Security

Security at SEAREI.

What we do, what we don’t, and what’s on the roadmap. Updated May 2026.

Authentication.

Cookie-first JWT (the session token lives in a cookie rather than an Authorization header) paired with double-submit CSRF tokens. Password requirements: 12 characters minimum, and the password is rejected if its hash matches a known recent breach corpus. Sessions expire after 30 days of inactivity.
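As an added illustration (not SEAREI's own code), here is how a server can enforce the cookie-first JWT plus double-submit CSRF pattern described above: the session cookie carries the JWT, and any state-changing request must also echo the CSRF cookie in a request header, which a cross-site forgery cannot do. The cookie names `session` and `csrf`, the `X-CSRF-Token` header, HS256 signing and the sample key are assumptions for this example, not SEAREI's actual values.

```python
import base64, hashlib, hmac, json

KEY = b"demo-signing-key-not-for-production"  # constructed sample key
UNSAFE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_jwt(claims: dict, key: bytes) -> str:
    """Build an HS256 JWT; used here only to construct the sample session cookie."""
    head = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url(sig)}"

def verify_jwt(token: str, key: bytes, now: int):
    """Return the claims if the HS256 signature and `exp` are valid, else None.
    The algorithm is fixed server-side, so a tampered `alg` header cannot downgrade it."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    head, body, sig = parts
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    try:
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            return None
        claims = json.loads(b64url_decode(body))
    except ValueError:  # malformed base64 or JSON
        return None
    return claims if claims.get("exp", 0) > now else None

def authorize(method: str, cookies: dict, headers: dict, key: bytes, now: int) -> int:
    """HTTP status for a request: 401 missing/invalid session, 403 CSRF failure, 200 ok."""
    claims = verify_jwt(cookies.get("session", ""), key, now)
    if claims is None:
        return 401
    if method.upper() in UNSAFE_METHODS:
        # Double-submit: the browser attaches cookies automatically to a cross-site
        # request, but only same-origin script can copy the csrf cookie into a header.
        sent = headers.get("X-CSRF-Token", "")
        if not sent or not hmac.compare_digest(sent, cookies.get("csrf", "")):
            return 403
    return 200
```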

Encryption.

TLS 1.3 in transit. AES-256 at rest in S3. HTTPS-only across all SEAREI domains.

Tenancy.

Each organization’s listing photos and compliance artifacts are isolated by org ID at the bucket-policy and database-row level. Cross-tenant reads return 403, never 404.

PII handling.

Sentry runs with send_default_pii=False. PostHog product analytics never receive customer photos or listing details. Anthropic Claude (used for AI staging generation) does not train on customer photos under our enterprise terms.

Sub-processors.

AWS S3 (storage and hosting), Stripe (payment processing), Anthropic (AI staging generation), Sentry (error tracking), PostHog (product analytics). Full DPA available on request.

2FA.

On the roadmap, targeted for Q3 2026.

What’s not in v1.

SOC 2 Type II is not yet certified — targeted 2027. Customer-managed encryption keys are not in v1. Single-tenant deployments are not offered. We will not silently change this list; updates are dated and shipped.

Security questions and review requests: security@searei.com.

Need a security review call?

For architecture, encryption, or sub-processor questions, schedule 15 minutes with Sam. For everything else, security@searei.com gets routed within one business day.