
HomeAxis
Information Security Policy


Effective Date: April 22, 2026

Company: Diamond Hill Ventures LLC (HomeAxis)

Contact: support@homeaxispro.com

 

1.  Overview & Scope

Diamond Hill Ventures LLC, operating as HomeAxis ('Company,' 'we,' 'us'), is committed to maintaining the security, confidentiality, integrity, and availability of all data entrusted to us by our users, partners, and integration platforms.

This Information Security Policy applies to all HomeAxis platform components, including the HomeAxis mobile application (iOS and Android), the Firebase/Firestore backend infrastructure, third-party service integrations (including Stripe, RevenueCat, and Twilio), the HomeAxis web presence, and any future KW Command API integration.

This policy governs all data processed by HomeAxis, including personal data of real estate agents, client contact information, transaction data, SMS communication logs, and community platform data.

 

2.  Data Infrastructure & Cloud Security

HomeAxis is built on Google Firebase, a fully managed cloud platform operated by Google LLC. Firebase provides enterprise-grade security infrastructure that HomeAxis leverages as its primary data store and authentication system.

Firebase/Google Cloud security measures include:

  • Data encrypted at rest using AES-256 encryption across all Firestore database collections

  • Data encrypted in transit using TLS 1.2 or higher for all communications between the mobile app and Firebase backend

  • Google Cloud infrastructure maintains SOC 1, SOC 2, SOC 3, ISO 27001, ISO 27017, ISO 27018, and PCI DSS compliance certifications

  • Firebase Security Rules enforce role-based access control at the database level — users can only read and write data explicitly permitted by their authentication role

  • Firebase Authentication provides secure user identity management with support for email/password, Google Sign-In, and Apple Sign-In

HomeAxis configures and maintains Firestore Security Rules to ensure data isolation between users, teams, and communities. No user can access another user's transaction data, client information, or community content without explicit permission grants.

 

3.  Mobile Application Security

The HomeAxis mobile application is distributed exclusively through the Apple App Store and Google Play Store. Both platforms enforce security reviews and code signing requirements before any application update is published.

  • Apple App Store Review: All HomeAxis iOS builds are reviewed by Apple prior to release, including privacy manifest review and API usage justification

  • Google Play Store Review: All HomeAxis Android builds undergo automated and manual security review by Google prior to release

  • Code signing: All application binaries are signed with platform-issued certificates, preventing tampering or unauthorized distribution

  • No sensitive data is stored in plain text on the device. Authentication tokens are stored in platform-native secure storage (iOS Keychain, Android Keystore)

  • The application does not collect data beyond what is necessary for transaction management functionality

  • The application does not access device contacts, camera, microphone, or location without explicit user consent and functional necessity

 

4.  Access Control & Authentication

HomeAxis enforces the principle of least privilege across all platform roles. Access to data is limited to what is required for each user's functional role.

  • All user accounts require email verification upon registration

  • Passwords are never stored in plaintext — Firebase Authentication handles credential management using industry-standard hashing

  • Community admin roles are explicitly assigned and cannot be self-granted by standard users

  • Team member access to shared transactions requires an explicit invitation from the team owner

  • Community membership requires a valid community join code — access is not open by default

  • Administrative access to the Firebase console is limited to authorized HomeAxis personnel only, protected by multi-factor authentication

  • Third-party API keys (Stripe, Twilio, RevenueCat) are stored as environment variables in secure server-side configurations — never exposed in client-side code or public repositories

 

5.  Third-Party Service Providers

HomeAxis uses the following third-party services to deliver platform functionality. Each provider maintains their own security certifications and compliance programs.

| Provider | Purpose | Security Compliance |
| --- | --- | --- |
| Google Firebase | Backend, database, authentication | SOC 1/2/3, ISO 27001, PCI DSS, GDPR compliant |
| Stripe | Payment processing and billing | PCI DSS Level 1 certified, SOC 1 & 2 Type II |
| RevenueCat | Subscription entitlement management | SOC 2 Type II certified |
| Twilio | SMS delivery infrastructure | ISO 27001, SOC 2 Type II, GDPR compliant |
| Apple App Store | iOS app distribution | Apple Developer Program security review |
| Google Play Store | Android app distribution | Google Play security review and scanning |

 

 

6.  Data Classification & Handling

HomeAxis classifies data into three categories, each with corresponding handling requirements.

Sensitive Data — handled with highest protection:

  • User authentication credentials (managed exclusively by Firebase Authentication — never stored in Firestore)

  • Payment card data (never stored by HomeAxis — processed exclusively by Stripe)

  • Client personal information (name, phone, email) stored in Firestore with role-based access controls

Transaction Data — restricted to authorized users:

  • Transaction details, task records, milestone dates, and SMS logs are stored in Firestore and accessible only by the owning agent, explicitly invited team members, and community admins within their community scope

  • Transaction data is never shared across user accounts without explicit permission

Platform Operational Data — internal use:

  • Usage analytics and error logs are collected to improve platform performance and are not linked to personally identifiable information

 

7.  SMS Communication Security

HomeAxis enables agents to send SMS messages to their real estate clients and co-brokers through their native device SMS software and Twilio's messaging infrastructure. The following security controls apply to all SMS functionality.

  • SMS messages are sent exclusively to clients who have an existing representation agreement with the agent

  • Message content is logged within the agent's private transaction record in Firestore with a timestamp — accessible only by the sending agent and explicitly authorized team members

  • SMS logs are never shared with third parties except as required by law

  • Automated SMS triggers are tied to specific transaction milestones — they do not operate as a mass marketing or cold outreach tool

  • The user's native device SMS software and Twilio handle message delivery and maintain carrier-level compliance with TCPA and CAN-SPAM regulations; messages are typically sent directly from the user's phone number

  • Agents may disable, cancel, or opt out of automated SMS on any transaction or task at any time. SMS communications are sent only with the user's consent.

 

8.  KW Command API Integration Security

HomeAxis is pursuing integration with KW Command via the DevHub API program. The following security principles will govern all data exchange between HomeAxis and KW Command.

  • All API communication between HomeAxis and KW Command will use HTTPS/TLS encrypted connections

  • Authentication with the KW Command API will use OAuth 2.0 server-to-server or user-based authentication flows as specified in the DevHub documentation

  • HomeAxis will request only the minimum API scopes necessary to perform the integration functions — specifically Contacts, Opportunities, and Tasks

  • Data received from Command (contact records, opportunity data) will be stored in Firestore under the same security rules as all other HomeAxis data

  • Data pushed to Command (completed tasks, SMS logs, milestone updates) will be transmitted via the Command API and not retained separately by HomeAxis beyond the agent's own transaction record

  • KW API credentials and tokens will be stored as secure environment variables — never in client-side code or publicly accessible repositories

  • HomeAxis will comply with all data handling requirements specified in the KW Developer Platform terms of service

 

9.  Incident Response

In the event of a confirmed or suspected data security incident, HomeAxis will follow the procedure below.

  • Detection & containment: Identify the scope of the incident and take immediate steps to contain unauthorized access or data exposure

  • Assessment: Determine what data was affected, how many users are impacted, and the nature of the vulnerability

  • Notification: Notify affected users within 72 hours of confirmed breach discovery, consistent with GDPR requirements. Notify relevant regulatory authorities as required by applicable law

  • Remediation: Address the root cause, deploy security patches, and document corrective actions taken

  • Post-incident review: Conduct a root cause analysis and update security controls to prevent recurrence

Security incidents or vulnerabilities can be reported to support@homeaxispro.com. HomeAxis commits to acknowledging all security reports within 48 hours.

 

10.  Developer & Internal Access Controls

HomeAxis is currently operated by a small core team. The following controls govern internal access to production systems.

  • Firebase console access is limited to authorized personnel and protected by Google Account multi-factor authentication

  • Production database access requires explicit IAM role assignment — access is not granted by default

  • All code changes go through version-controlled repositories — no direct production code modifications

  • Third-party API keys are rotated periodically and immediately upon any personnel change

  • Access to Stripe and billing systems is limited to the company principal and is protected by multi-factor authentication

 

11.  Policy Review & Updates

This Information Security Policy is reviewed and updated at minimum annually, or whenever significant changes are made to the HomeAxis platform architecture, third-party service providers, or applicable legal requirements.

Updates to this policy will be posted at www.homeaxispro.com/information-security-policy with the effective date of the revision.

Questions regarding this policy may be directed to:

HomeAxis Security Contact

Email: support@homeaxispro.com

Mailing Address: PO Box 31, Cumberland, RI 02864

Phone: 1-833-694-8273
