Bank-grade security

Built to keep you safe

Your personal details, your password, and your money are protected by the same kind of layered defences used by global property and payment platforms. Here's what we have in place — in plain English.

A+ SSL rating
256-bit Encryption
24/7 Monitoring
POPIA + GDPR

We treat your data the way we'd want ours treated. Below are the eight layers of protection between an attacker and your account. Each one runs around the clock, with no action needed on your side.

End-to-end encrypted connection

Every page, every form, every payment runs over 256-bit TLS — the same encryption your bank uses. Browsers refuse to load Propworths over an unencrypted connection, ever.

  • HSTS enforced — no one can downgrade you to an insecure version
  • A-rated configuration verified independently at securityheaders.com
  • Mixed-content blocking — no third-party site can sneak in over HTTP

Your password, locked down

We never store passwords in readable form — they're hashed with bcrypt, the same standard used by Apple, Stripe and Google. Even if someone got hold of our database, your password would still be safe.

  • 5 wrong-password attempts and the account is locked for 15 minutes
  • Bots that try thousands of combinations from one network get blocked entirely
  • Password resets use single-use links that expire in 1 hour

We tell you the moment something looks off

Every time someone signs in to your Propworths account from a new device or network, you get an immediate email — when, where, and what to do if it wasn't you. If a password reset is requested, you're told who, when, and how to lock the account down.

  • One-tap reset link in every alert
  • Logging in from a new device automatically signs out all other sessions after a password change

Payments handled by a PCI-DSS provider

Card details never touch our servers. Every transaction goes through Peach Payments — a regulated, PCI-DSS-compliant processor — and gets a tamper-proof signature we verify before recording anything as paid.

  • Webhook payloads authenticated with AES-GCM — a forged or altered "paid" request fails the integrity check and is rejected
  • 5-minute replay window — captured payment notifications can't be re-submitted later
  • Duplicate-payment protection — Peach retries never double-charge
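The three checks above (authenticated payload, five-minute freshness window, no double-recording) as an added Go example; this is illustrative code, not Peach Payments' or Propworths' own, and the JSON envelope format, field names and the seal helper are assumptions made so it runs offline.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/json"
	"errors"
	"time"
)

// Hypothetical envelope: the plaintext inside the AES-GCM ciphertext is JSON
// carrying the payment id and the Unix time the processor issued the event.
type paymentEvent struct {
	PaymentID string `json:"payment_id"`
	IssuedAt  int64  `json:"issued_at"`
}
const replayWindow = 5 * time.Minute // the page's 5-minute replay window

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 16-, 24- or 32-byte key
	if err != nil { return nil, err }
	return cipher.NewGCM(block) // 12-byte nonce, 16-byte auth tag appended
}

// seal plays the processor side so the example runs offline (constructed, not real processor code).
func seal(key, nonce []byte, ev paymentEvent) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil { return nil, err }
	plain, _ := json.Marshal(ev)
	return aead.Seal(nil, nonce, plain, nil), nil
}

// webhookVerifier accepts a notification only if it authenticates, is fresh and
// has not been recorded before. In production seen would be a shared store.
type webhookVerifier struct {
	aead cipher.AEAD
	seen map[string]bool
}

func (v *webhookVerifier) verify(nonce, ct []byte, now time.Time) (*paymentEvent, error) {
	plain, err := v.aead.Open(nil, nonce, ct, nil) // tag check: a forged or altered payload fails here
	if err != nil { return nil, errors.New("authentication failed") }
	var ev paymentEvent
	if err := json.Unmarshal(plain, &ev); err != nil { return nil, err }
	age := now.Sub(time.Unix(ev.IssuedAt, 0))
	if age < 0 || age > replayWindow { return nil, errors.New("outside replay window") }
	if v.seen[ev.PaymentID] { return nil, errors.New("duplicate notification") } // processor retry after success
	v.seen[ev.PaymentID] = true
	return &ev, nil
}
```

Failed decryptions should be archived rather than silently dropped, matching the forensic-review practice described later on this page.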

Bot protection on every form

Contact forms, sign-up forms, OTP requests, voice search, AI chat — every public endpoint is rate-limited per IP, with honeypots to catch automated abuse before it reaches our pipeline.

  • Throwaway email addresses (mailinator-style) blocked at signup
  • Disposable-number patterns and known bot user-agents refused at the door
  • Our AI services have per-IP caps so nobody can run up the bill on shared infrastructure

Three-layer admin lockdown

The admin dashboard sits behind three independent gates — a hosting-level password challenge, a server-side role check, and an optional IP allow-list. Even a successful breach of one layer doesn't expose your data.

  • Every admin action is logged with who, when, IP and action
  • No admin URL is published — discoverable only by people we've given the address to

Your data, your call

You can download every piece of information we hold about you, in machine-readable form, at any time. Or delete your account entirely — and we'll scrub your personal details from our audit logs while keeping only what tax law requires us to keep.

  • POPIA (South Africa) and GDPR (EU/UK) compliant by design
  • Retention windows enforced by an automated nightly job — not just promised in policy
  • Five named sub-processors only (Brevo, Twilio, Peach, Google Maps, Google Analytics) — full list published in our Privacy Policy

24/7 automated monitoring

Every login attempt, every form submission, every payment event flows into a structured audit log with a calibrated threat-level rollup. Anything unusual — a burst of failed logins, a webhook from an unrecognised IP, an admin refusal — surfaces immediately for review.

  • Payment webhooks that fail decryption are archived for forensic review
  • Daily retention cleanup so old data doesn't pile up beyond what we've promised to keep

Your account, your choice

You can exercise your data rights yourself, online, without waiting for us. We typically respond to any direct enquiry within one business day.

Independent verification

Don't take our word for it. Run our domain through securityheaders.com or Mozilla Observatory — both score our configuration A or higher. Our payment provider is regulated by the Financial Sector Conduct Authority of South Africa.

Your data is safe
  • 256-bit SSL
  • POPIA & GDPR
  • Verified by Peach Payments
  • 24/7 fraud monitoring
  • Encrypted at rest & in transit