Security and Trust

Last updated: June 28, 2026

StreetScout, Inc. ("StreetScout") helps buyers, homeowners, real estate agents, and brokerages review HOA documents, store governing records, and draft response letters. This page summarizes how we protect that data. It is written to reflect what the product does today. Where a control is planned rather than live, we say so plainly so you can assess us accurately.

Data encryption

  • In transit: All traffic to StreetScout is encrypted with TLS (HTTPS). We do not serve application content over unencrypted connections.
  • At rest: Your database records and uploaded files are stored on managed infrastructure (Supabase, backed by enterprise cloud providers) that encrypts data at rest using industry-standard AES-256.
  • Application-layer document encryption: Our platform additionally supports envelope encryption (AES-256-GCM) for uploaded documents at the application layer. This is available for accounts and engagements that require it.

Access control and isolation

  • Tenant isolation: Customer data is isolated per account using row-level security (RLS) enforced at the database. A user's documents, cases, and reports are scoped to their own account and are not visible to other customers.
  • Least privilege: Access to production systems and customer data is limited to the small number of personnel who need it to operate the service.
  • File storage: Uploaded documents live in private storage buckets. Access is scoped to the owning account; files are not publicly listable.

Authentication

  • Sign-in methods: We support email and password sign-in, OAuth providers, and passwordless passkeys (WebAuthn / FIDO2), which are phishing-resistant and bound to your device.
  • Sessions: Sessions are managed with secure, HTTP-only cookies and are refreshed server-side.
  • Two-factor authentication (MFA): Authenticator-app (TOTP) two-factor authentication and enforced MFA are available for brokerage and enterprise organizations, so every member must present a second factor to sign in. Contact us to turn on MFA enforcement for your workspace.
  • On our roadmap: Single sign-on (SSO / SAML) for brokerage and enterprise workspaces. If your organization requires SSO before onboarding, contact us so we can prioritize and scope a timeline with you.

AI processing and your documents

StreetScout uses AI to analyze documents and draft letters. We want to be precise about how your content is handled:

  • We do not train AI models on your documents. Content you upload or generate is used to fulfill your request (for example, analyzing a notice or drafting a letter). It is not used to train or fine-tune our models or our AI provider's models.
  • Provider: AI analysis and generation are performed by Anthropic (Claude). Documents and case content you submit are transmitted to Anthropic solely to process your request. Under Anthropic's commercial API terms, this data is not used to train its models.
  • Scope: Your documents are processed only to provide features you ask for. They are not sold and are not shared with other customers.

Hosting and infrastructure

StreetScout runs on managed cloud infrastructure. The application is hosted on Netlify; the database, authentication, and file storage are provided by Supabase; and payments are handled by Stripe. These providers operate hardened, SOC-2-aligned environments. A complete list of the third parties that process customer data is on our Subprocessors page.

Data retention and deletion

  • Retention: We retain your account and case data for as long as your account is active.
  • Self-service deletion: You can delete your account and associated data yourself from Settings, or by emailing privacy@streetscout.ai. We remove your personal data within 30 days of a verified request, except where retention is required by law. Residual copies in encrypted backups age out on our standard backup rotation.
  • Data export: You can export a copy of your account data (profile, cases, documents, letters, and reports) as a JSON file from Settings at any time.
  • Aggregated data: Anonymized, aggregated enforcement data that can no longer be tied to an individual may be retained to power neighborhood intelligence features.

See the Privacy Policy for full details on what we collect and how we use it.

Incident response

We maintain an incident response process that covers detection, triage, containment, and recovery. If a security incident affects your data, we will investigate promptly, take steps to contain it, and notify affected customers and regulators where required by applicable law, consistent with our notification timelines. After resolution, we conduct a review to reduce the chance of recurrence.

Administrative controls

  • Audit logging: Privileged administrative actions are recorded in an internal, append-only audit log (for example, account status changes and support access events).
  • Support access: When support staff need to access an account to resolve an issue, that access is gated and recorded.
  • On our roadmap: Customer-visible activity logs and exportable account audit trails for brokerage administrators.

Responsible disclosure

If you believe you have found a security vulnerability, please report it to security@streetscout.ai. Include enough detail to reproduce the issue. We will acknowledge your report, investigate, and keep you updated. Please give us a reasonable opportunity to remediate before any public disclosure, and do not access, modify, or delete data that is not your own.

Security FAQ

Answers to the questions brokerages and security teams ask most often. For a full questionnaire response or a copy of our subprocessor list, contact enterprise@streetscout.ai.

Do you use my documents to train AI?

No. Your documents are used only to fulfill your request and are not used to train our models or our AI provider's models.

Is my data encrypted?

Yes. Data is encrypted in transit with TLS and at rest with AES-256 on our managed infrastructure. Application-layer document encryption is also available.

Can other customers see my data?

No. Customer data is isolated per account with database row-level security. Only people you share a report link with can view that shared report.

Do you support MFA and SSO?

We support phishing-resistant passkeys today, and authenticator-app (TOTP) two-factor authentication with enforced MFA is available for brokerage and enterprise organizations. SSO / SAML is on our roadmap. Reach out if your brokerage requires these.

Where is my data hosted?

On managed cloud infrastructure in the United States (Netlify and Supabase). See the Subprocessors page for the full list.

Can I export my data?

Yes. You can export your account data (profile, cases, documents, letters, and reports) as a JSON file from Settings at any time.

How do I delete my data?

Delete your account yourself from Settings, or email privacy@streetscout.ai. We remove your personal data within 30 days, except where retention is required by law.

Contact

Security questions or questionnaire requests: security@streetscout.ai or enterprise@streetscout.ai.