Authentication and session integrity
The production application uses industry-standard authentication. Sessions are validated on each request, and account recovery flows are designed to reduce takeover risk.
HomePassport
This page is written for housing providers and technical assessors. It summarises how we protect resident and organisational data on the platform.
Public endpoints are served over TLS. We maintain current certificates and disable weak protocol versions on production infrastructure.
The platform is multi-tenant. Provider and resident data is scoped logically so one organisation cannot access another’s records through normal application paths.
Internal access to production systems is limited to staff who need it, with logging on administrative actions. Break-glass access is documented and reviewed.
We welcome responsible disclosure. Report issues via the security contact on the Contact page with enough detail to reproduce the concern. We aim to acknowledge reports promptly and keep reporters informed as fixes ship.