Security

At Listing Labs, security is not an afterthought—it's foundational to everything we build. We understand that you trust us with your business data, and we take that responsibility seriously.

This document outlines our security practices, data protection measures, and how we work to keep your information safe.

In Transit: All data transmitted between your browser and our servers is encrypted using HTTPS with TLS 1.2 or higher. We use strong cipher suites and automatically redirect all HTTP traffic to HTTPS.

At Rest: All data stored in our databases is encrypted at rest using industry-standard encryption algorithms. This includes user accounts, listing data, analysis results, and all sensitive information.

Key Management: Encryption keys are managed securely with regular rotation and access limited to authorized personnel only.

Passwordless Authentication: We use magic link authentication, eliminating the risk of password theft or weak passwords. You receive a time-limited, one-time link via email to log in.

No Password Storage: We do not store passwords. By removing passwords from our authentication system, we eliminate one of the most common security vulnerabilities.

Session Security: Session tokens are cryptographically secure, httpOnly (not accessible to JavaScript), and automatically rotated to prevent session hijacking.

Token Expiration: Magic links expire after 15 minutes. Session tokens have limited lifetimes and are refreshed securely.

Multi-Factor Authentication: We are actively developing MFA options for enhanced security on Agency tier accounts.

Secure Hosting: Our infrastructure is hosted with reputable cloud providers that maintain SOC 2, ISO 27001, and other security certifications.

Network Security: Our network is protected by firewalls, intrusion detection systems, and continuous monitoring for suspicious activity.

Secure Development: We follow secure coding practices, conduct regular code reviews, and use automated security scanning tools throughout our development process.

Dependencies: We regularly update and patch all third-party dependencies to address known vulnerabilities.

Least Privilege: Our team members only have access to the systems and data required for their roles. Access is reviewed regularly.

Authentication: All internal system access requires strong authentication with logging and monitoring.

Background Checks: All employees with access to customer data undergo background checks.

Training: Our team receives regular security awareness training, including phishing prevention and data handling best practices.

Data Minimization: We collect only the data necessary to provide our service. We do not collect unnecessary personal information.

Public Data Only: We only scrape publicly available information from Airbnb and VRBO. We do not access private host dashboards, booking calendars, or personal communications.

No Data Selling: We never sell your personal data to third parties. Your data is used solely to provide and improve our service.

Right to Delete: You can request deletion of your account and all associated data at any time through your account settings.

Retention Periods:

• Active accounts: Data retained while account is active
• Deleted accounts: All personal data permanently deleted within 30 days
• Competitor data: Retained for up to 12 months after account deactivation
• Session data: Automatically deleted on logout or expiration

Secure Deletion: When data is deleted, it is securely wiped from our databases and backup systems to ensure it cannot be recovered.

Backup Retention: Backups are encrypted and retained for a limited period for disaster recovery purposes only.

24/7 Monitoring: Our systems are monitored 24/7 for security events, unusual activity, and potential threats.

Automated Alerts: We have automated alerts for suspicious login attempts, unusual API usage, and other security-relevant events.

Incident Response Plan: We maintain a documented incident response plan and regularly conduct drills to ensure our team is prepared.

Breach Notification: In the event of a data breach, we will notify affected users promptly in accordance with applicable laws and provide details on what happened and what we're doing about it.

Regular Assessments: We conduct regular security assessments, penetration testing, and code audits to identify and address vulnerabilities.

Bug Bounty Program: We encourage responsible disclosure of security vulnerabilities. If you discover a security issue, please report it to us following the process below.

Timely Patching: When vulnerabilities are discovered, we prioritize and deploy patches quickly, often within 24-48 hours for critical issues.

If you discover a security vulnerability or have concerns about the security of our platform, please report it to us responsibly:

Email: security@drlistinglabs.com

What to Include:

• A detailed description of the vulnerability
• Steps to reproduce the issue (if applicable)
• Potential impact and risk assessment
• Screenshots or proof of concept (if appropriate)

Our Commitment:

• We will acknowledge your report within 48 hours
• We will keep you informed of our progress
• We will work with you to verify and resolve the issue
• We will credit you for responsible disclosure (with your permission)

Responsible Disclosure Guidelines:

• Do not access, modify, or delete data that is not yours
• Do not disrupt service or degrade performance for other users
• Do not use automated scanners or tools that could impact service
• Keep the vulnerability confidential until we have addressed it

Dominican Republic Law: As a Dominican Republic-based company, we comply with local data protection and cybersecurity laws.

International Standards: We align our security practices with international frameworks including ISO 27001, NIST, and GDPR principles where applicable.

Platform Policies: Our data collection methods comply with the terms of service of Airbnb and VRBO for accessing publicly available listing data.

AI Providers: We use reputable AI providers for analysis. These providers are vetted for security and are contractually obligated to protect your data.

Email Services: Our email service provider (used for magic links and notifications) is certified for security and privacy compliance.

Vendor Assessments: All third-party services undergo security assessments before integration and are regularly reviewed.

Protect Your Email: Since we use email-based authentication, securing your email account is critical. Enable 2FA on your email account if available.

Beware of Phishing: We will never ask for your password (we don't have one). Be suspicious of emails asking for sensitive information.

Use Secure Networks: Avoid logging in from public WiFi networks. If you must, use a VPN.

Keep Software Updated: Keep your browser and operating system updated with the latest security patches.

Log Out When Done: Always log out when you're finished, especially on shared or public devices.

If you have questions about our security practices or need to report a security issue, please contact us:

Security Issues: security@drlistinglabs.com

General Inquiries: support@drlistinglabs.com

Company: Listing Labs

Location: Dominican Republic

We are committed to transparency and will respond to security-related inquiries promptly.