Information Security Policy

Baxly Labs LLC · Last updated: May 2, 2026

1. Overview

This policy outlines the security practices and controls that RealMatch employs to protect customer data, including CRM data ingested from third-party platforms such as Follow Up Boss and Keller Williams Command.

2. Data Classification

| Classification | Description | Examples |
| --- | --- | --- |
| Customer CRM Data | Contact records, notes, call transcripts, property activity, and buyer criteria ingested from connected CRMs | Names, emails, phone numbers, buyer preferences, agent notes |
| Account Data | User authentication credentials and subscription information | Email addresses, hashed passwords, Stripe customer IDs |
| OAuth Credentials | Encrypted tokens used to access third-party CRM APIs on behalf of users | Access tokens, refresh tokens |
| Derived Data | AI-extracted buyer criteria generated from CRM data | Structured buyer profiles (price ranges, locations, property types) |

3. Data Encryption

In Transit

  • All data transmitted between clients and servers uses TLS 1.2 or higher (HTTPS)
  • API calls to third-party services (CRM APIs, payment processors) use TLS-encrypted connections
  • No data is transmitted over unencrypted channels

At Rest

  • Database hosted on Supabase (PostgreSQL) with AES-256 encryption at rest
  • CRM OAuth tokens (access and refresh tokens) are encrypted using AES-256-GCM before storage, with a separate encryption key managed outside the database
  • Backups are encrypted using the hosting provider's encryption mechanisms

4. Authentication and Access Control

User Authentication

  • User authentication managed through Supabase Auth
  • Passwords are hashed using bcrypt with appropriate salt rounds
  • Session tokens are issued as JWTs with expiration
  • Password reset via secure email link with time-limited tokens

CRM OAuth

  • Third-party CRM connections use OAuth 2.0 authorization code flow
  • Users explicitly authorize access through the CRM provider's consent screen
  • OAuth tokens are encrypted at rest (AES-256-GCM) and refreshed automatically
  • CSRF protection via cryptographic state parameter and httpOnly cookies

Internal Access

  • Production database access restricted to service role keys, never exposed to clients
  • Row Level Security (RLS) enforced at the database level — users can only access their own data
  • Principle of least privilege applied to all service accounts

5. Data Access and CRM Integration

Read-Only CRM Access

  • RealMatch only reads data from connected CRMs — we never create, modify, or delete contacts, notes, calls, or any other CRM records
  • The only write operations to CRM platforms are webhook subscription management (registering/unregistering webhook endpoints)
  • Our AI analysis operates on a copy of the data stored in our database — it never interacts with the CRM API directly

Data Minimization

  • We only ingest data necessary for buyer criteria extraction: contacts, notes, calls, events, and property activity
  • We do not access or store financial data, documents, transaction records, or other sensitive CRM data not required for our service
  • Ingested data is limited to buyer-type contacts (filtered by stage, tags, and engagement activity)

6. AI and Data Processing

  • Buyer criteria extraction is performed using Anthropic's Claude API
  • CRM text data (notes, call transcripts, event descriptions) is sent to Anthropic for structured data extraction
  • Anthropic does not use API data for model training (per their API terms of service)
  • Extracted criteria are stored in our database as structured records
  • Raw CRM text is not permanently stored after extraction — only the structured output is retained

7. Third-Party Services

| Service | Purpose | Security |
| --- | --- | --- |
| Supabase | Database, authentication | SOC 2 Type II, AES-256 encryption |
| Cloudflare Workers | Background sync processing | SOC 2, ISO 27001 |
| Anthropic (Claude API) | AI buyer criteria extraction | SOC 2 Type II, zero data retention |
| Stripe | Payment processing | PCI DSS Level 1, SOC 2 |
| Resend | Transactional email | TLS encrypted |
| Vercel | Web application hosting | SOC 2, encrypted at rest and in transit |
| Sentry | Error monitoring | SOC 2, no PII collected |

8. Data Retention and Deletion

Active Accounts

  • CRM-derived buyer criteria are retained as long as the account is active
  • OAuth tokens are retained as long as the CRM connection is active
  • Search history and match results are retained for the lifetime of the account

Account Deletion

  • Users can delete their account through the app (Settings > Delete Account)
  • Account deletion removes all associated data: buyer criteria, match results, listings, saved searches, OAuth tokens, and the user record
  • Deletion is performed immediately and is irreversible

9. Incident Response

  1. Identify — Determine scope and severity of the incident
  2. Contain — Isolate affected systems, revoke compromised credentials
  3. Notify — Inform affected users within 72 hours of confirmed data breach
  4. Remediate — Fix the vulnerability, rotate affected keys/tokens
  5. Document — Record incident details, root cause, and remediation steps

10. Compliance

  • CAN-SPAM: Email consent tracked with timestamps; unsubscribe mechanism available
  • CCPA/CPRA: Users can request data export or deletion
  • SOC 2: Not yet certified; reliance on SOC 2-certified infrastructure providers (Supabase, Cloudflare, Anthropic, Stripe)

11. Policy Review

This policy is reviewed and updated at least annually, or whenever significant changes are made to our infrastructure, data processing practices, or third-party service providers.

Baxly Labs LLC
Security: security@getrealmatch.com
Support: support@getrealmatch.com
getrealmatch.com