Security

How we protect your data.

Transport

All traffic to ocupado.cc uses TLS 1.2+ with HSTS enabled. Certificates are managed by Let's Encrypt.

Authentication

  • Passwords hashed with bcrypt (PHP PASSWORD_BCRYPT).
  • Minimum password policy: 10 characters with at least one letter and one digit.
  • Email verification on signup; password reset via time-limited signed tokens.
  • Rate-limiting on login (20/IP and 10/email per 15 minutes).
  • Session CSRF tokens on every state-changing request.

Secrets and infrastructure

  • API keys and database credentials are stored in a root-owned environment file outside the webroot, loaded into PHP-FPM via systemd.
  • The application config file does not contain secrets.
  • The database user has access only to the application database.

Payments

  • Card data never touches Ocupado servers — Stripe Elements handles card collection on Stripe-hosted fields.
  • Stripe webhooks are verified by HMAC-SHA256 signature with a 300-second tolerance window.
  • Rent payments use Stripe Connect destination charges, so Ocupado is not the merchant of record for landlord funds.
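
The webhook check described above, sketched in PHP as an added example (not Ocupado's own code). It assumes Stripe's documented `Stripe-Signature` header format (`t=<unix time>,v1=<hex HMAC>`); the function name, secret, and payload are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added example. $payload must be the raw request body (e.g. read from
// php://input); re-encoding decoded JSON changes the bytes and breaks the HMAC.
function verify_stripe_signature(string $payload, string $header, string $secret,
                                 int $tolerance = 300, ?int $now = null): bool
{
    $now ??= time();
    $timestamp = null;
    $candidates = [];
    foreach (explode(',', $header) as $part) {
        $kv = explode('=', trim($part), 2);
        if (count($kv) !== 2) {
            continue;
        }
        if ($kv[0] === 't' && preg_match('/^\d+$/', $kv[1]) === 1) {
            $timestamp = (int) $kv[1];
        } elseif ($kv[0] === 'v1') {
            $candidates[] = $kv[1]; // several v1 values appear during secret rotation
        }
    }
    if ($timestamp === null || $candidates === []) {
        return false; // malformed or unsigned header
    }
    if (abs($now - $timestamp) > $tolerance) {
        return false; // outside the tolerance window: treat as a replay
    }
    // The signed string is "<timestamp>.<raw body>".
    $expected = hash_hmac('sha256', $timestamp . '.' . $payload, $secret);
    foreach ($candidates as $sig) {
        if (hash_equals($expected, $sig)) { // constant-time comparison
            return true;
        }
    }
    return false;
}

// Constructed sample values, not real Stripe data.
$secret  = 'whsec_constructed_example';
$payload = '{"id":"evt_constructed","type":"payment_intent.succeeded"}';
$t       = 1700000000;
$header  = "t=$t,v1=" . hash_hmac('sha256', "$t.$payload", $secret);

var_dump(verify_stripe_signature($payload, $header, $secret, 300, $t + 10));       // fresh event
var_dump(verify_stripe_signature($payload, $header, $secret, 300, $t + 301));      // stale timestamp
var_dump(verify_stripe_signature($payload . ' ', $header, $secret, 300, $t + 10)); // altered body
```

Because the timestamp is part of the signed string, an attacker cannot refresh a captured event by editing `t` in the header.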

Logging and audit

State-changing actions are recorded in an audit log with actor, IP, user-agent, and timestamp. Login attempts are logged for rate-limit accounting and retained for 7 days.

Third-party processors

Stripe (payments), Anthropic (AI lease analysis), Seam (smart locks), Zoho (email). Each is contacted over authenticated HTTPS.

Reporting a vulnerability

Please email nerd@a84y.com with reproduction details. We do not currently run a paid bug-bounty program.

Developed by Autom84You
All Rights Reserved. Ocupado.CC 2026