# Information Security
Security Contact: cto@hearthproperty.com
Hearth Property uses administrative, technical, and operational safeguards to protect the property, owner, tenant, guest, vendor, payment, booking, maintenance, compliance, and operational data used to deliver our property management services.
This public policy describes Hearth's information security program at a high level. It is intended to explain how we protect data across our website, onboarding flows, owner dashboard, AI-assisted operations, payment and payout workflows, property management operations, and third-party integrations. It does not disclose confidential security architecture or create a separate contractual warranty.
## 1. Purpose and Scope
Hearth Property ("Hearth," "we," "us," or "our") operates an AI-assisted, full-service property management platform and service for short-term, mid-term, and long-term rentals. Our services may include owner onboarding, listing setup, pricing, guest or tenant communications, scheduling, maintenance coordination, compliance support, financial reporting, payment and payout workflows, and owner dashboard access.
This policy applies to Hearth personnel, contractors, vendors, systems, applications, workflows, and service providers that collect, process, transmit, store, or access Hearth data or customer data.
## 2. Governance and Risk Management
Hearth maintains an information security program designed to identify, mitigate, monitor, and periodically review security risks relevant to our business. The program is owned by Hearth's CTO or designated security owner.
- Security policies and procedures are reviewed at least annually and after material changes to our product, infrastructure, vendors, or regulatory obligations.
- Security risks, exceptions, incidents, and remediation items are tracked by the responsible business or technical owner.
- Access, vendor, incident, and vulnerability evidence is retained when available to support internal review and third-party diligence.
## 3. Data Handling and Classification
Hearth classifies data based on sensitivity and business impact. Restricted data includes items such as financial account tokens, bank account identifiers, authentication secrets, API keys, security credentials, and other sensitive financial or security data. Confidential data includes owner contracts, property financials, statements, tenant or guest records, booking data, maintenance records, vendor invoices, and private communications.
- Hearth collects and uses only the data reasonably needed to provide, secure, support, and improve our services.
- Restricted and Confidential data is limited to authorized users and approved business purposes.
- Restricted data must not be sent over unsecured channels, stored in plaintext documents, committed to source code, or entered into unapproved AI tools.
## 4. Access Control and Authentication
Hearth follows least-privilege and role-based access principles. Access to systems and data is granted only when there is a legitimate business need.
- Unique user accounts are required where supported. Shared accounts are prohibited unless approved with compensating controls.
- Multi-factor authentication is required for critical systems, including email/workspace, source control, cloud hosting, database or administrative consoles, password managers, payment or banking tools, financial-data tools, and production operations systems.
- Administrative and production access is restricted to authorized personnel.
- Access is reviewed periodically and removed when no longer needed, including upon termination or role change.
- Credentials, secrets, API keys, and tokens must be stored in approved password managers, secret managers, or encrypted environment systems.
## 5. Financial Account Linking
Where Hearth uses Plaid or similar financial-account connection providers, Hearth uses security controls designed to protect the account-linking workflow.
- Financial-account linking is surfaced only after the user is authenticated to Hearth.
- For sensitive financial workflows, Hearth requires fresh step-up verification, such as an email one-time code, SMS one-time code, authenticator challenge, passkey, or secure magic-link verification tied to the verified session.
- Financial-account link tokens are generated server-side, are short-lived, are tied to the verified session, and are not intentionally logged.
- Hearth does not store raw online banking credentials. We rely on approved financial-data providers and payment or banking providers for account connection and processing.
- Financial tokens and financial-account data are treated as Restricted data.
## 6. Encryption and Transmission Security
Hearth uses encrypted transmission and storage controls appropriate to the sensitivity of the data involved.
- Consumer and administrative traffic must use HTTPS with TLS 1.2 or better where Hearth controls the endpoint.
- Integrations with financial-data providers, payment processors, cloud services, and internal APIs must use encrypted transport.
- Restricted and Confidential data is stored in managed databases, storage systems, or SaaS platforms that support encryption at rest.
- Backups containing Restricted or Confidential data must be encrypted and access-controlled where Hearth controls the backup process.
- Secrets, credentials, and API keys are stored in approved secret-management systems and are not intentionally exposed in source code or logs.
## 7. Secure Development and Change Management
Hearth applies secure development and change-management practices to systems that process customer, property, operational, or financial data.
- Production changes are reviewed, tested, and deployed through approved repositories, CI/CD workflows, or documented change processes.
- Changes involving authentication, authorization, financial-data providers, payments, banking, encryption, logging, or sensitive data access require heightened review.
- Production and non-production environments are logically separated.
- Production data must not be copied into personal devices or non-production environments unless approved and protected.
- Source-code repositories must use MFA for contributors and support dependency, code, and secret scanning where available.
## 8. AI-Assisted Operations
Hearth uses AI-assisted workflows to support property operations, communications, pricing, scheduling, maintenance triage, compliance review, and financial reporting. These workflows are subject to the same security principles as other systems.
- AI agents and automation are granted only the minimum access necessary for their assigned task.
- AI-assisted workflows must not have unrestricted access to financial tokens, secrets, credentials, or owner banking data.
- High-impact actions, including sensitive data exports, payout changes, material financial changes, account deletion, and actions outside approved maintenance or operational thresholds, require human confirmation or documented business rules approved by leadership.
- Personal, financial, or Restricted data must not be entered into unapproved AI tools.
## 9. Vulnerability, Patch, and Endpoint Management
Hearth maintains vulnerability-management procedures for production systems and workforce devices used to access Hearth data.
- Production systems are reviewed using a combination of asset inventory, dependency scanning, code scanning, secret scanning, cloud/provider alerts, and periodic security review.
- Security findings are tracked, prioritized by severity, assigned to an owner, and remediated or mitigated according to risk.
- Workforce devices used for Hearth work must use strong authentication, screen lock, automatic operating system and browser updates, full-disk encryption where supported, and malware protection or EDR where supported.
- Lost or stolen devices must be reported promptly to the security owner.
## 10. Vendor and Service Provider Security
Hearth uses third-party vendors and service providers to operate our business. Vendors that handle Restricted or Confidential data are reviewed for security and privacy posture before use and periodically thereafter when appropriate.
- Vendor review considers data sensitivity, MFA support, encryption, access control, breach notification, deletion/export capabilities, and contractual commitments.
- Hearth prefers vendors with documented security programs, SOC 2 or equivalent assurance where appropriate, administrative MFA, encryption in transit and at rest, and clear data deletion procedures.
- Vendor access is limited to the data necessary to provide the relevant service and is removed when no longer needed.
## 11. Logging and Monitoring
Hearth uses logs, administrative records, and provider alerts to monitor system activity, investigate issues, and support incident response.
- Security-relevant events, such as administrative access, authentication events, financial-account linking events, token creation, and account changes, are logged where supported.
- Logs are access-controlled based on business need.
- Restricted data, credentials, Plaid access tokens, raw payment data, and unnecessary financial identifiers must not be intentionally logged.
## 12. Incident Response
Hearth maintains an incident-response process for suspected or confirmed security events involving Hearth systems, vendors, workforce devices, or customer data.
- Incidents are identified through reports, alerts, vendor notices, suspicious activity, vulnerability disclosures, lost-device reports, or customer complaints.
- Incidents are triaged based on data involved, systems affected, exploitability, customer impact, and business impact.
- Containment may include revoking credentials or tokens, disabling accounts, rotating secrets, isolating affected systems, pausing risky integrations, and preserving relevant evidence.
- Hearth determines and completes legal, contractual, vendor, platform, customer, and regulatory notices as required.
- Material incidents receive a post-incident review with root cause, timeline, impact, corrective actions, owners, and due dates.
## 13. Retention and Deletion
Hearth retains data only for as long as reasonably necessary to provide services, operate our business, maintain security, comply with legal and accounting obligations, resolve disputes, enforce agreements, and support legitimate business purposes.
- Verified deletion requests are honored unless continued retention is required or permitted for legal, accounting, tax, security, fraud-prevention, contractual, or dispute-resolution purposes.
- Financial-account data and tokens are deleted or de-identified when no longer needed, when an account connection is terminated, or after a verified deletion request where legally permissible.
- Backups are retained according to managed backup cycles and are deleted or overwritten in the ordinary course of business.
## 14. Personnel Security and Training
Hearth personnel and contractors with access to Confidential, Restricted, production, or financial data receive security and privacy onboarding before access is granted.
- Training covers phishing, MFA, password manager use, data handling, incident reporting, acceptable use, vendor tools, and AI-tool restrictions.
- Personnel must report suspected security incidents, lost devices, credential exposure, phishing attempts, or unauthorized access promptly.
- Violations of security requirements may result in access removal, contract termination, disciplinary action, or legal action where appropriate.
## 15. Business Continuity
Hearth uses managed services, redundancy, backups, and operational escalation procedures to support continuity of critical services.
- Critical systems rely on managed-service backups or equivalent redundancy where available.
- Backups containing personal, financial, or confidential data are encrypted and access-controlled where Hearth controls the backup process.
- Hearth maintains operational escalation procedures for urgent property access, smart-lock issues, maintenance emergencies, owner communications, and guest or tenant support if primary systems are unavailable.
## 16. Customer Responsibilities
Security is shared. Owners, tenants, guests, vendors, and other users are responsible for protecting their own account credentials, using current contact information, promptly reporting suspicious activity, and notifying Hearth of unauthorized access or data inaccuracies.
Property owners remain responsible for maintaining appropriate property insurance, complying with their contractual obligations, and approving or responding to required operational actions when necessary.
## 17. Updates and Contact
Hearth may update this Information Security Policy from time to time to reflect changes in our services, technology, vendors, operations, legal obligations, or security practices. The updated version will be posted on this page with a revised effective or last-updated date.
Security questions, vulnerability reports, or concerns may be sent to cto@hearthproperty.com.
Legal note: No method of transmission, processing, or storage is perfectly secure. This policy summarizes Hearth's security practices and does not create a guarantee, warranty, or obligation separate from Hearth's written agreements or applicable law.
