Data Security Policy
Last updated: March 24, 2026
Default Agency ("Company," "we," "us," or "our") is committed to protecting the security and confidentiality of your personal and financial data. This Data Security Policy describes the technical and organizational measures we take to safeguard the information you entrust to us, including credit reports, identity documents, and account credentials.
1. Scope
This policy applies to all data collected, processed, stored, or transmitted through the Default Agency platform, including the client portal, agency dashboard, AI analysis pipeline, and all supporting infrastructure. It covers:
- Personally Identifiable Information (PII): name, address, date of birth, Social Security Number (last 4 digits)
- Financial data: credit scores, tradeline details, dispute history
- Identity documents: uploaded credit reports and bureau correspondence
- Account credentials: email addresses and hashed passwords
- Communication data: messages, notes, and AI Coach conversations
2. Data Encryption
In Transit
All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher. We enforce HTTPS across all endpoints and reject unencrypted connections. Email communications containing sensitive data use transport-layer encryption (STARTTLS).
At Rest
Sensitive fields (including SSN last-4 digits and API keys) are encrypted at the application layer before storage. Database backups are encrypted and stored in isolated, access-controlled locations. File uploads, including credit reports, are stored in private object storage and are never publicly accessible via direct URL.
3. Access Controls
- Role-based access: Users are assigned the minimum permissions necessary for their role (Super Admin, Admin, Supervisor, Agent, Client). Clients can only access their own data.
- Authentication: All accounts are protected by password authentication. Passwords are hashed using bcrypt with a minimum cost factor of 12 — plaintext passwords are never stored.
- Session management: Sessions are invalidated on logout and expire after a configurable period of inactivity. Session tokens are rotated on privilege escalation.
- API authentication: All API access requires a valid token issued through our secure token system. Tokens can be revoked individually at any time.
- Administrative access: Access to the agency dashboard is restricted to authenticated staff. Super-admin accounts are limited to designated personnel only.
4. Data Minimization
We collect only the data necessary to provide credit restoration services. We do not collect or store full Social Security Numbers. We do not store raw payment card data — all billing is processed by PCI-DSS-compliant third-party processors. Credit report documents are retained only for the duration necessary to support active disputes and are subject to our retention schedule.
5. AI Data Processing
Credit reports and dispute data may be processed by AI models (Anthropic Claude or OpenAI) to generate dispute letters, score roadmaps, and analysis. When this occurs:
- Data is transmitted over encrypted connections to the AI provider's API.
- We do not submit full SSNs, payment card numbers, or government ID numbers to AI APIs.
- AI providers we use operate under data processing agreements that prohibit using customer data to train their models.
- AI-generated outputs are reviewed and stored within our platform under the same access controls as all other client data.
6. Infrastructure Security
- Server hardening: Production servers run minimal software, with unused ports closed and unnecessary services disabled.
- Firewall: Network-level firewalls restrict inbound and outbound traffic to authorized sources and destinations only.
- Dependency management: We maintain an active dependency update process and monitor for known vulnerabilities (CVEs) in our software stack.
- Secrets management: API keys, database credentials, and cryptographic secrets are stored in environment variables — never in source code or version control.
- Logging and monitoring: All authentication events, administrative actions, and data access operations are logged to an immutable audit trail. Anomalous activity triggers alerts.
7. Audit Trail
Default Agency maintains a comprehensive, tamper-evident audit log of all significant actions performed within the platform, including:
- Login and logout events
- Dispute letter creation, editing, and submission
- Credit report uploads and AI analysis runs
- Agent actions on client accounts
- Settings and configuration changes
Audit logs are retained for a minimum of 24 months and are accessible to authorized administrators only.
8. Third-Party Integrations
We integrate with select third-party services to deliver our platform. Each integration is evaluated for security before deployment:
- Payment processing: Stripe (PCI-DSS Level 1 certified)
- AI analysis: Anthropic and/or OpenAI (enterprise data processing agreements in place)
- SMS notifications: Twilio (SOC 2 Type II certified)
- Workflow automation: n8n (self-hosted on dedicated infrastructure)
- CRM: Zoho CRM (ISO 27001 certified)
We do not sell, rent, or share client data with any third party for marketing purposes.
9. Incident Response
In the event of a suspected or confirmed data security incident:
- We will investigate and contain the incident within 72 hours of discovery.
- Affected clients will be notified promptly in accordance with applicable breach notification laws.
- We will cooperate with regulatory authorities as required.
- A post-incident review will be conducted and corrective measures implemented.
To report a potential security vulnerability or incident, contact us immediately at info@rebuildr.app.
10. Employee and Contractor Access
Access to client data by Default Agency personnel is limited to individuals who require it to perform their job functions. All staff and contractors with access to sensitive data are:
- Subject to confidentiality agreements
- Trained on data security and privacy obligations upon onboarding and annually thereafter
- Required to use unique, individual credentials — shared accounts are prohibited
- Offboarded with immediate credential revocation when their engagement ends
11. Data Retention and Deletion
We retain client data for as long as necessary to provide services and comply with legal obligations. Upon termination of your account:
- Portal access is revoked immediately.
- Personal data is anonymized or deleted within 90 days, unless retention is required by law or ongoing dispute proceedings.
- You may request deletion of your data at any time by contacting us at info@rebuildr.app.
12. Your Rights
Depending on your jurisdiction, you may have the right to access, correct, restrict processing of, or request deletion of your personal data. To exercise any of these rights, contact us at info@rebuildr.app. We will respond within 30 days.
13. Policy Updates
We review and update this Data Security Policy at least annually, or whenever material changes are made to our security practices. Significant updates will be communicated to active clients via email or in-platform notification. Continued use of our services after a policy update constitutes acceptance of the revised policy.
14. Contact
If you have questions about our data security practices or wish to report a concern, please contact:
Default Agency
Security Contact: info@rebuildr.app