Security

Last updated March 16, 2026. How we protect your properties, payments, and personal information.

1. Our Security Commitment

Security is foundational to everything we do at Varden. As a property management platform that handles sensitive financial transactions, personal information, and tenant screening data, we take our security responsibilities seriously.

We have built our security program on three core principles: defense in depth, least privilege access, and continuous monitoring. This document outlines the technical and organizational measures we employ to protect your data.

2. Data Encryption

All data transferred to and within the system is encrypted. Whether a user connects from a desktop browser or a smartphone, nothing crosses the network unencrypted. We update the system promptly as new vulnerabilities are discovered.

2.1 Encryption in Transit

  • 256-bit AES encryption for all data in transit
  • TLS 1.2 and TLS 1.3 supported for all connections (TLS 1.3 preferred where available)
  • ECDHE_RSA key exchange, which provides forward secrecy
  • HTTPS is enforced for all connections with HTTP Strict Transport Security (HSTS)
  • Certificate pinning is implemented in our mobile applications
  • We maintain an A+ rating on SSL Labs
  • All API endpoints are HTTPS-only with no plaintext HTTP fallback

2.2 Encryption at Rest

All stored data is encrypted using AES-256 encryption:

  • Database contents (production and backup)
  • File uploads and documents (leases, photos, etc.)
  • Backups and archives
  • Logs and audit trails
  • Session data and temporary files

2.3 Sensitive Data Protection

Particularly sensitive information receives additional protection:

  • Social Security Numbers: Encrypted with dedicated keys, access-controlled and audit-logged
  • Bank Account Details: Tokenized through Stripe and never stored on our servers
  • Passwords: Hashed using bcrypt with appropriate work factors (not stored in plaintext)
  • API Keys: Hashed at rest, displayed only once during creation
  • Consumer Reports: Encrypted and stored separately from other data with additional access controls

2.4 Key Management

  • Encryption keys are managed using a Hardware Security Module (HSM)
  • Keys are rotated regularly according to our key management policy
  • Separate keys for different data classifications
  • Key access is logged and audited

3. Payment Security

Payment processing is one of our most critical security areas. We use industry-leading practices to protect financial transactions.

3.1 PCI DSS Compliance

  • Payment processing is handled by Stripe, a PCI DSS Level 1 certified processor
  • Credit card numbers never touch our servers
  • Card data is tokenized and processed entirely within Stripe's secure environment
  • We maintain PCI DSS SAQ-A compliance for our integration

3.2 Bank Account Security

  • Bank account information is verified through Stripe, our PCI-compliant payment processor
  • Account details are tokenized and never stored in plaintext
  • Micro-deposit verification is available as an additional security measure
  • ACH transfers are processed through secure banking networks

3.3 Fraud Prevention

  • Velocity checks on payment attempts and account changes
  • Identity verification for new accounts receiving payouts
  • Machine learning-based fraud detection through Stripe Radar
  • Bank account ownership verification before first payout
  • Automatic blocking of suspicious transactions
  • 24/7 monitoring for fraudulent activity

3.4 Payout Security

  • Multi-day holding periods for new accounts
  • Two-factor authentication required for payout settings changes
  • Email notifications for all payout-related changes
  • Separate verification for bank account updates

4. Access Control

4.1 User Authentication

  • Strong password requirements (minimum 12 characters, with complexity rules)
  • Two-factor authentication (2FA) via authenticator app or SMS
  • 2FA required for accounts with payout access or team management
  • Session timeout after periods of inactivity
  • Secure session management with rotating tokens
  • Account lockout after multiple failed attempts
  • Suspicious login detection and notification

4.2 Employee Access Controls

  • Principle of least privilege for all employee access
  • Role-based access control (RBAC) with segregation of duties
  • All access is logged and audited
  • Background checks for employees with access to sensitive data
  • Regular access reviews (quarterly) with automatic revocation
  • Separate admin credentials for production access
  • Just-in-time access provisioning for sensitive operations

4.3 API Security

  • API key authentication with secure generation
  • OAuth 2.0 support for integrations
  • Rate limiting to prevent abuse
  • Request signing for sensitive operations
  • IP allowlisting available for enterprise accounts

5. Infrastructure Security

5.1 Cloud Infrastructure

Varden is hosted on enterprise-grade cloud infrastructure:

  • SOC 2 Type II certified data centers
  • Geographic redundancy across multiple availability zones
  • Automated failover and disaster recovery
  • Private network isolation (VPC) for all services
  • Infrastructure as Code for reproducible, auditable deployments
  • Immutable infrastructure patterns

5.2 Network Security

  • Web Application Firewall (WAF) with managed rulesets
  • DDoS mitigation and automatic traffic scrubbing
  • Intrusion detection and prevention systems (IDS/IPS)
  • Network segmentation and microsegmentation
  • Internal traffic encryption
  • No direct database access from public networks

5.3 Container Security

  • Container image scanning for vulnerabilities
  • Minimal base images to reduce attack surface
  • No root process execution in containers
  • Read-only filesystems where possible
  • Runtime security monitoring

6. Application Security

6.1 Secure Development Lifecycle

  • Security requirements in all feature specifications
  • Threat modeling for significant features
  • Mandatory code review for all changes
  • Automated security testing in CI/CD pipeline
  • Manual security reviews for sensitive functionality
  • Security training for all engineers

6.2 Automated Security Testing

  • Static Application Security Testing (SAST)
  • Dynamic Application Security Testing (DAST)
  • Software Composition Analysis (SCA) for dependencies
  • Container vulnerability scanning
  • Secret detection in code repositories

6.3 OWASP Top 10 Protections

We implement specific protections against common vulnerabilities:

  • Injection: Parameterized queries, input validation, ORM usage
  • Broken Authentication: MFA, secure session management, brute force protection
  • Sensitive Data Exposure: Encryption, secure headers, no sensitive data in URLs
  • XML External Entities: Disabled external entity processing
  • Broken Access Control: RBAC, authorization checks at all levels
  • Security Misconfiguration: Automated configuration scanning, minimal permissions
  • Cross-Site Scripting (XSS): Output encoding, CSP headers, sanitization
  • Insecure Deserialization: Signed serialized data, type validation
  • Components with Vulnerabilities: Automated dependency updates, SCA
  • Insufficient Logging: Comprehensive audit logs, alerting

7. Data Protection

7.1 Data Classification

We classify data into categories with appropriate protection levels:

  • Critical: Payment data, SSNs, consumer reports - highest protection
  • Sensitive: PII, financial information, screening data - enhanced protection
  • Internal: Business data, analytics - standard protection
  • Public: Marketing content, published listings - basic protection

7.2 Data Minimization

  • We collect only data necessary for providing our services
  • Data is retained only as long as needed or legally required
  • Automated data deletion for expired records
  • Secure disposal of data and media

7.3 Data Backup and Recovery

  • Automated backups with point-in-time recovery
  • Geographically distributed backup storage
  • Encrypted backups with separate key management
  • Regular backup restoration testing
  • Recovery time objective (RTO): 4 hours
  • Recovery point objective (RPO): 1 hour

8. Compliance

Varden maintains compliance with relevant security and privacy standards:

8.1 Security Certifications

  • SOC 2 Type II: Annual audit of security, availability, and confidentiality controls
  • PCI DSS: Compliance through our payment processor (Stripe)

8.2 Privacy Regulations

  • GDPR: Compliance for users in the European Economic Area
  • CCPA/CPRA: Compliance for California residents
  • State Privacy Laws: Compliance with Virginia, Colorado, Connecticut, and other state laws

8.3 Industry-Specific Compliance

  • FCRA: Fair Credit Reporting Act compliance for tenant screening
  • Fair Housing Act: Non-discrimination in housing
  • ESIGN/UETA: Electronic signature compliance
  • GLBA: Financial information protection (where applicable)

9. Incident Response

We maintain a comprehensive incident response program:

9.1 Preparation

  • Documented incident response procedures
  • Designated incident response team with 24/7 availability
  • Regular incident response training and drills
  • Pre-established communication templates
  • Relationships with law enforcement and regulatory agencies

9.2 Detection and Analysis

  • 24/7 security monitoring and alerting
  • Security Information and Event Management (SIEM)
  • Anomaly detection for unusual activity
  • Log aggregation and analysis
  • Threat intelligence integration

9.3 Containment and Eradication

  • Rapid containment procedures to limit impact
  • Forensic capabilities for investigation
  • Evidence preservation protocols
  • Root cause analysis

9.4 Notification

In the event of a security incident affecting your data:

  • We will notify affected users without unreasonable delay
  • Notification will include the nature of the incident and types of data involved
  • We will provide steps you can take to protect yourself
  • We will comply with all applicable breach notification laws
  • We will notify relevant regulatory authorities as required

9.5 Post-Incident Review

  • Formal post-incident review for all significant incidents
  • Lessons learned documentation
  • Improvement implementation and tracking
  • Updates to policies and procedures as needed

10. Business Continuity

10.1 Availability

  • 99.9% uptime SLA for production services
  • Redundant systems across multiple availability zones
  • Automatic failover for critical components
  • Load balancing and auto-scaling
  • Real-time system health monitoring

10.2 Disaster Recovery

  • Documented disaster recovery procedures
  • Regular DR testing and exercises
  • Alternate site capabilities
  • Communication plans for major outages

11. Vendor Security

We carefully evaluate and monitor our third-party vendors:

  • Security assessments before vendor onboarding
  • Contractual security and privacy requirements
  • Regular vendor security reviews
  • Limited data sharing based on necessity
  • Data processing agreements for all vendors handling personal data

12. Security Tips for Users

Help keep your account secure with these practices:

  • Enable Two-Factor Authentication: Add an extra layer of protection to your account using an authenticator app
  • Use a Unique Password: Don't reuse passwords from other services. Consider using a password manager
  • Verify Requests: We will never ask for your password via email, phone, or chat
  • Check URLs: Always verify you're on vardenhomes.com before entering credentials
  • Report Suspicious Activity: Contact us immediately if something seems wrong with your account

13. Responsible Disclosure

We value the security research community and welcome responsible disclosure of vulnerabilities.

13.1 Reporting a Vulnerability

Security Team

Email: security@vardenhomes.com

PGP Key: Available on request for encrypted communications

13.2 What to Include

  • Description of the vulnerability
  • Steps to reproduce the issue
  • Potential impact assessment
  • Any proof of concept (without causing damage)
  • Your contact information for follow-up

13.3 Our Commitment

  • We will acknowledge receipt within 24 hours
  • We will investigate and provide updates on our progress
  • We will not take legal action against researchers acting in good faith
  • We will credit researchers (with permission) for discovered vulnerabilities
  • We ask that you allow reasonable time for remediation before disclosure

13.4 Scope

In-scope systems include:

  • *.vardenhomes.com
  • Varden mobile applications
  • Varden APIs

Out of scope:

  • Denial of service testing
  • Social engineering attacks
  • Physical security testing
  • Third-party services we integrate with

14. Contact Us

For security questions, concerns, or to report an issue:

Varden Security Team

30 N Gould St, Ste N

Sheridan, WY 82801, USA

Security Inquiries: security@vardenhomes.com

Abuse Reports: abuse@vardenhomes.com

General Support: support@vardenhomes.com

© 2026 Varden Homes LLC. All rights reserved.