
Information Security Policy

Effective Date: February 9, 2026 · Last Updated: February 9, 2026

Our Commitment to Security. At Home Insight Pro (operated by Vertex Infrastructure Holdings, LLC), protecting your data is a core business priority. This policy outlines the technical and organizational security measures we implement across our platform to safeguard your personal and property information.

1. Encryption in Transit

All communications between your browser and our servers are encrypted using industry-standard Transport Layer Security (TLS):

  • TLS 1.2 and TLS 1.3 are the only protocols accepted. Older, insecure protocols (SSLv3, TLS 1.0, TLS 1.1) are disabled.
  • HSTS (HTTP Strict Transport Security) is enforced with a max-age of one year, including subdomains, so a browser that has visited our site once refuses plain-HTTP connections to it afterwards, even when a user types an http:// URL or follows an http:// link. This defeats SSL-stripping downgrade attacks.
  • Our TLS configuration uses strong cipher suites that provide forward secrecy (ECDHE key exchange).
  • All HTTP requests are automatically redirected to HTTPS.

2. Password Security

We enforce a robust password policy to protect user accounts:

Minimum Length

12 characters minimum, well above the industry standard of 8.

Complexity Requirements

Must include uppercase, lowercase, numbers, and special characters.

Common Password Blocking

Known compromised and commonly used passwords are rejected during registration.

Pattern Detection

Sequential characters (abc, 123) and repeated patterns (aaa) are detected and blocked.

  • Passwords are hashed using bcrypt with a high work factor. Passwords are never stored in plaintext and cannot be recovered — only reset.
  • Real-time password strength feedback is provided during account creation.
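The rules above, implemented as one validator that reports every violation at once (the shape a real-time strength meter needs). This is an added example, not Home Insight Pro's code; the small denylist is constructed for the example and stands in for the compromised-password corpus the policy refers to, whose source the page does not name.

```python
import string

# Constructed stand-in for the compromised/common-password corpus the policy
# refers to; the real list and its source are not given on the page.
COMMON_PASSWORDS = {
    "password", "password123", "qwerty123456", "letmein", "welcome1",
    "iloveyou", "admin", "changeme",
}
MIN_LENGTH = 12
SPECIALS = set(string.punctuation)


def has_sequential_run(pw: str, run: int = 3) -> bool:
    """True if `run` adjacent characters step by exactly +1 or -1 in code
    point (abc, 123, cba), compared case-insensitively."""
    low = pw.lower()
    for i in range(len(low) - run + 1):
        window = low[i:i + run]
        steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def has_repeated_run(pw: str, run: int = 3) -> bool:
    """True if one character occurs `run` times in a row (aaa, 111)."""
    return any(len(set(pw[i:i + run])) == 1 for i in range(len(pw) - run + 1))


def password_problems(pw: str) -> list:
    """Every policy violation in `pw`; an empty list means the password is
    accepted. All checks run so the UI can show complete feedback at once."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = {
        "uppercase": any(c.isupper() for c in pw),
        "lowercase": any(c.islower() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "special": any(c in SPECIALS for c in pw),
    }
    missing = [name for name, present in classes.items() if not present]
    if missing:
        problems.append("missing " + ", ".join(missing))
    # Lower-case before the lookup so "Password123" is caught as well.
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("listed as a common or compromised password")
    if has_sequential_run(pw):
        problems.append("contains a sequential run such as abc or 123")
    if has_repeated_run(pw):
        problems.append("contains a repeated run such as aaa")
    return problems
```

Hashing is deliberately left out of the example. One caveat worth knowing about the bcrypt step the policy names: bcrypt only consumes the first 72 bytes of its input, so a minimum length needs a companion maximum (or a pre-hash) to make sure every character the user typed actually affects the stored hash.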

3. Payment Security

PCI DSS Compliant. Home Insight Pro does not store, process, or transmit credit card data. All payment processing is handled by Stripe, a PCI DSS Level 1 certified service provider — the highest level of payment security certification.

  • Payment forms are hosted and rendered entirely by Stripe (Stripe Checkout). Card data never touches our servers.
  • We maintain PCI DSS compliance at the SAQ-A level (merchants that fully outsource cardholder data functions).
  • Stripe handles tokenization, encryption, and secure storage of payment methods.
  • We store only non-sensitive identifiers (Stripe customer ID, subscription ID) for order management.

4. Authentication and Access Control

4.1 Token-Based Authentication

  • User sessions are managed with signed JSON Web Tokens (JWTs) with short expiration windows.
  • Separate authentication systems are maintained for homeowner/buyer users and for trade professional users, so a token issued by one system is not accepted by the other.
  • Each token carries an issuer (iss) claim that is validated against the expected value for the API it is presented to, so a token minted for one user type is rejected by the other even when it is otherwise well formed.
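The two-system arrangement in working form, as an added example rather than the site's own code. It mints HS256 JWTs with stdlib hmac/json only; the secrets, issuer strings and the 15-minute lifetime are constructed assumptions, and a verifier for one user type uses only that type's key and issuer, so a homeowner token fails on the trade-professional API at the signature check, with the issuer check left in as defence in depth should two systems ever share a key.

```python
import base64
import hashlib
import hmac
import json

# Constructed per-system secrets, issuer names and lifetime (15 minutes);
# the site's real keys, issuer strings and expiry are not stated on the page.
SYSTEMS = {
    "homeowner": {"iss": "hip-homeowner", "key": b"homeowner-signing-secret", "ttl": 900},
    "trade_pro": {"iss": "hip-trade-pro", "key": b"trade-pro-signing-secret", "ttl": 900},
}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def json_b64(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def issue_token(system: str, subject: str, now: int) -> str:
    """Mint an HS256 JWT for one user type with iss, iat and a short exp."""
    cfg = SYSTEMS[system]
    signing_input = json_b64({"alg": "HS256", "typ": "JWT"}) + "." + json_b64(
        {"iss": cfg["iss"], "sub": subject, "iat": now, "exp": now + cfg["ttl"]}
    )
    sig = hmac.new(cfg["key"], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_token(system: str, token: str, now: int) -> dict:
    """Verify `token` for the API of `system`; raise ValueError otherwise.

    Only this system's key and issuer are consulted: a token from the other
    system fails the signature check, and the issuer check remains as defence
    in depth should the two keys ever coincide.
    """
    cfg = SYSTEMS[system]
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm instead of honouring the token's own 'alg'
    # (rejects alg=none and key-confusion tricks).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(cfg["key"], f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    payload = json.loads(b64url_decode(payload_b64))
    if payload.get("iss") != cfg["iss"]:
        raise ValueError("wrong issuer")
    if not isinstance(payload.get("exp"), int) or now >= payload["exp"]:
        raise ValueError("expired or missing exp")
    return payload


def is_valid(system: str, token: str, now: int) -> bool:
    """Boolean wrapper around verify_token for callers that only need yes/no."""
    try:
        verify_token(system, token, now)
        return True
    except ValueError:
        return False
```

The order of checks matters: signature first, then claims, so nothing in an unverified payload is ever acted on. Decoding errors from base64 and json both surface as ValueError subclasses, which is why the wrapper catches only that.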

4.2 Account Lockout

  • An account is temporarily locked after 5 consecutive failed login attempts within a 15-minute rolling window.
  • The lock lasts 30 minutes; attempts made while an account is locked are rejected without being evaluated.
  • Lockout events are logged for security monitoring.

4.3 Rate Limiting

Endpoint          Limit           Window
Login             5 requests      Per minute
Registration      3 requests      Per hour
Password Reset    3 requests      Per hour
General API       100 requests    Per minute

Rate limits are applied per IP address and per account identifier. Exceeding limits results in temporary blocking with appropriate error messages.
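The lockout rule of 4.2 and the limits table of 4.3 share one mechanism, a sliding-window counter, so one added example covers both. This is illustrative code, not the site's implementation: timestamps are passed in so it runs deterministically, state lives in process memory (a production deployment would use a shared store such as Redis across instances, which is an assumption), and the numbers are exactly those the policy states.

```python
from collections import defaultdict, deque

# Parameters exactly as the policy states them.
LOCKOUT_THRESHOLD = 5            # failed attempts ...
FAILURE_WINDOW = 15 * 60         # ... within this rolling window, in seconds
LOCKOUT_DURATION = 30 * 60       # seconds
RATE_LIMITS = {                  # endpoint -> (max requests, window seconds)
    "login": (5, 60),
    "registration": (3, 3600),
    "password_reset": (3, 3600),
    "api": (100, 60),
}


class SlidingWindow:
    """Per-key event counter over a rolling window. Timestamps are injected
    (an assumption made so the example is deterministic)."""

    def __init__(self, limit: int, window: int):
        self.limit, self.window = limit, window
        self.events = defaultdict(deque)

    def hit(self, key, now: float) -> int:
        """Record an event for `key`; return how many fall inside the window."""
        q = self.events[key]
        while q and q[0] <= now - self.window:
            q.popleft()
        q.append(now)
        return len(q)

    def reset(self, key) -> None:
        self.events.pop(key, None)


class RateLimiter:
    def __init__(self):
        self.windows = {ep: SlidingWindow(*cfg) for ep, cfg in RATE_LIMITS.items()}

    def allow(self, endpoint: str, ip: str, account: str, now: float) -> bool:
        """Both the per-IP and the per-account budget must have room.
        Pass account="" for unauthenticated endpoints."""
        w = self.windows[endpoint]
        ip_ok = w.hit(("ip", ip), now) <= w.limit
        acct_ok = not account or w.hit(("acct", account), now) <= w.limit
        return ip_ok and acct_ok


class LockoutTracker:
    def __init__(self):
        self.failures = SlidingWindow(LOCKOUT_THRESHOLD, FAILURE_WINDOW)
        self.locked_until = {}
        self.events = []   # (time, event, account): what goes to security monitoring

    def is_locked(self, account: str, now: float) -> bool:
        return now < self.locked_until.get(account, 0)

    def record_failure(self, account: str, now: float) -> bool:
        """Count a failed login; return True when this one triggers a lockout."""
        self.events.append((now, "login_failed", account))
        if self.is_locked(account, now):
            return False
        if self.failures.hit(account, now) >= LOCKOUT_THRESHOLD:
            self.locked_until[account] = now + LOCKOUT_DURATION
            self.failures.reset(account)
            self.events.append((now, "account_locked", account))
            return True
        return False

    def record_success(self, account: str, now: float) -> None:
        """A successful login clears the failure count (not an active lock)."""
        self.failures.reset(account)
        self.events.append((now, "login_succeeded", account))
```

Note that the per-IP budget trips even when the attacker rotates account names, and the per-account budget trips even when the attacker rotates IPs; checking both is what "per IP address and per account identifier" buys.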

4.4 Administrative Access

  • Administrative functions (trade professional verification, pending update review) require a separate admin role and are protected by role-based access controls.
  • All administrative actions are logged in the audit trail.

5. Audit Logging

We maintain comprehensive audit logs for security-relevant events:

  • Authentication events: Successful logins, failed login attempts, account registrations, and account lockouts.
  • Data access: Property report views and search queries.
  • Data modifications: Property data updates from homeowners, trade professionals, and AI enrichment.
  • Administrative actions: Trade professional verification decisions and update approvals.

Each audit record includes a timestamp, the action performed, the user involved, the IP address, and the user agent. Audit logs are retained for a minimum of 7 years, well beyond the 12 months of audit log history (with the most recent three months immediately available) that PCI DSS requires.

6. HTTP Security Headers

Our web servers are configured with the following security headers on all responses:

  • Strict-Transport-Security: max-age=31536000; includeSubDomains; preload. Purpose: enforce HTTPS for one year on this domain and every subdomain, and qualify for browser preload lists.
  • X-Content-Type-Options: nosniff. Purpose: prevent MIME type sniffing.
  • X-Frame-Options: DENY. Purpose: prevent clickjacking by refusing to render our pages inside any frame.
  • Referrer-Policy: no-referrer. Purpose: prevent referrer leakage to other sites.
  • Permissions-Policy: camera=(), microphone=(), geolocation=(). Purpose: restrict browser feature access, including for embedded third-party content.
  • X-XSS-Protection: 1; mode=block. Purpose: legacy XSS filter kept for defense in depth. Current browsers ignore this header, so it is not relied on; the Content-Security-Policy is the actual XSS control.
  • Content-Security-Policy: strict allowlist (see below). Purpose: prevent code injection and XSS.

Our Content Security Policy (CSP) uses a strict allowlist approach, permitting scripts, styles, fonts, images, and connections only from our own domain and the specific third-party services we use (Stripe, Google Maps).
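A checker that compares a response's headers with the values listed above, as an added example (not a tool the site publishes). It parses HSTS directives and the CSP rather than string-matching whole values, falls back from script-src to default-src the way browsers do, and flags the weak source expressions that would undo an allowlist. The sample headers are constructed; in particular the CSP's Stripe and Google Maps hosts are an assumption about what the real allowlist contains.

```python
HSTS_MIN_AGE = 31536000  # one year, as in the policy table


def parse_hsts(value: str) -> dict:
    """'max-age=31536000; includeSubDomains; preload' ->
    {'max-age': '31536000', 'includesubdomains': True, 'preload': True}"""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip() if val else True
    return directives


def parse_csp(value: str) -> dict:
    """Split a CSP into {directive: [source expressions]}."""
    policy = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def audit_headers(headers: dict) -> list:
    """Compare one response's headers with the policy table. Returns
    (severity, message) pairs: 'fail' is a deviation, 'info' a caveat."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    hsts = parse_hsts(h.get("strict-transport-security", ""))
    try:
        max_age = int(hsts.get("max-age", 0))
    except ValueError:
        max_age = 0
    if max_age < HSTS_MIN_AGE:
        findings.append(("fail", f"HSTS max-age {max_age} is below {HSTS_MIN_AGE}"))
    if "includesubdomains" not in hsts:
        findings.append(("fail", "HSTS lacks includeSubDomains"))
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append(("fail", "X-Content-Type-Options is not nosniff"))
    if h.get("x-frame-options", "").upper() != "DENY":
        findings.append(("fail", "X-Frame-Options is not DENY"))
    for name in ("referrer-policy", "permissions-policy"):
        if name not in h:
            findings.append(("fail", f"{name} header missing"))

    csp = parse_csp(h.get("content-security-policy", ""))
    if not csp:
        findings.append(("fail", "Content-Security-Policy missing"))
    else:
        # script-src falls back to default-src when absent, exactly as browsers do
        scripts = csp.get("script-src", csp.get("default-src", []))
        if not scripts:
            findings.append(("fail", "CSP sets neither script-src nor default-src"))
        for weak in ("'unsafe-inline'", "'unsafe-eval'", "*", "data:", "https:"):
            if weak in scripts:
                findings.append(("fail", f"CSP script sources allow {weak}"))
    if h.get("x-xss-protection", "").startswith("1"):
        findings.append(("info", "X-XSS-Protection is enabled; current browsers ignore "
                                 "it and OWASP now recommends '0', so do not rely on it"))
    return findings


def meets_policy(headers: dict) -> bool:
    return not any(sev == "fail" for sev, _ in audit_headers(headers))


# Constructed response headers matching the policy table; the CSP allowlist
# (Stripe and Google Maps hosts) is an assumption about the real policy.
GOOD_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "no-referrer",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
    "X-XSS-Protection": "1; mode=block",
    "Content-Security-Policy": (
        "default-src 'self'; script-src 'self' https://js.stripe.com "
        "https://maps.googleapis.com; frame-src https://js.stripe.com; "
        "connect-src 'self' https://api.stripe.com; object-src 'none'"
    ),
}
```

Run it against a live response by feeding in the header dictionary from whatever HTTP client you use; the functions take plain dicts so the example itself stays offline.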

7. CSRF Protection

Cross-Site Request Forgery protection is implemented as middleware on our API. For state-changing requests (POST, PUT, PATCH, DELETE), the middleware requires either a valid CSRF token tied to the user's session or an Authorization header carrying a bearer token. The bearer-token path is safe because browsers attach cookies to cross-site requests automatically but never attach an Authorization header on their own, so a request forged from another site cannot carry the token; a cookie-authenticated request, by contrast, must present the CSRF token precisely because its cookie is sent regardless of which site triggered it.
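The decision the middleware makes, written out as an added example that is not the site's code. The CSRF token is an HMAC of the session identifier under a server secret, so it can be verified without storing anything and is useless in another session; the secret here is generated per process, which is an assumption for the example (a deployment loads a stable one from its key store).

```python
import hashlib
import hmac
import secrets

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
# Constructed per-process secret; a real deployment loads a stable secret from
# its key store so tokens survive restarts and work across instances.
CSRF_SECRET = secrets.token_bytes(32)


def csrf_token(session_id: str) -> str:
    """Token bound to one session: HMAC(secret, session id). Verifiable without
    server-side state, and worthless if replayed against another session."""
    return hmac.new(CSRF_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def csrf_check(method: str, headers: dict, cookies: dict, form: dict) -> tuple:
    """The decision a CSRF middleware makes for one request.

    Returns (allowed, reason). Bearer-authenticated calls are exempt because a
    browser never attaches an Authorization header by itself: a cross-site form
    post or image load carries the victim's cookies, not their bearer token.
    The authentication layer behind this check must then authenticate such a
    request from the bearer token only and never fall back to the cookie.
    """
    if method.upper() in SAFE_METHODS:
        return True, "safe method, no state change"
    if headers.get("Authorization", "").startswith("Bearer "):
        return True, "bearer-token API call"
    session_id = cookies.get("session")
    if not session_id:
        return False, "no session cookie"
    # Cookie sessions ARE sent automatically, so the page must also present a
    # token it could only have obtained by rendering on our origin.
    presented = headers.get("X-CSRF-Token") or form.get("csrf_token", "")
    if not presented:
        return False, "CSRF token missing"
    if not hmac.compare_digest(presented.encode(), csrf_token(session_id).encode()):
        return False, "CSRF token does not match session"
    return True, "CSRF token valid"
```

The comparison goes through hmac.compare_digest so a mismatch takes the same time regardless of where the first differing byte is. The one rule the exemption depends on is spelled out in the docstring: once a request is let through on the strength of a bearer header, the cookie must not be consulted for that request.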

8. Data Priority and Integrity

Property data is managed with a priority system that ensures the most reliable sources take precedence:

  1. Verified Trade Professional (highest priority) — Data submitted by admin-verified licensed contractors.
  2. Pending Trade Professional — Data from registered but not-yet-verified trade professionals.
  3. Homeowner — Data submitted by homeowners who have claimed the property.
  4. AI-Enriched (lowest priority) — Data extracted from public records via our AI system.

Every field update is logged in an immutable audit trail with the old value, new value, source, and timestamp.
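The precedence list and the audit trail, as one added example (not the site's implementation). The concrete rule it applies is an assumption about the scheme described above: a source may overwrite a field only if its rank is at least that of the source that set the current value, so AI enrichment never replaces a verified contractor's figure while a newer verified figure replaces an older one. Audit entries are frozen dataclasses exposed through a read-only accessor, which is how the example approximates "immutable"; rejected proposals are kept separately for monitoring, another assumption.

```python
from dataclasses import dataclass

# Source ranks in the order the policy lists them; higher wins.
PRIORITY = {
    "verified_trade_pro": 4,
    "pending_trade_pro": 3,
    "homeowner": 2,
    "ai_enriched": 1,
}


@dataclass(frozen=True)
class AuditEntry:
    """One append-only trail record; frozen so a stored entry cannot be edited."""
    field: str
    old_value: object
    new_value: object
    source: str
    timestamp: int


class PropertyRecord:
    """Field values with their provenance plus the audit trail of every change.

    Rule applied (an assumption about the page's precedence scheme): a source
    may overwrite a field only if its priority is at least that of the source
    that set the current value.
    """

    def __init__(self):
        self.values = {}     # field -> (value, source)
        self._audit = []     # append-only; exposed read-only via audit_trail()
        self.rejected = []   # (timestamp, field, source), for monitoring

    def propose(self, field: str, value, source: str, timestamp: int) -> bool:
        """Apply `value` if `source` outranks or equals the current source;
        return whether it was applied. Every applied change is logged."""
        if source not in PRIORITY:
            raise ValueError(f"unknown source {source!r}")
        current = self.values.get(field)
        if current is not None and PRIORITY[source] < PRIORITY[current[1]]:
            self.rejected.append((timestamp, field, source))
            return False
        old_value = current[0] if current is not None else None
        self.values[field] = (value, source)
        self._audit.append(AuditEntry(field, old_value, value, source, timestamp))
        return True

    def audit_trail(self) -> tuple:
        return tuple(self._audit)

    def winning_source(self, field: str):
        return self.values[field][1] if field in self.values else None
```

Keeping the source next to the value, rather than only in the log, is what makes the precedence check O(1) per update and lets a reader of the record see at a glance which tier each field currently rests on.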

9. Infrastructure Security

  • Cloud Hosting: The Service is hosted on Amazon Web Services (AWS) EC2 instances in the US, benefiting from AWS's SOC 2, ISO 27001, and PCI DSS certifications.
  • Firewall: Network-level security groups restrict inbound traffic to HTTPS (443) and SSH (22, restricted to specific IPs) only.
  • Nginx Reverse Proxy: A hardened Nginx configuration with rate limiting, DDoS mitigation, and TLS termination sits in front of the application.
  • Process Isolation: The application runs as a dedicated service user with minimal filesystem permissions.
  • Dependency Management: Dependencies are pinned to specific versions and regularly reviewed for known vulnerabilities.

10. Vulnerability Management

  • We regularly review and update third-party dependencies for known security vulnerabilities.
  • Server operating system and software packages are kept up to date with security patches.
  • We perform periodic security reviews of our application code and infrastructure configuration.
  • If you discover a security vulnerability, please report it to info@nrir.net. We take all reports seriously and will respond promptly.

11. Incident Response

In the event of a security incident:

  1. Detection: Audit logs, rate limiting alerts, and system monitoring are used to detect anomalous behavior.
  2. Containment: Affected accounts or systems are immediately isolated to prevent further exposure.
  3. Investigation: The incident is thoroughly investigated to determine scope and root cause.
  4. Notification: Affected users will be notified within 72 hours of our confirming a breach. This meets or exceeds applicable breach notification laws; California Civil Code § 1798.82, for example, requires notice in the most expedient time possible and without unreasonable delay.
  5. Remediation: Vulnerabilities are patched and preventive measures are implemented.
  6. Documentation: All incidents are documented with lessons learned to improve future security posture.

12. Employee and Contractor Access

  • Access to production systems and databases is restricted to authorized personnel on a need-to-know basis.
  • Administrative access requires multi-factor authentication where supported by the infrastructure provider.
  • Access credentials are rotated regularly and revoked immediately upon role change or departure.

13. Data Backup and Recovery

  • Database backups are performed automatically on a regular schedule.
  • Backups are encrypted and stored in a geographically separate location from the primary infrastructure.
  • Recovery procedures are tested periodically to ensure data can be restored in a timely manner.

14. Compliance

Our security program is designed to align with the following standards and regulations:

  • PCI DSS (SAQ-A): For payment card industry compliance as a merchant that fully outsources cardholder data processing to Stripe.
  • CCPA/CPRA: California Consumer Privacy Act compliance for personal data handling. See our Privacy Policy for details.
  • OWASP Top 10: Our application is designed with the OWASP Top 10 security risks in mind, including injection prevention, broken authentication protection, and security misconfiguration hardening.

15. Policy Updates

This Information Security Policy is reviewed and updated at least annually, or more frequently when significant changes occur in our technology stack, threat landscape, or regulatory environment. Material changes will be communicated through our website.

16. Contact

For security inquiries, vulnerability reports, or questions about this policy:

  • Email: info@nrir.net
  • Mail: Vertex Infrastructure Holdings, LLC dba Home Insight Pro, 3704 Beckets Crown Ct, Mustang, OK 73064

© 2026 Home Insight Pro. All rights reserved. A product of Vertex Infrastructure Holdings, LLC.