments lives in our privacy policy and terms of service.

Encryption

  • In transit. All traffic between your browser, our services, and our sub-processors is protected by TLS (HTTPS).
  • At rest. Documents, database records, and backups are encrypted at rest by our infrastructure provider.
  • Sensitive credentials. Multi-factor authentication secrets and recovery tokens are encrypted with rotating keys.
  • Passwords. Passwords are stored as salted one-way hashes — we never store, see, or transmit them in plain text.

Access control

  • Authentication required. Every document and every conversation lives behind an account login. Public links and unauthenticated access to user data are not features of the product.
  • Role-based sharing. When you invite team members to a property or portfolio, you choose whether they are an owner, editor, or viewer. Each role grants only the permissions it needs.
  • Multi-factor authentication. MFA is available on every account. We strongly recommend enabling it.
  • Internal access. Our staff do not access your documents in the course of normal operations. Where access is needed for technical support, we access them with your written consent or where required by law, and we keep an audit record.

How AI handles your data

Proppi uses third-party AI services to perform optical character recognition, document classification, entity extraction, and conversational search. Three commitments apply across every AI provider we use:

  • No training on your content. Our AI sub-processors operate under data-processing agreements that prohibit using your documents or queries to train their models.
  • No long-term retention by AI providers. We do not enable optional retention features. AI providers process the request and return a result; they do not keep your content as a separate stored copy.
  • Server-side citation filtering. When the AI cites a source document in an answer, our server checks that the document actually belongs to your account before showing the citation. The model cannot fabricate access to documents you have not uploaded.
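
An added example, not Proppi's own code, of the server-side citation check described above: citations returned by a model are dropped unless the document belongs to the requesting account, and the title shown is taken from the server's record rather than from the model. The document store, field names, and account ids are assumptions constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Document:
    doc_id: str
    account_id: str
    title: str


# Constructed sample store (hypothetical schema): doc_id -> server-side record.
STORE = {d.doc_id: d for d in (
    Document("doc-101", "acct-alice", "Lease agreement 2023"),
    Document("doc-102", "acct-alice", "Building inspection report"),
    Document("doc-201", "acct-bob", "Rates notice"),
)}

# Constructed model output: one valid citation with a model-invented title,
# another account's document, an unknown id, a missing id, and a duplicate.
SAMPLE_MODEL_CITATIONS = [
    {"doc_id": "doc-101", "title": "Title invented by the model"},
    {"doc_id": "doc-201", "title": "Rates notice"},
    {"doc_id": "doc-999", "title": "Does not exist"},
    {"title": "No id at all"},
    {"doc_id": "doc-101", "title": "Duplicate"},
]


def filter_citations(account_id, model_citations, store=STORE):
    """Return (shown, rejected). Fails closed on anything not owned by account_id."""
    shown, rejected, seen = [], [], set()
    for cite in model_citations:
        doc_id = cite.get("doc_id")
        # Only string ids are looked up; malformed ids are treated as unknown.
        doc = store.get(doc_id) if isinstance(doc_id, str) else None
        if doc is None or doc.account_id != account_id:
            rejected.append(doc_id)  # keep for audit logging, never display
            continue
        if doc_id in seen:
            continue
        seen.add(doc_id)
        # Display metadata comes from the store, never from model-supplied text.
        shown.append({"doc_id": doc.doc_id, "title": doc.title})
    return shown, rejected


if __name__ == "__main__":
    print(filter_citations("acct-alice", SAMPLE_MODEL_CITATIONS))
```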

Sub-processors

We rely on a small set of managed cloud, AI, payment, and email providers to operate the service. We change providers from time to time as the technology and our needs evolve, so the public list of specific vendors lives in a separately maintained register rather than on this page. A current list of sub-processors, including the countries in which they operate, is available on request — email privacy@proppi.ai.

Every sub-processor is bound by a data-processing agreement that requires standards consistent with the New Zealand Privacy Act 2020 and the Australian Privacy Principles.

Infrastructure

  • Managed hosting. Proppi runs on managed cloud services that hold independent security certifications (SOC 2 Type II or equivalent) for the underlying platform.
  • Regular updates. We patch our application dependencies on an ongoing basis and rely on managed services for operating-system and database patching.
  • Backups. Database backups are taken automatically by our infrastructure provider, encrypted, and retained on a rolling window.

Your data, your control

  • Export. You can download your original uploaded documents at any time from inside the app.
  • Delete. You can delete individual documents at any time, or contact us to delete your entire account. Deletion removes the document from our database, file storage, and search index.
  • No sale, no advertising. We do not sell your personal information and we do not show third-party advertising.

Responsible disclosure

If you believe you have found a security vulnerability in Proppi, we appreciate a quiet heads-up so we can fix it before it is exploited.

  • Email security@proppi.ai with a description of the issue, the steps to reproduce, and any proof-of-concept material.
  • Please give us a reasonable window to investigate and remediate before any public disclosure.
  • Do not access, modify, or delete data that does not belong to your own account, and do not run automated scanners against the production service.
  • We do not currently run a paid bug-bounty programme, but we will acknowledge your report, keep you updated on our progress, and credit you in our release notes if you would like.

Reporting an incident affecting your account

If you believe your Proppi account has been accessed without your permission — for example, you spot a login you do not recognise — change your password, enable multi-factor authentication, and email security@proppi.ai with the details. We will help you investigate and lock the account down.

What this page is not

This page describes the security measures we apply to the service. It is not a substitute for the privacy policy (which sets out the legal framework for how we handle personal information) or the terms of service (which set out the agreement between you and us). Where the wording differs, those documents govern.

Get in touch

Security questions, vendor-due-diligence requests, or sub-processor-list requests can be sent to security@proppi.ai.