Security Best Practices

Keep your Realtor Bot account and data secure with these best practices.

Account Security

Strong Passwords

Create a strong password:

  • ✅ At least 12 characters
  • ✅ Mix of uppercase and lowercase
  • ✅ Include numbers and symbols
  • ✅ Avoid common words or patterns
  • ❌ Don't reuse passwords from other sites

Two-Factor Authentication (2FA)

Enable 2FA for extra security:

  1. Go to Settings → Security
  2. Click Enable Two-Factor Authentication
  3. Scan QR code with authenticator app
  4. Enter verification code
  5. Save backup codes in a secure location

Session Management

Manage active sessions:

  1. Go to Settings → Security → Active Sessions
  2. Review logged-in devices
  3. Sign out suspicious sessions
  4. Enable Auto-logout after 30 minutes of inactivity

API Security

API Key Management

Protect your API keys:

  • Never commit keys to version control
  • Rotate keys regularly (every 90 days)
  • Use environment variables for keys
  • Limit key permissions to minimum required
  • Don't share keys via email or chat

Creating API Keys

  1. Go to Settings → API Keys
  2. Click Create New Key
  3. Set permissions:
    • Read-only
    • Read/Write
    • Admin
  4. Set expiration date
  5. Copy key immediately (shown only once)

Revoking Keys

If a key is compromised:

  1. Go to Settings → API Keys
  2. Find the compromised key
  3. Click Revoke
  4. Create a new key
  5. Update all integrations

Integration Security

OAuth Connections

When connecting integrations:

  • Review permissions before authorizing
  • Use official OAuth flows only
  • Revoke unused integrations regularly
  • Monitor integration activity in logs

Webhook Security

Secure your webhooks:

  1. Use HTTPS only - Never use HTTP
  2. Verify signatures - Validate webhook signatures
  3. Whitelist IPs - Restrict to known IP addresses
  4. Use secrets - Include secret tokens in headers

Example webhook verification:

const crypto = require('crypto');

// Recompute the HMAC-SHA256 of the raw request body with the shared webhook
// secret and compare it with the signature sent in the header. The comparison
// is constant-time so a caller cannot learn how much of a guessed signature
// matched from response timing; the length check is required because
// timingSafeEqual throws on buffers of different lengths.
function verifyWebhook(payload, signature, secret) {
  const hash = crypto
    .createHmac('sha256', secret)
    .update(payload)
    .digest('hex');

  const expected = Buffer.from(hash, 'hex');
  const received = Buffer.from(String(signature), 'hex');
  if (received.length !== expected.length) return false;

  return crypto.timingSafeEqual(expected, received);
}

Data Protection

Sensitive Data

Handle sensitive information carefully:

  • Encrypt at rest - All data encrypted in database
  • Encrypt in transit - HTTPS for all connections
  • Mask in logs - Hide sensitive data in logs
  • Limit access - Role-based permissions

Data Retention

Configure data retention policies:

  1. Go to Settings → Data Retention
  2. Set retention periods:
    • Conversation logs: 90 days
    • Lead data: 2 years
    • Analytics: 1 year
  3. Enable automatic deletion

Data Export

Export your data securely:

  1. Go to Settings → Data Export
  2. Request export
  3. Receive encrypted download link via email
  4. Download within 24 hours
  5. Delete file after download

Team Security

User Roles

Assign appropriate roles:

  • Admin - Full access to all features
  • Manager - Manage bots and workflows
  • Agent - View assigned leads only
  • Viewer - Read-only access

Inviting Team Members

  1. Go to Settings → Team
  2. Click Invite Member
  3. Enter email address
  4. Select role
  5. Set permissions
  6. Send invitation

Removing Access

When team members leave:

  1. Go to Settings → Team
  2. Find the user
  3. Click Remove
  4. Transfer their data to another user
  5. Review and revoke any API keys they created

Compliance

GDPR Compliance

For EU customers:

  • Obtain consent before collecting data
  • Provide privacy policy link
  • Honor deletion requests within 30 days
  • Allow data export in machine-readable format

CCPA Compliance

For California customers:

  • Disclose data collection practices
  • Allow opt-out of data selling
  • Provide data access upon request
  • Delete data upon request

CAN-SPAM Compliance

For email communications:

  • Include unsubscribe link in all emails
  • Honor opt-outs within 10 days
  • Use accurate sender information
  • Include physical address in footer

Monitoring & Alerts

Security Alerts

Enable alerts for:

  • Failed login attempts (5+ in 10 minutes)
  • New device logins
  • API key usage spikes
  • Unusual data access patterns
  • Integration disconnections
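The failed-login rule above (5 or more attempts in 10 minutes) applied to exported audit log lines, as an added example that is not part of the Realtor Bot documentation; the log line format and the sample entries are constructed for illustration, and the sliding window means any 10-minute span, not fixed clock intervals:

```javascript
// Constructed example, not Realtor Bot code: flag accounts whose failed logins
// reach the alert threshold inside any sliding 10-minute window.
const FAILURE_THRESHOLD = 5;
const WINDOW_MS = 10 * 60 * 1000;

// Constructed sample audit log: "<ISO timestamp> <user> <action> <result>"
const sampleLog = `
2024-05-01T09:00:05Z alice login failure
2024-05-01T09:01:10Z alice login failure
2024-05-01T09:02:30Z bob login success
2024-05-01T09:03:45Z alice login failure
2024-05-01T09:05:00Z alice login failure
2024-05-01T09:06:12Z alice login failure
2024-05-01T09:20:00Z bob login failure
2024-05-01T09:31:00Z bob login failure
`;

// Parse one event per non-empty line into { time (epoch ms), user, action, result }.
function parseLog(text) {
  return text
    .split('\n')
    .map((line) => line.trim())
    .filter(Boolean)
    .map((line) => {
      const [ts, user, action, result] = line.split(/\s+/);
      return { time: Date.parse(ts), user, action, result };
    });
}

// Return the users with at least `threshold` failed logins within `windowMs`.
function findBruteForceCandidates(events, threshold = FAILURE_THRESHOLD, windowMs = WINDOW_MS) {
  const failuresByUser = new Map();
  for (const ev of events) {
    if (ev.action !== 'login' || ev.result !== 'failure') continue;
    if (!failuresByUser.has(ev.user)) failuresByUser.set(ev.user, []);
    failuresByUser.get(ev.user).push(ev.time);
  }
  const flagged = [];
  for (const [user, times] of failuresByUser) {
    times.sort((a, b) => a - b);
    let start = 0; // oldest failure still inside the window ending at times[end]
    for (let end = 0; end < times.length; end++) {
      while (times[end] - times[start] > windowMs) start++;
      if (end - start + 1 >= threshold) { flagged.push(user); break; }
    }
  }
  return flagged;
}

console.log(findBruteForceCandidates(parseLog(sampleLog))); // prints [ 'alice' ]
```

bob's two failures are 11 minutes apart, so they never share a window and he is not flagged even with a lower threshold.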

Audit Logs

Review audit logs regularly:

  1. Go to Settings → Audit Logs
  2. Filter by:
    • User
    • Action type
    • Date range
  3. Export logs for compliance

Incident Response

If you suspect a security breach:

  1. Immediately change your password
  2. Revoke all API keys
  3. Review audit logs for suspicious activity
  4. Contact support at security@realtorbot.app
  5. Document the incident

Best Practices Checklist

  • ✅ Enable two-factor authentication
  • ✅ Use strong, unique passwords
  • ✅ Rotate API keys every 90 days
  • ✅ Review team access quarterly
  • ✅ Monitor audit logs weekly
  • ✅ Keep integrations up to date
  • ✅ Train team on security practices
  • ✅ Have incident response plan

Resources