HomeVision resource
Security
How HomeVision protects your workspace, customer data, connected accounts, and payments.
Last updated: June 27, 2026
Contractor teams trust HomeVision with leads, customer details, project scopes, proposals, schedules, connected account data, and payment activity. This page outlines the controls and practices we use to keep that information safe. Security is a shared responsibility: we maintain the platform, and account administrators control who in their workspace has access to what.
Account access
- Owner accounts sign in with Google, which enforces the security settings configured on your Google account (including 2-step verification when enabled).
- Team and portal users sign in with credentials issued by their workspace administrator and can be deactivated at any time.
- Role-based access lets administrators control which modules and records each user can see, edit, or share.
- Session controls keep authenticated sessions scoped to the user and the workspace they signed into.
Data in transit and at rest
- All connections to the marketing site, application, mobile experience, and public customer-facing links are encrypted with HTTPS / TLS.
- Customer Data is stored in managed databases and object storage with encryption at rest provided by our cloud infrastructure.
- Authentication credentials and tokens are protected using industry-standard hashing, encryption, and secret-management practices.
Connected account and OAuth token security
HomeVision does not ask for or store your Google account password. When you connect Google Calendar, Google issues OAuth tokens that allow HomeVision to operate the Calendar sync feature you authorized.
- OAuth access and refresh tokens are encrypted at rest.
- Calendar and token requests are transmitted over HTTPS / TLS.
- Production access is limited to authorized systems and personnel who need access to operate, support, or secure the Services.
- Disconnecting Google Calendar marks the connection inactive and clears stored OAuth access and refresh tokens from HomeVision.
- Limited sync logs and metadata may be retained only as needed for troubleshooting, security, legal compliance, backup integrity, and service operations.
- Google Calendar data is used only to provide and secure the Calendar sync feature. It is not sold, used for advertising, used for credit or lending decisions, or used to train generalized artificial intelligence or machine-learning models.
Payments
Online payments collected through HomeVision are processed by a third-party PCI-DSS compliant payment processor. Full payment card numbers are not stored on HomeVision systems; we retain only the metadata needed to display transaction status to contractors and homeowners (such as amount, last four digits, and processor reference identifiers).
Infrastructure and hosting
- HomeVision runs on major cloud infrastructure providers that maintain industry security certifications for their underlying platforms.
- Workloads are isolated, and production access is limited to authorized personnel for maintenance, support, and incident response.
- Internal access to production systems requires authenticated sessions and is monitored.
Backups and availability
We perform regular backups of production data and monitor system health continuously. We design for resilience but do not guarantee uninterrupted service. Status, availability, and maintenance windows are communicated to administrators as needed.
Software security practices
- Source code is maintained in version control with peer review for changes that affect customer-facing systems.
- We use automated tests and review processes to reduce the risk of regressions before changes reach production.
- Dependencies are reviewed and updated to address known vulnerabilities.
- Secrets, API keys, and credentials are managed outside of source code.
Vendors and subprocessors
We use vetted third-party providers for cloud hosting, email delivery, analytics, error monitoring, payments, and similar functions. These vendors are bound by agreements that limit how they may use information shared with them in connection with the Services.
Customer responsibilities
Account administrators play an important role in keeping workspaces secure. We recommend:
- Enabling 2-step verification on Google accounts used for sign-in.
- Reviewing user access on a regular cadence and removing access for people who have left the team.
- Assigning roles and permissions based on what each team member needs to do their work.
- Treating customer-facing links (proposals, invoices, booking pages) as sensitive and only sharing them with the intended recipient.
- Disconnecting integrations that are no longer needed and reviewing connected Google account permissions regularly.
Reporting a security concern
If you believe you have found a vulnerability, an exposed credential, or any other security issue, please email security@homevisions.ai with details and reproduction steps. We appreciate responsible disclosure and will acknowledge legitimate reports.