Security Schedule

Effective date: 2 March 2026

This schedule describes the baseline safeguards Apworth commits to for paid production environments. It is intended to give buyers a clear operational control set before procurement.

1. Identity and Access

  • Residents use individual 4-digit PINs so login stays simple on shared devices.
  • Staff and admin users use named accounts with individual passwords.
  • Admin sign-in requires both an individual password and the home’s shared Admin Verification Code.
  • Passwords, verification codes, and PINs are stored as salted hashes.

2. Data Protection

  • Each customer home is isolated as its own tenant.
  • Firestore rules and server-side checks prevent cross-home data access.
  • HTTPS protects data in transit, and managed cloud encryption protects data at rest.

3. Monitoring and Abuse Controls

  • Authentication, administrative updates, and security-relevant actions are logged.
  • Public and administrative endpoints use a Firestore-backed rate limiter shared across instances.
  • Error monitoring is sent to Sentry when production monitoring is configured.

4. Operational Controls

  • Shared-device sessions time out automatically after inactivity.
  • CI runs type checks, tests, and a production build before release.
  • Security incidents follow the Notifiable Data Breach runbook, with a named incident owner required for paid production.

Built for Australian retirement villages

© 2026 Apworth. All rights reserved.