Security and privacy

The public website and the case-work application must not be treated the same.

Reentry Address separates public information, sales inquiries, and product education from the protected workspace where authorized organizations would manage operational records.

Current boundary

This website is not a case-management system.

The public Reentry Address site explains the product and collects business inquiries. It should not receive client names, registry details, victim information, medical records, Social Security numbers, court files, or other case documents.

Public marketing site

Product information, methodology, security disclosures, and demo requests.

Current release

Controlled SafeAddress evaluation

Approved users, limited or non-identifying data, and explicit browser-storage warnings.

Controlled use only

Production organization workspace

Named users, MFA, roles, central database, audit history, private files, and organization isolation.

Production build path

Production model

Security controls should follow the person, organization, and record

An IP address can strengthen access policy, but it cannot replace named user identity.

Named login and MFA

Every user should have a unique identity. Shared accounts undermine accountability and make offboarding unreliable.

Role-based permissions

Case workers, reviewers, housing providers, auditors, organization administrators, and platform staff need different authority.

Organization isolation

Every protected record should be tied to an organization and checked server-side before it is returned.

Central protected storage

Operational records should move out of browser localStorage into encrypted, backed-up, access-controlled services.

Append-only audit trail

Record the user, organization, action, changed values, time, rule version, source versions, and review decision.

Evidence-grade reports

Generate official reports from frozen server-side inputs and preserve a hash so the result can be reproduced later.

Data minimization

Collect less. Retain less. Expose less.

A housing-screening product should not become a second criminal-history database.

Minimum identity data

Use case identifiers or initials where full identity is unnecessary for the task.

Defined retention

Records should have a business reason, owner, retention period, and deletion or legal-hold process.

Private files

Supporting documents should use private object storage and short-lived download links.

Support access controls

Platform staff access should be time-limited, logged, approved, and restricted to what support requires.

Claims we will not make

Security language has to match what is actually implemented

Trust collapses when a product claims certifications or protections it has not earned.

  • No claim of SOC 2 certification until an audit is complete
  • No claim of CJIS compliance without the required architecture, agreements, controls, and review
  • No claim of HIPAA compliance merely because some users work in health or behavioral-health settings
  • No promise that a browser-only pilot is suitable for live, multi-user case records
  • No use of “fully secure” or “enterprise-grade” as a substitute for documented controls

A clearer first step

Bring your security questionnaire early.

We would rather identify a control gap before a pilot than explain it after live data is involved.