Security

How we protect realtor and lead data.

We’re a small team and we don’t pretend to be SOC 2 yet. Below is exactly what we do today, in plain language, with no buzzwords.

Encryption in transit

All traffic to streamsynq.io and streamsynq.vercel.app is served over TLS 1.3, with HSTS preload (max-age=63072000). Plain-HTTP requests are redirected to HTTPS at the edge, and a strict Content-Security-Policy header is sent on every response.

Encryption at rest

Postgres database storage is AES-256 encrypted. Vendor API credentials (CRM keys, MLS tokens, Twilio Auth Tokens) get an additional application-layer encryption pass with AES-256-GCM using a key held only in our environment. Credentials never appear in plain text in logs, error messages, or admin UI.

Tenant isolation

Every customer-data table in our Postgres has Row-Level Security (RLS) enabled with policies keyed on auth.uid() = user_id. Two realtors on the platform cannot query each other’s leads, calls, conversations, or settings — the database itself enforces the boundary.

These policies are tested across all 16 customer-data tables. INSERT policies use WITH CHECK so a tenant cannot insert rows owned by another tenant.

Webhook signature verification

Inbound webhooks from Twilio (X-Twilio-Signature), Retell (HMAC-SHA256), Resend (Svix), and Stripe (HMAC) are signature-verified before processing. Unsigned or wrong-signature payloads are rejected with 401 and logged. We never trust webhook payloads on the basis of source IP alone.

Authentication

Realtor accounts use Supabase Auth (email + password). Passwords are bcrypt-hashed at rest with a per-user salt. Admin access to /admin requires a server-side allowlist check; admin status is never inferred from a client-side cookie. We are evaluating SSO + 2FA for the team-tier rollout.

No PCI scope

We never see, store, or process card numbers. All payment handling is delegated to Stripe — they hold the card data, we hold a customer ID. This keeps Streamsynq out of PCI-DSS scope entirely.

Production error monitoring

Sentry catches every server, client, and edge runtime exception within ~60 seconds. Replay-on-error captures the user session leading up to a crash so we can debug without asking the customer for steps to reproduce. PII is masked in replay (text content + media blocked by default).

Cron job authentication

Scheduled jobs (reactivation cron, email-drip, Resend warmup) authenticate with Authorization: Bearer $CRON_SECRET. Anyone hitting /api/cron/* without the secret gets 401 — there is no public-internet path to trigger our crons.

TCPA + FTSA compliance

Every SMS and voice call requires prior express written consent from the lead, captured at the original lead source (Realtor.com / Zillow / IDX form) and re-validated at the dispatch boundary. Consent records are immutable — protected by a Postgres trigger that rejects UPDATE on the row after creation. Revocation creates a new record; the original consent log is never altered. Florida is a two-party consent state for call recording — we disclose recording audibly at the start of every AI call.

AI vendor data-handling

Anthropic Claude (SMS conversation generation) and Retell AI (voice) are bound by enterprise DPAs that prohibit using customer data to train their models. Audio recordings of calls are retained per the realtor’s configured retention policy — default 90 days, configurable to 30 or 365 days.

Subprocessors

Full subprocessor list (also published in our Privacy Policy):

  • Vercel — application hosting (US regions)
  • Supabase — Postgres, Auth, file storage (US regions)
  • Stripe — payment processing
  • Anthropic — Claude AI for SMS
  • Retell AI — voice orchestration
  • Twilio — phone numbers + SMS delivery
  • Resend — transactional email
  • Sentry — error monitoring
  • Repliers (when configured) — MLS listing data
  • Cal.com — booking calendar

Reporting a vulnerability

Email security@streamsynq.io with reproduction steps. We acknowledge within 24 hours and aim to ship a fix within 7 days for critical issues. We do not have a formal bug-bounty program yet but credit researchers in our changelog upon request.