He Whare OraHe Whare Ora Back to home

Legal

Security

Last updated: 19 April 2026

Security is foundational to He Whare Ora. We treat tenant, operator and contractor information as taonga and design the Platform to protect it at every layer.

Architecture

  • Row Level Security (RLS) on every table — access is enforced in the database, not just the app.
  • Role-aware access: Platform Admin, Property Operator, Tenant and Contractor roles are stored in a dedicated roles table and checked through security-definer functions to prevent privilege escalation.
  • Server-side authentication: sessions and role checks happen on the server, never in browser storage.
  • Tenant-first isolation: a tenant can only see their own tenancy, communications and tickets.

Encryption

  • All traffic is encrypted in transit using TLS 1.2+.
  • Data is encrypted at rest by our infrastructure providers.
  • Payment card data never touches our servers — Stripe handles PCI scope on our behalf.

Operations

  • Automated backups with point-in-time recovery for the production database.
  • Webhook and edge-function logs are retained for diagnostics and incident response.
  • Least-privilege access for the engineering team, with access reviewed periodically.
  • Dependencies are continuously scanned for vulnerabilities.

Incident response

If we become aware of a security incident affecting your data, we will notify the affected operator and (where required) the Office of the Privacy Commissioner without undue delay, in line with the Privacy Act 2020 notifiable breach scheme.

Responsible disclosure

If you believe you have found a security issue in the Platform, please email mahi@coruscant.ch with details and steps to reproduce. We commit to acknowledging reports within 3 business days, keeping you updated, and not pursuing legal action against good-faith researchers who:

  • Do not access, modify or delete data belonging to other users.
  • Do not perform denial-of-service or social engineering attacks.
  • Give us a reasonable opportunity to remediate before public disclosure.

Your role

Use a strong, unique password, keep your devices up to date, and be cautious of phishing emails. We will never ask you to share your password.