Security & Trust

IONROI handles sensitive financial records, lease agreements, and identity documents on behalf of property investors and managers. Here is how we protect that data.

1. Infrastructure security

  • Hosted on enterprise cloud infrastructure. Our servers and databases run on managed, enterprise-grade infrastructure with physical security, redundancy, and regular security updates handled at the infrastructure level.
  • All data encrypted in transit. Every connection between your browser and our servers is encrypted. Data in transit is never exposed in plain text.
  • Databases are not publicly accessible. Our database servers are isolated within a private network and cannot be reached directly from the internet.
  • We do not store payment card details. All payments are handled by our payment provider directly. IONROI never sees or stores your full card number.

2. Application security

  • Passwords are never stored in plain text. When you create or update your password, it is hashed using an industry-standard algorithm before being written to the database. We cannot read your password, only verify it.
  • Session tokens are never stored in plain text. Authentication tokens used to keep you logged in are stored as hashes. Even if our database were ever accessed, raw session tokens would not be exposed.
  • Role-based access controls. Every user account operates under one of four permission levels: Viewer, Accountant, Manager, or Admin. Users can only read or write data that their assigned role permits. Admins can manage who has access to the account.
  • Rate limiting on all endpoints. All API endpoints are rate-limited to prevent brute-force and abuse. Login endpoints have stricter limits than standard API calls.
  • Full audit logging. Every change made within your account (creating records, updating data, changing permissions) is logged with a timestamp and the user who made the change. This log is available to account administrators.
  • HTTP security headers. Standard security headers are applied on all responses to protect against common web vulnerabilities including clickjacking, content sniffing, and cross-site scripting.

3. Data isolation

Your data is completely isolated from all other accounts on the platform. Every query in the system is scoped to your account; it is not possible for any user to access another account's data. This isolation is enforced at the database query level, not just through application logic.

We do not use shared database tables where row-level filtering could accidentally leak records. Each tenant's data is strictly separated.


4. Compliance

IONROI is aligned with the following data protection frameworks:

  • EU General Data Protection Regulation (GDPR). We uphold all rights under GDPR including access, rectification, erasure, portability, and objection to processing. GDPR is widely recognised as the most rigorous data protection standard globally; meeting it means your data is handled responsibly regardless of where you are based.

For full details on what data we collect, how we use it, and your rights, see our Privacy Policy.


5. Responsible disclosure

If you discover a security vulnerability in IONROI, we ask that you report it to us responsibly before disclosing it publicly. Email [email protected] with a description of the issue and the steps to reproduce it.

We will acknowledge your report within 48 hours, keep you informed as we investigate, and credit you in our disclosure notes if you wish. We ask that you give us reasonable time to address the issue before public disclosure.