Security & Compliance

We handle your most sensitive financial data — here's exactly how we protect it.

HTTPS / TLS Encryption

✓ Active on all connections

Where managed: Cloudflare — the world's largest edge network. Every request to wereportyourrent.com is automatically encrypted via TLS 1.3.

How it works: Cloudflare terminates HTTPS at the edge (200+ global locations) and forwards traffic to our Workers over Cloudflare's own secure backbone. There is no plain HTTP path. HTTP requests are automatically redirected (301) to HTTPS.

HSTS Header: We send Strict-Transport-Security: max-age=31536000; includeSubDomains; preload — this tells browsers to always use HTTPS for our domain, even if you type http://.
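The header value above can be checked mechanically. This added example (not code from this site) parses a Strict-Transport-Security value per RFC 6797 and reports what would fail the header requirements of the browser HSTS preload list; the function names are hypothetical.

```javascript
// Added example: parse an HSTS header value and check preload-list header requirements.
const ONE_YEAR = 31536000; // minimum max-age accepted for preload submission
const PAGE_HEADER = "max-age=31536000; includeSubDomains; preload"; // value quoted on this page

function parseHsts(headerValue) {
  const result = { maxAge: null, includeSubDomains: false, preload: false, errors: [] };
  const seen = new Set();
  for (const raw of String(headerValue || "").split(";")) {
    const directive = raw.trim();
    if (!directive) continue;
    const [nameRaw, ...rest] = directive.split("=");
    const name = nameRaw.trim().toLowerCase(); // directive names are case-insensitive
    const value = rest.join("=").trim().replace(/^"(.*)"$/, "$1"); // quoted-string form is allowed
    if (seen.has(name)) {
      result.errors.push(`duplicate directive: ${name}`); // each directive may appear only once
      continue;
    }
    seen.add(name);
    if (name === "max-age") {
      if (/^\d+$/.test(value)) result.maxAge = Number(value);
      else result.errors.push("max-age is not a non-negative integer");
    } else if (name === "includesubdomains") {
      result.includeSubDomains = true;
    } else if (name === "preload") {
      result.preload = true;
    } // unknown directives are ignored, as RFC 6797 requires of user agents
  }
  if (!seen.has("max-age")) result.errors.push("max-age is missing");
  return result;
}

// Returns a list of findings; an empty list means the header meets the preload header rules.
function preloadFindings(headerValue) {
  const parsed = parseHsts(headerValue);
  const findings = [...parsed.errors];
  if (parsed.maxAge !== null && parsed.maxAge < ONE_YEAR) {
    findings.push(`max-age ${parsed.maxAge} is below ${ONE_YEAR}`);
  }
  if (!parsed.includeSubDomains) findings.push("includeSubDomains is missing");
  if (!parsed.preload) findings.push("preload is missing");
  return findings;
}
```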

SSL Certificate: Automatically issued and renewed by Cloudflare. Zero manual management. Covers wereportyourrent.com and *.wereportyourrent.com.

Your custom domain: Point your DNS to Cloudflare, enable the orange cloud (proxy), and HTTPS is live in minutes — no certificate purchase needed.

FCRA — Fair Credit Reporting Act

✓ Compliant

What it is: The FCRA (15 U.S.C. § 1681) is a federal law governing how consumer credit information can be collected, accessed, and reported. Any company that reports to or obtains data from credit bureaus must comply.

What we do:

  • Written Consent (§604): We obtain explicit electronic consent during signup before reporting any data. This is stored in our consent_records table with timestamps, IP address, and consent version.
  • Positive-only reporting: We never report late or missed payments — only positive, on-time payments. This is a core product principle.
  • Dispute Rights: Premium users can dispute credit report inaccuracies directly through our platform. We respond within 30 days per FCRA requirements.
  • Data Accuracy: All data sent to bureaus is verified against the uploaded lease agreement.
  • Immutable Audit Log: Every sensitive action is logged in an append-only audit_log table. Rows are never updated or deleted.

Bureau credentialing: Powered by Array.com, which holds established bureau relationships and handles all bureau credentialing, dispute management, and FCRA-compliant reporting workflows.

PCI DSS — Payment Card Industry Data Security Standard

✓ Compliant via Stripe

What it is: PCI DSS v4.0 (enforced March 2025) is the security standard for any business that processes, stores, or transmits payment card data.

How we handle it:

  • Card data never touches our servers. All payment processing is handled by Stripe (a PCI DSS Level 1 certified provider). We use Stripe's hosted checkout or Stripe.js elements, which means card numbers go directly from the browser to Stripe — bypassing our servers entirely.
  • We only store: Stripe customer IDs and subscription IDs (non-sensitive references). Never PANs, CVVs, or expiry dates.
  • Webhook verification: All Stripe webhooks are verified using Stripe's signature before processing.
  • Content Security Policy: Our CSP headers only allow scripts from Stripe's domain (js.stripe.com), preventing card-skimming script injection (PCI DSS 6.4.3).

Data Storage & Encryption

✓ Encrypted at rest & in transit

What We Store

User account data (name, email, phone, DOB)
Last 4 digits of SSN, hashed with SHA-256
Lease metadata (file location, dates, status)
Credit snapshots from Array.com
Audit logs for every sensitive action

What We Never Store

Full Social Security numbers (SSNs)
Credit card numbers, CVVs, or PINs
Full credit reports in plain text
Plaintext passwords (bcrypt only)
Lease file content (stored in R2, not DB)

Where Data Lives

Cloudflare D1 (SQLite) — structured data
Cloudflare R2 — lease document files
Cloudflare KV — session caching
All within Cloudflare's SOC 2 Type II certified infrastructure

Access Controls

Row-level access control via user IDs
Admin routes protected by JWT auth
Rate limiting on all API endpoints
Parameterised queries only (no raw SQL)
Input sanitisation on all POST endpoints

Cloudflare Infrastructure

✓ Enterprise-grade security

Our entire application runs on Cloudflare Pages + Workers — this is not a traditional server. Here's what that means for security:

DDoS Protection

Cloudflare automatically absorbs and mitigates DDoS attacks at the network layer — our application never sees malicious traffic.

Zero-Trust Network

Cloudflare's Workers run in an isolated V8 sandbox. No shared server resources. No lateral movement between tenants possible.

Global Edge (200+ PoPs)

Requests are served from the nearest Cloudflare data center — faster responses and no single point of failure.

Automatic WAF

Cloudflare's Web Application Firewall blocks SQL injection, XSS, and common attack patterns before they reach our code.

Bot Protection

Cloudflare Bot Management filters automated attacks, credential stuffing, and scraping attempts.

No Cold-Boot Secrets

API keys and secrets are stored as Cloudflare encrypted secrets, not environment files. Never on disk.

Compliance Roadmap

✓ Now

FCRA Compliant
PCI DSS via Stripe
HTTPS/TLS Everywhere
HSTS + CSP Headers
Rate Limiting
Input Sanitisation
Audit Logging
SSN Hashing

→ Q3 2026

SOC 2 Type I Audit
Penetration Testing
Formal Incident Response Plan
CCPA Privacy Controls
Multi-Factor Authentication
Admin IP Allowlisting

→ 2027

SOC 2 Type II
ISO 27001 Consideration
State Money Transmitter Review
Consumer Financial Protection (CFPB)
FTC Safeguards Rule Alignment