T-Agent | Real Estate Unlocked
Information Security Policy
This policy describes the security controls, practices, and procedures that protect data and systems operated by Your KC Homes LLC.
Organization: Your KC Homes LLC
Effective Date: January 1, 2025
Last Reviewed: March 20, 2026
Security Contact: jared@yourkchomes.com
1. Purpose
- This policy establishes the information security framework for Your KC Homes LLC to protect business data, customer information, and integrated third-party services from unauthorized access, disclosure, or loss.
2. Scope
- This policy applies to all systems, applications, and data managed by the Company, including business financial data and bank account integrations, customer and client records, internal infrastructure and servers, and third-party API integrations (Plaid, Stripe, etc.).
3. Access Control
- All production systems require authenticated access via SSH key or VPN (Tailscale).
- Network segmentation is enforced via VLANs separating production, IoT, and guest traffic.
- Administrative access is limited to the business owner.
- Third-party API credentials are stored in environment variables on the server, never committed to source code or version control.
- API keys and tokens are rotated periodically and upon any suspected compromise.
4. Encryption
- In transit: All external communications use TLS 1.2 or higher. Encrypted tunnels provide secure remote access.
- At rest: Sensitive configuration files and credentials are stored on encrypted volumes.
5. Data Classification
- Confidential: API keys, bank credentials, customer PII — encrypted storage, access-controlled, no sharing.
- Internal: Financial reports, transaction data — private infrastructure only, not publicly accessible.
- Public: Marketing content, website pages — no restrictions.
6. Network Security
- Firewall with stateful packet inspection protects all network boundaries.
- Production, management, IoT, and guest networks operate on separate VLANs.
- Remote access is restricted to encrypted mesh VPN — no open ports exposed to the public internet.
- Automated health checks and alerting monitor all services continuously.
7. Third-Party Integration Security
- OAuth tokens and API keys are stored server-side in environment variables with no client-side exposure.
- Webhook endpoints validate request signatures (HMAC) where supported by the provider.
- Data received from third parties (Plaid, Stripe) is stored on private infrastructure and not shared externally.
- Consumer financial data is never resold, shared with, or disclosed to any third party for marketing purposes.
8. Incident Response
- Detection: Automated monitoring of service health, API errors, and unusual activity with log aggregation.
- Containment: Compromised credentials are revoked immediately and affected systems are isolated.
- Eradication: Threats are removed and vulnerabilities are patched.
- Recovery: Systems are restored from backups if needed and integrity is verified.
- Notification: Affected third-party providers are notified within 72 hours of a confirmed breach. Affected individuals are notified per applicable law.
9. Backup and Recovery
- Daily automated backups of all critical data to secondary encrypted storage.
- 7-day rolling retention with automated rotation.
- Recovery testing performed periodically to verify backup integrity.
10. Personnel Security
- The Company is owner-operated. No employees or contractors currently have access to production systems.
- If contractors are engaged, access will be provisioned on a least-privilege basis and revoked upon completion of work.
11. Compliance
- Financial data handling complies with IRS record retention requirements.
- Payment processing complies with PCI-DSS via Stripe — card numbers are never directly handled.
- Bank data access via Plaid complies with Plaid's data security requirements and end-user privacy policy.
12. Policy Review
- This policy is reviewed annually or upon significant infrastructure changes, whichever comes first.
13. Contact
T-Agent | Real Estate Unlocked (Tolley AI)
Security Contact: jared@yourkchomes.com
Website: https://tolley.io