Security at EstateForge.

A short, honest page about how we protect the data on EstateForge, what we don’t claim, and how to reach our security team if you find a problem.

Practices.

Encryption in transit
All connections to EstateForge use TLS 1.2 or above. Old protocols and weak ciphers are disabled at the edge.
Encryption at rest
Customer data, payment records, and backups are encrypted at rest on disk and in object storage. Encryption keys are managed by the cloud providers we host on; access to keys is restricted by IAM policy.
Access controls
Engineering access to production data is limited to named individuals, gated by multi-factor authentication, and logged. Access is reviewed regularly and revoked when no longer required.
Audit logging
Access to production systems, configuration changes, and security-relevant events are logged. Logs are retained for at least 90 days.
Payments
Card data is processed by PCI-DSS-compliant payment providers. We never store full card numbers on EstateForge infrastructure.
Vendor diligence
Third-party providers handling customer data (hosting, email, analytics, payments) are selected based on their published security posture and contractual commitments.
Backups
Customer data is backed up on a defined schedule with restore procedures tested regularly. Backups are encrypted and stored separately from production.
Patching and updates
Operating systems, runtimes, and dependencies are patched on a defined cadence, with critical security updates prioritised.
Incident response
We maintain an internal incident-response plan covering detection, containment, communication, and post-incident review. In the event of a personal-data breach that is likely to result in a risk to your rights, we will notify you and, where required, the UAE Data Office, in line with the Privacy Policy and PDPL requirements.

Honest boundaries.

We do not currently hold SOC 2, ISO 27001, or equivalent certification.

We follow practices consistent with those frameworks and can share our internal security posture under NDA when conversations advance. If certification becomes commercially necessary, we will pursue it and update this page.

We are not a vault.

EstateForge stores account, payment, and usage data needed to operate the platform. We do not hold customer property deeds, escrow funds, or transactional financial assets, and we are not a custodial service.

We do not publish our specific tooling.

Defensive security benefits from a degree of opacity about specific tools, versions, and configurations. We share architectural posture; we don’t publish a target map.

Responsible disclosure.

If you’ve found a security issue with EstateForge, we want to hear about it. The process below is how we handle reports, and the safe-harbour terms under which good-faith researchers can test.

How to report

Email security@estateforge.ae with:

  1. A clear description of the issue, including the affected URL or endpoint.
  2. Steps to reproduce.
  3. Your name and contact details (a pseudonym is fine; we may need to verify the finding before we can credit you).
  4. Whether you’d like public credit if we publish a disclosure.

We acknowledge reports within two UAE business days and provide a resolution path within ten UAE business days for confirmed issues, or earlier for severe issues.

Scope

  • In scope: *.estateforge.ae web properties and any service explicitly identified as ours.
  • Out of scope: social-engineering attacks against EstateForge staff, physical attacks against our office or staff, denial-of-service testing, attacks against third-party services we use, and any testing that affects users other than yourself.

Safe harbour

We will not pursue legal action against researchers who:

  • act in good faith,
  • stay within the scope above,
  • avoid privacy violations of other users and avoid destruction of data,
  • give us reasonable time to remediate before public disclosure,
  • and do not exploit findings for personal gain or for any purpose other than the report.

If you are unsure whether a planned test is in scope, ask us first at security@estateforge.ae.

Acknowledgement

We do not currently run a paid bug-bounty programme. We acknowledge confirmed reports with public credit on this page (if the reporter wants it) and may, at our discretion, offer thanks in other forms.

Contact.

Security issues: security@estateforge.ae. Privacy and data rights: privacy@estateforge.ae. Everything else lives at /contact.

If you require PGP for security correspondence, request our key at security@estateforge.ae and we’ll send it from a verified channel.