Security & Trust
Your data security is our priority. We protect every interaction with encryption, strict access controls, and compliance with Singapore's data protection laws.
PDPA Compliant
Full compliance with Singapore's Personal Data Protection Act 2012
PCI DSS via Stripe
Payment data secured by Stripe, a PCI Level 1 Service Provider
SOC 2 Certified Infrastructure
Hosted on infrastructure audited to SOC 2 Type II standards
CSA Cyber Essentials
Aligned with Singapore's Cyber Security Agency baseline standards
How We Protect Your Data
Security is built into every layer of our platform, from network transport to database storage.
Encryption in Transit
All data transmitted between your browser or app and our servers is protected with TLS 1.3 (256-bit encryption). Every connection uses HTTPS — no exceptions.
Encryption at Rest
Your data is stored on encrypted volumes using AES-256 encryption. Database backups and file storage are encrypted by default through our infrastructure providers.
Data Residency in Singapore
Our primary database and storage infrastructure are hosted in the Asia-Pacific (Singapore) region (ap-southeast-1), keeping your data close and subject to Singapore law.
Authentication & Access Control
We use industry-standard authentication with secure OTP verification, session management, and row-level security (RLS) policies ensuring users can only access their own data.
Input Validation & Sanitisation
Every user input is validated using strict schemas before processing. We use parameterised queries to prevent SQL injection and sanitise all outputs to prevent cross-site scripting (XSS).
Rate Limiting & Abuse Prevention
API endpoints are protected with rate limiting to prevent abuse. Automated vulnerability scanners and malicious bots are blocked at the edge.
Compliance & Certifications
We meet and exceed the regulatory requirements for operating a digital platform in Singapore.
PDPA Compliant
We collect, use, and disclose personal data only with consent and for legitimate purposes. You can request access to, correction of, or deletion of your personal data at any time.
PCI DSS via Stripe
We never store, process, or transmit credit card data on our servers. All payment processing is handled by Stripe, which maintains the highest level of PCI DSS compliance (Level 1).
SOC 2 Certified Infrastructure
Our cloud providers (Supabase/AWS and Vercel) maintain SOC 2 Type II certification, ensuring controls for security, availability, processing integrity, and confidentiality are independently audited.
CSA Cyber Essentials
Our security practices are aligned with CSA's Cyber Essentials framework, covering asset management, secure access, software updates, malware protection, and incident response.
Your Data, Your Rights
What personal data do you collect?
We collect only what is necessary to provide our services: your name, email, phone number (for account verification), property search preferences, and usage analytics. We do not sell your data to third parties.
How long do you keep my data?
Active account data is retained while your account is open. If you delete your account, personal data is purged within 30 days. Anonymised analytics may be retained for product improvement. Transaction records are retained as required by law.
Can I request my data or ask for deletion?
Yes. Under the PDPA, you have the right to access, correct, or delete your personal data. Contact our Data Protection Officer at dpo@homejourney.sg and we will respond within 30 business days.
Do you share data with third parties?
We share data only with service providers who need it to deliver our services (e.g., Stripe for payments, Supabase for database hosting). All third parties are bound by data processing agreements. We never sell personal data.
How do you handle data breaches?
In the unlikely event of a data breach, we will notify affected users and the Personal Data Protection Commission (PDPC) within 3 calendar days, as required by the PDPA. We maintain an incident response plan that is reviewed regularly.
Data Protection Officer
If you have questions about how we handle your personal data, or wish to exercise your rights under the PDPA, contact our Data Protection Officer.
Homejourney Pte. Ltd. (UEN: 202406236N) is registered in Singapore.
Last updated: March 2026