Legal Centre

Security Schedule

Effective date: 2 March 2026

This schedule describes the baseline safeguards Apworth commits to for paid production environments. It is intended to give buyers a clear operational control set before procurement.

1. Identity and Access

  • Residents use individual 4-digit PINs so login stays simple on shared devices.
  • Staff and admin users use named accounts with individual codes.
  • Home staff and admin sign-in requires the shared Home Password plus each person’s own code.
  • Passwords, personal codes, and PINs are stored as salted hashes.
  • MFA is required for production operator access to provider consoles (GitHub, Vercel, Firebase, Sentry, and email tooling).

2. Data Protection

  • Each customer home is isolated as its own tenant.
  • Firestore rules and server-side checks prevent cross-home data access.
  • HTTPS protects data in transit, and managed cloud encryption protects data at rest.

3. Monitoring and Abuse Controls

  • Authentication, administrative updates, and security-relevant actions are logged.
  • Public and administrative endpoints use a Firestore-backed rate limiter shared across instances.
  • Error monitoring is sent to Sentry when production monitoring is configured.

4. Operational Controls

  • Shared-device sessions auto-time out after inactivity.
  • CI runs dependency vulnerability scanning, type checks, tests, and a production build before release.
  • Security incidents follow the Notifiable Data Breach runbook, with a named incident owner required for paid production.
Back to Legal CentreGet in Touch
Security Schedule | Apworth