How we protect your data

Bricks PM stores all customer data in Frankfurt, Germany on AWS infrastructure managed by Supabase. Frankfurt is one of the most regulated, enterprise-grade data jurisdictions in the world, governed by the EU General Data Protection Regulation (GDPR).

We are committed to migrating customer data to the Middle East (Bahrain) AWS region as soon as it becomes available on our infrastructure plan. This brings data physically closer to UAE users and aligns with the UAE Personal Data Protection Law (PDPL, Federal Decree-Law No. 45 of 2021) data localisation guidance for customer-facing services.

Every byte of your data is encrypted in two places. In transit, we use TLS 1.2+ for every connection between your browser, our servers, and the database. At rest, the database is encrypted using AES-256, the same standard used by banks and government systems.

Documents you upload (Emirates IDs, passports, leases, title deeds) are stored in encrypted object storage with strict per-workspace access controls.

Bricks PM is a multi-tenant platform — your workspace shares infrastructure with other agencies for cost and reliability reasons, but is logically isolated at the database layer using PostgreSQL Row-Level Security (RLS).

Every query against your data is automatically filtered by your workspace identifier. There is no application code path — including mistakes by our engineers — that can return data from a different agency’s workspace. This is enforced by the database itself, not the application.

Passwords are hashed using bcrypt with per-user salts. We never store or transmit cleartext passwords. Sessions are signed and expire automatically.

Access to your workspace requires both a verified email and explicit membership; landlords and tenants enter only via single-use, time-limited invitations from your agency. Two-factor authentication (TOTP) and platform single sign-on are on the roadmap for the quarter.

Every meaningful action in your workspace — invites sent, leases created or modified, payments recorded, settings changed — is recorded in an append-only audit log. Agency admins can export this log on request.

Our infrastructure providers maintain the following independent attestations, which extend to the data we store on your behalf:

• SOC 2 Type II (security, availability, confidentiality)
• ISO 27001 (information security management)
• ISO 27701 (privacy information management)
• HIPAA-eligible infrastructure (we do not handle PHI today)
• GDPR (EU data residency under Frankfurt)

Bricks PM itself is targeting SOC 2 Type I attestation within twelve months of paid launch. We will publish progress publicly on this page.

UAE Federal Decree-Law No. 45 of 2021 grants every individual whose data we process the following rights:

• The right to know what data we hold about you
• The right to request correction of inaccurate data
• The right to request deletion of your data
• The right to receive your data in a portable format
• The right to object to certain types of processing
• The right to file a complaint with the UAE Data Office

Tenants and landlords can request any of these directly from their agency, who can fulfil them through Bricks PM’s built-in tools. Agencies can request the same from us.

When you delete a record, it is soft-deleted for 30 days to allow recovery from accidental deletion, then hard-deleted permanently. When an agency closes its workspace, all data is hard-deleted within 30 days of cancellation, with the option to receive an export first.

Backups are retained for 7 days on a rolling basis. Deletion requests propagate to backups within that window.

We use the following sub-processors, each under a Data Processing Agreement:

• Supabase — database, auth, file storage (Frankfurt)
• Vercel — application hosting and CDN (global edge)
• Resend — transactional email delivery
• Sentry — error monitoring (no PII)
• Stripe — agency subscription billing only

For privacy questions, data subject requests, or security disclosures, contact privacy@brickspropertymanager.com.