How we protect the data you access.

Encryption in transit

All API connections use TLS 1.2 minimum. TLS 1.3 preferred. No unencrypted HTTP endpoints in production. HSTS enforced.

Encryption at rest

Data at rest is encrypted using AES-256. Encryption keys are managed separately from data stores. Key rotation is automated.

Access control

API keys are scoped to specific endpoints and rate-limited. Internal systems use role-based access control. Production access is MFA-gated.

Data minimization

We normalize and store the minimum data needed to serve the evidence contract. Personal data from public registries is not stored beyond what is needed for address resolution.

Audit logging

All API requests are logged with timestamp, endpoint, key identifier (hashed) and response status. Logs are retained for 90 days. No payload content is logged.

Responsible disclosure

Security vulnerabilities can be reported to security@emlakiq.com. We respond within 5 business days and follow coordinated disclosure practices.