AccompliceRE — A Platform of Accomplice Real Estate, LLC
Effective March 13, 2026 · Version 2.0
AccompliceRE is built to handle the most confidential documents in commercial real estate — lease proposals, counter-proposals, LOIs, and financial terms that brokers share with no one outside a single transaction. We treat document confidentiality not as a compliance checkbox but as the core value proposition of the platform.
Every document uploaded to AccompliceRE is processed, analyzed, and immediately deleted. No human at AccompliceRE ever reads your documents. Every user's extracted data is encrypted with a unique encryption key that belongs exclusively to that user. No other user, no AccompliceRE employee, and no third-party service can access your data without your explicit authorization.
This document describes in technical detail how we achieve that guarantee.
AccompliceRE implements multiple independent security controls across the platform. These layers are concurrent and independent — a failure in any single layer does not compromise the others.
Layer 1 — Bot & Abuse Prevention: Cloudflare Turnstile (invisible CAPTCHA) protects signup and authentication endpoints from automated abuse and credential stuffing.
Layer 2 — Payment Fraud Prevention: Stripe Radar with CVC and postal code matching protects payment processing from stolen card fraud. Transactions without verified card identity are blocked automatically.
Layer 3 — Auth Endpoint Protection: Supabase CAPTCHA on all auth APIs provides an independent second CAPTCHA layer at the database infrastructure level, separate from the application-layer Turnstile protection.
Layer 4 — Identity Verification: Email verification via Supabase Auth prevents account creation from disposable and unverified email addresses. All accounts must verify their email before accessing any platform feature.
Layer 5 — API Rate Limiting: Upstash Redis with a sliding-window algorithm limits requests per user on the AI extraction pipeline, upload routes, and authentication endpoints. Rate limits protect against cost abuse and denial of service. Auth endpoints are additionally rate-limited per IP to prevent credential stuffing.
Layer 6 — Data Encryption at Rest: AWS KMS per-user envelope encryption (AES-256-GCM) protects extracted lease data. Each user's data is encrypted with a unique key that only they can access.
Layer 7 — Content Security Policy: Nonce-based Content Security Policy headers restrict which scripts, styles, connections, and frames are permitted on every page, preventing cross-site scripting (XSS) and injection attacks.
Layer 8 — Webhook Idempotency: All Stripe webhook events are deduplicated via a webhook_events table with unique constraints on event IDs, preventing duplicate processing of payment and subscription events.
Layer 9 — Terms of Service Acceptance Tracking: Every user's acceptance of the Terms of Service and Privacy Policy is recorded with timestamp, IP address, user agent, acceptance method, and document version in a dedicated audit log. This clickwrap acceptance is enforced before any platform access is granted.
Every signup, login, and authentication request on the AccompliceRE platform requires passing Cloudflare Turnstile — an invisible CAPTCHA that distinguishes human users from automated bots without presenting visual puzzles to legitimate users. Turnstile is implemented at the form level on every authentication entry point. The token generated by Turnstile is single-use and passed directly to Supabase's authentication API as a captchaToken. Supabase handles verification natively.
Independent of the Cloudflare Turnstile at the application layer, Supabase's authentication API is configured to require CAPTCHA verification on every auth request. This creates defense in depth: even if an attacker bypassed the application layer entirely and sent requests directly to the Supabase auth API, they would still be blocked by the CAPTCHA requirement enforced at the database infrastructure level.
Every new account must verify their email address before accessing the platform. Supabase Auth sends a verification email upon signup. Until the link is clicked, the account exists but cannot access any platform features. This is enforced by middleware — unverified users are redirected to a confirmation screen regardless of how they attempt to access the app.
AccompliceRE supports three authentication methods: Google OAuth 2.0, Microsoft OAuth 2.0, and email/password. OAuth-based authentication eliminates credential database attack vectors entirely for those users.
Authentication endpoints are rate-limited per IP address using Upstash Redis (10 requests per 15 minutes). This prevents credential stuffing and brute-force attacks at the endpoint level. Rate limiting is enforced as the first operation in every authentication function, before any database or service call is made.
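The per-IP limit described above (10 requests per 15 minutes, checked before any credential lookup), shown as an added example that is not AccompliceRE's code. It keeps a sliding-window log in an in-memory Map in place of Upstash Redis; `SlidingWindowLimiter`, `login` and `verifyCredentials` are hypothetical names.

```javascript
const LIMIT = 10;                  // requests allowed per window (from the policy above)
const WINDOW_MS = 15 * 60 * 1000;  // 15 minutes

class SlidingWindowLimiter {
  constructor(limit = LIMIT, windowMs = WINDOW_MS) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.hits = new Map(); // key (client IP) -> timestamps of accepted requests
  }

  // Records the request if it is allowed; returns { allowed, retryAfterMs }.
  check(key, nowMs) {
    const cutoff = nowMs - this.windowMs;
    // Keep only requests that still fall inside the trailing window.
    const recent = (this.hits.get(key) || []).filter((t) => t > cutoff);
    this.hits.set(key, recent);
    if (recent.length >= this.limit) {
      // The oldest accepted request leaving the window frees the next slot.
      return { allowed: false, retryAfterMs: recent[0] + this.windowMs - nowMs };
    }
    recent.push(nowMs);
    return { allowed: true, retryAfterMs: 0 };
  }
}

// Hypothetical login handler: the limiter runs first, so a blocked client
// never reaches the credential check or any other backend call.
function login(limiter, ip, verifyCredentials, nowMs) {
  const gate = limiter.check(ip, nowMs);
  if (!gate.allowed) {
    return { status: 429, retryAfterSeconds: Math.ceil(gate.retryAfterMs / 1000) };
  }
  return { status: verifyCredentials() ? 200 : 401 };
}
```

Unlike a fixed window that resets on a clock boundary, the trailing window never admits more than 10 attempts in any 15-minute span.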
AccompliceRE implements a nonce-based Content Security Policy (CSP) on every page. A unique cryptographic nonce is generated per request and attached to all permitted inline scripts. This prevents cross-site scripting (XSS) attacks by ensuring that only scripts with the correct nonce can execute.
All subscription payments are processed through Stripe with Radar fraud rules enabled. CVC verification and postal code verification are both required — transactions that fail either check are blocked automatically before any charge is attempted. Stripe is PCI DSS Level 1 certified. AccompliceRE never receives, processes, or stores raw card data.
All Stripe price IDs submitted to the checkout flow are validated against a server-side allowlist of known valid price IDs before being passed to Stripe. This prevents manipulation of checkout parameters.
Stripe webhook payloads are verified using Stripe's signature verification before any processing occurs. All webhook events are deduplicated via a webhook_events table with a unique constraint on Stripe's event ID, preventing duplicate processing of the same event.
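The verify-then-deduplicate order described above, shown as an added example that is not AccompliceRE's code. It reimplements Stripe's documented `t=...,v1=...` HMAC-SHA256 signature header so that it runs offline; the 300-second tolerance, the in-memory `WebhookEvents` stand-in for the webhook_events table, and all function names are assumptions.

```javascript
const { createHmac, timingSafeEqual } = require('node:crypto');

const TOLERANCE_SECONDS = 300; // assumed replay window for the signed timestamp

// HMAC-SHA256 over "<timestamp>.<raw body>", hex encoded.
function sign(secret, timestamp, rawBody) {
  return createHmac('sha256', secret).update(`${timestamp}.${rawBody}`).digest('hex');
}

// Checks the signature header against the raw, unparsed request body.
function verifySignature(rawBody, header, secret, nowSeconds) {
  const parts = header.split(',').map((p) => p.split('='));
  const t = Number(parts.find(([k]) => k === 't')?.[1]);
  if (!Number.isInteger(t) || Math.abs(nowSeconds - t) > TOLERANCE_SECONDS) return false;
  const expected = Buffer.from(sign(secret, t, rawBody), 'hex');
  return parts
    .filter(([k]) => k === 'v1')
    .some(([, v]) => {
      const got = Buffer.from(v || '', 'hex');
      // Constant-time comparison; the length check avoids a throw on bad input.
      return got.length === expected.length && timingSafeEqual(got, expected);
    });
}

// Stand-in for a webhook_events table with a unique constraint on the event ID.
class WebhookEvents {
  constructor() { this.ids = new Set(); }
  insertIfNew(id) {
    if (this.ids.has(id)) return false; // a real table raises a unique violation
    this.ids.add(id);
    return true;
  }
}

function handleWebhook(rawBody, header, secret, store, nowSeconds, applyEvent) {
  // 1. Authenticate before parsing or touching any state.
  if (!verifySignature(rawBody, header, secret, nowSeconds)) return 'rejected';
  const event = JSON.parse(rawBody);
  // 2. Claim the event ID; a redelivery of the same event stops here.
  if (!store.insertIfNew(event.id)) return 'duplicate';
  applyEvent(event);
  return 'processed';
}
```

With a database, the insert and the event's side effects belong in one transaction so a crash between them cannot mark an unprocessed event as seen.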
Users must accept the Terms of Service and Privacy Policy via a clickwrap checkbox before creating an account. This acceptance is enforced at the UI level and recorded in a dedicated audit log table with: user ID, document versions accepted, timestamp, IP address, user agent, and acceptance method.
Every user's extracted lease data is encrypted using a unique AWS Key Management Service (KMS) master key that belongs exclusively to that user. No two users share an encryption key. AccompliceRE implements industry-standard envelope encryption — the same model used by AWS S3, Google Cloud Storage, and HashiCorp Vault.
AWS KMS generates a unique Customer Master Key (CMK) for each user when they first upload a document. For each encryption operation, KMS generates a data key — a temporary AES-256 key used to encrypt the actual data. The data is encrypted locally using AES-256-GCM with a 96-bit initialization vector. The plaintext data key is immediately zeroed from memory after encryption — it is never stored.
Extracted data benefits from two independent, stacked layers of AES-256 encryption at rest. Layer 1: Application-layer encryption using AES-256-GCM with a per-user key managed by AWS KMS, stored in Vercel environment variables and not accessible to the database infrastructure provider. Layer 2: Supabase PostgreSQL independently encrypts all data at rest using AES-256, with the infrastructure-layer key held and managed by Supabase independently of AccompliceRE. A breach of one key store does not compromise both layers.
All data transmitted between the user's browser and the platform is encrypted using TLS 1.2 or higher. HSTS is enforced to prevent protocol downgrade attacks.
When a user's account is deleted, deleting their AWS KMS key renders all of their encrypted data permanently unrecoverable — even if the ciphertext remains in the database. This is crypto-shredding, the strongest possible form of data deletion.
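The envelope-encryption flow and the crypto-shredding effect described above, shown as an added example that is not AccompliceRE's code. `LocalKms` is a local stand-in for AWS KMS that holds one master key per user in memory; it and the other function names are assumptions, and no AWS API is called.

```javascript
const crypto = require('node:crypto');

// AES-256-GCM with a random 96-bit IV; output layout is iv | tag | ciphertext.
function seal(key, data) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(data), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]);
}

function unseal(key, blob) {
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  decipher.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([decipher.update(blob.subarray(28)), decipher.final()]);
}

// Stand-in for AWS KMS (assumption): master keys never leave this object.
class LocalKms {
  constructor() { this.masterKeys = new Map(); }
  createKey(userId) { this.masterKeys.set(userId, crypto.randomBytes(32)); }
  deleteKey(userId) { this.masterKeys.delete(userId); }
  keyFor(userId) {
    const key = this.masterKeys.get(userId);
    if (!key) throw new Error('master key not found');
    return key;
  }
  // Returns a fresh data key both in plaintext and wrapped under the master key.
  generateDataKey(userId) {
    const plaintext = crypto.randomBytes(32);
    return { plaintext, wrapped: seal(this.keyFor(userId), plaintext) };
  }
  unwrap(userId, wrapped) { return unseal(this.keyFor(userId), wrapped); }
}

function encryptForUser(kms, userId, record) {
  const { plaintext, wrapped } = kms.generateDataKey(userId);
  try {
    // Only the wrapped data key and the ciphertext are stored.
    return { wrapped, body: seal(plaintext, Buffer.from(JSON.stringify(record))) };
  } finally {
    plaintext.fill(0); // zero the plaintext data key once it has been used
  }
}

function decryptForUser(kms, userId, stored) {
  const dataKey = kms.unwrap(userId, stored.wrapped); // throws if the key is gone
  try { return JSON.parse(unseal(dataKey, stored.body).toString()); }
  finally { dataKey.fill(0); }
}
```

After `deleteKey`, the stored ciphertext and wrapped data key are still present but nothing can unwrap them, which is the crypto-shredding property.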
AccompliceRE's document handling policy is the strictest possible: documents are processed and immediately deleted. There is no document storage. There is no document archive. There is no backup of uploaded files.
The user uploads a document (PDF, DOCX, or DOC) via the platform. The document is written to Supabase Storage in a user-scoped private folder — accessible only to the uploading user via Row Level Security. The AI extraction pipeline processes the document and receives extracted financial terms. Extracted terms are encrypted using the user's AWS KMS key and stored as ciphertext. The original document file is deleted from Supabase Storage immediately after extraction completes. No copy of the original document is retained anywhere in AccompliceRE's infrastructure.
The only data retained after document deletion is the extracted financial terms — structured data fields like base rent, lease term, TI allowance, escalation rates, and operating expenses. This data is encrypted with the user's personal KMS key and stored as ciphertext.
AccompliceRE uses the Anthropic Claude API for document extraction.
Anthropic's commercial API terms include explicit data handling commitments that are materially different from consumer AI products. API inputs and outputs are not used to train Anthropic's models. Anthropic retains API request content for up to 30 days for abuse monitoring purposes, after which it is permanently deleted. Only the text content of uploaded documents is transmitted to Anthropic. No account information, billing data, or personal information is included in AI processing requests.
AccompliceRE does not use customer data to train, fine-tune, or otherwise improve any artificial intelligence or machine learning model. This restriction applies both to AccompliceRE directly and to all subprocessors. Anthropic's commercial API terms explicitly prohibit using API content for model training.
AccompliceRE's use of AI is classified as minimal risk under the EU AI Act framework. The platform is a productivity tool that assists licensed professionals. It does not make autonomous decisions affecting fundamental rights, does not perform biometric identification, and does not engage in profiling.
Every analysis, proposal, deal, and saved comparison is tagged with the creating user's unique ID. Database queries include a hard filter on user_id that cannot be bypassed by application logic.
Supabase PostgreSQL Row Level Security is enabled on every table. RLS policies are enforced at the database level — they cannot be bypassed by application code, API bugs, or compromised credentials. Even if an attacker obtained a valid broker JWT token, they could not query another user's data.
All credentials and API keys are stored in Vercel environment variables and never committed to source code. Internal service-to-service tokens are passed via HTTP headers, never in URL parameters.
AccompliceRE maintains audit trails for security-relevant events including Terms of Service acceptance records, Stripe webhook event processing, and authentication events. Application logs are scrubbed of sensitive content — no user-submitted document text, extracted lease terms, or financial figures appear in logs. Access and security logs are retained for 12 months.
GitHub Dependabot is enabled with automated security alerts and dependency scanning across all workspace packages. Zod validation is enforced on all inputs. Content Security Policy prevents script injection. Server-only import guards prevent API key leakage. Security concerns can be reported to security@accomplicere.com.
AccompliceRE maintains procedures for detecting, investigating, and responding to security incidents. In the event of a confirmed security incident affecting customer data, customers will be notified within 72 hours as described in the Data Processing Agreement.
AccompliceRE's data processing practices comply with the California Consumer Privacy Act (CCPA/CPRA), the Texas Data Privacy and Security Act (TDPSA), the EU General Data Protection Regulation (GDPR) to the extent applicable, and applicable comprehensive state privacy laws in all jurisdictions where they apply. AccompliceRE does not sell personal information. AccompliceRE honors Global Privacy Control (GPC) and universal opt-out signals.
Full details are provided in the Privacy Policy, Terms of Service, and Data Processing Agreement, available at accomplicere.com/legal.
For security-related inquiries: security@accomplicere.com
For privacy and legal inquiries: legal@accomplicere.com
Accomplice Real Estate, LLC d/b/a AccompliceRE