Trust & Security Center

Last Updated: January 15, 2025

โ† Back to Home

1. Overview

Security and data integrity are foundational to everything GracyRein builds. Our guests, property owners, and management partners trust us with sensitive information — access codes, financial data, personal contact details — and we treat that responsibility as non-negotiable.

This page describes the technical, organizational, and procedural safeguards we maintain across our platform.

Encryption

  • TLS 1.3 for all data in transit
  • AES-256 for data at rest
  • End-to-end encryption for access codes shared with guests

Email Authentication

  • SPF record authorizing Mailgun infrastructure
  • DKIM with 2048-bit key signing
  • DMARC enforced at p=reject
  • Full domain alignment on all outbound mail
โ˜๏ธ

Infrastructure

  • AWS US-East-1 with multi-AZ redundancy
  • Auto-scaling for peak booking seasons
  • Dedicated sending IP via Mailgun
  • 99.97% measured platform uptime

Monitoring

  • 24/7 uptime and delivery monitoring
  • Automated alerting for bounce/complaint spikes
  • Volume anomaly detection (alerts at 2× baseline)
  • Monthly compliance review of sending patterns

2. Security Practices

Access Controls

  • RBAC: Role-based access control across the entire platform. Team members receive only the minimum permissions required for their role.
  • MFA: Multi-factor authentication is mandatory for all GracyRein employees and is available (and encouraged) for Client accounts.
  • Session Management: Automatic session expiration after 30 minutes of inactivity. Session tokens are rotated on privilege escalation.

Data Protection

  • All databases are encrypted at rest using AES-256
  • Backups are encrypted and stored in a separate AWS region
  • Sensitive fields (access codes, payment references) are additionally encrypted at the application layer
  • Development and staging environments use synthetic data — never production data

Application Security

  • Automated dependency scanning via Dependabot
  • Static Application Security Testing (SAST) in CI/CD pipeline
  • Annual penetration testing by an independent third party
  • Security-focused code review for all pull requests touching auth, billing, or email modules

3. Infrastructure Details

Cloud Hosting

The Platform is hosted on Amazon Web Services (AWS) US-East-1 (Northern Virginia) with multi-Availability-Zone deployment for high availability. Auto-scaling groups handle seasonal traffic surges during Florida's peak vacation seasons without degradation.

Email Delivery

  • Provider: Mailgun (Sinch) — SMTP relay
  • Dedicated IP: Warm-up completed; reputation score monitored daily
  • Average Daily Volume: ~11,500 transactional emails
  • Complaint Rate: Consistently < 0.04%
  • Bounce Rate: Maintained below 1.6%
  • Authentication: SPF + DKIM (2048-bit) + DMARC (p=reject)

4. Incident Response

GracyRein follows a five-step incident response process:

  1. Detection — Automated monitoring and alerting (within minutes)
  2. Triage — On-call engineers classify severity and assemble the response team (within 30 minutes for critical incidents)
  3. Containment — Isolate affected systems to prevent further impact
  4. Remediation — Apply fixes, restore services, and verify resolution
  5. Post-Incident Review — Root cause analysis within 5 business days; findings documented and preventative measures implemented

GDPR Data Breach Notification: We notify the relevant supervisory authority within 72 hours of confirming a personal data breach. Affected individuals are notified without undue delay when the breach is likely to result in a high risk to their rights.

5. Logging & Audit Trail

| Log Type | Retention | Details |
| --- | --- | --- |
| Email delivery logs | 90 days | Recipient (hashed), message type, delivery status, timestamp |
| User access logs | 12 months | Login events, IP address, actions performed |
| Template change logs | 12 months | Who changed, what changed, approval status |
| Configuration change logs | 12 months | Setting modifications (sending rules, rate limits, routing) |

All logs are stored in tamper-evident storage. Export is available on request for compliance review.

6. Compliance

GracyRein maintains compliance with the following regulations and frameworks:

  • GDPR — General Data Protection Regulation (EU)
  • CCPA — California Consumer Privacy Act
  • CAN-SPAM Act — US federal email law
  • CASL — Canada's Anti-Spam Legislation

For details on data handling, see our Privacy Policy. For email-specific policies, see our Acceptable Use Policy.

7. Email Practices — Detailed

This section expands on the email safeguards summarized on our main page.

Recipient Verification

Every recipient must have a verified email address. Staff and managers verify via confirmation link during registration. Guest emails are validated through the booking channel. Disposable email domains are flagged for review, and known invalid domains are rejected outright.

Suppression List Management

Our global suppression list is updated in real time from three sources: hard bounces, spam complaints (via FBL), and manual removal requests. The suppression list is consulted before every outbound send. Addresses on the list are never contacted again unless the recipient explicitly re-subscribes through a verified flow.

Bounce & Complaint Workflows

  • Hard Bounce: Address is immediately and permanently suppressed
  • Soft Bounce: Retried 3 times over 24 hours; if all retries fail, the address is suppressed
  • Spam Complaint: Address is instantly suppressed; complaint is logged and triaged by operations within 4 hours

Feedback Loop (FBL) Monitoring

We are enrolled in FBL programs with major ISPs (Gmail, Yahoo/AOL, Microsoft). Complaint data feeds back into our suppression engine within minutes. Monthly complaint triage reports are reviewed by the compliance team.

Rate Limiting & Anomaly Detection

Per-account and per-template rate caps prevent unexpected volume surges. Our anomaly detector compares current sending against a rolling 7-day baseline; any spike exceeding 2× the norm automatically pauses sending and alerts the operations team for manual review.
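
A sketch of the send-time gate that the Suppression List Management, Bounce & Complaint Workflows and Rate Limiting & Anomaly Detection sections describe, added here as an illustration; it is not GracyRein's code. The class and method names are hypothetical, volume is counted per day, the 24-hour retry schedule is not modelled, and the sample addresses in any test are constructed.

```python
from collections import deque
from dataclasses import dataclass, field

SOFT_BOUNCE_RETRIES = 3   # page: soft bounces are retried 3 times
SPIKE_FACTOR = 2.0        # page: pause when sending exceeds 2x the baseline
BASELINE_DAYS = 7         # page: rolling 7-day baseline

@dataclass
class SendGate:           # hypothetical name, not a real product API
    suppressed: dict = field(default_factory=dict)      # address -> reason
    soft_bounces: dict = field(default_factory=dict)    # address -> consecutive soft bounces
    history: deque = field(default_factory=lambda: deque(maxlen=BASELINE_DAYS))
    sent_today: int = 0
    paused: bool = False  # cleared only by an operator after manual review

    def record_event(self, address, kind):
        """Apply one delivery event reported by the mail provider."""
        address = address.strip().lower()
        if kind in ("hard_bounce", "complaint"):
            self.suppressed[address] = kind              # immediate suppression
        elif kind == "soft_bounce":
            n = self.soft_bounces.get(address, 0) + 1
            self.soft_bounces[address] = n
            # Assumption: the first bounce plus 3 failed retries = 4 in a row.
            if n > SOFT_BOUNCE_RETRIES:
                self.suppressed[address] = "soft_bounce_exhausted"
        elif kind == "delivered":
            self.soft_bounces.pop(address, None)         # a success resets the count
        else:
            raise ValueError(f"unknown event kind: {kind}")

    def close_day(self):
        """Roll today's volume into the 7-day window and start a new day."""
        self.history.append(self.sent_today)
        self.sent_today = 0

    def try_send(self, address):
        """Return 'sent', 'suppressed' or 'paused' for one outbound message."""
        if address.strip().lower() in self.suppressed:   # consulted before every send
            return "suppressed"
        if self.paused:
            return "paused"
        # Assumption: with no history yet (cold start) there is no baseline to compare.
        baseline = sum(self.history) / len(self.history) if self.history else 0
        if baseline and self.sent_today + 1 > SPIKE_FACTOR * baseline:
            self.paused = True                           # alerting hook would go here
            return "paused"
        self.sent_today += 1
        return "sent"
```

The suppression check runs before the pause check, so a suppressed address is reported as suppressed even while sending is paused.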

RBAC for Sending

Only users with the Admin role can create or modify email templates, adjust sending rules, or change routing configurations. All such changes require peer approval (second Admin or designated approver). Changes are logged with timestamp, user identity, and diff.

Audit Trail for Templates & Rules

Every template edit, sending-rule change, or suppression-list override is recorded in an immutable audit log retained for 12 months. Access logs (who viewed/exported delivery data) are retained for the same period.

Reporting Abuse

If you believe you received an unwanted message from a GracyRein-powered notification, please contact abuse@gracyreinflorida.com. We investigate every report within one business day.

8. Responsible Disclosure

We welcome responsible security research. If you discover a vulnerability:

  • Email security@gracyreinflorida.com with a detailed description
  • Include steps to reproduce, potential impact, and any proof-of-concept
  • We will acknowledge receipt within 48 hours
  • Assessment and initial response within 5 business days
  • We will not pursue legal action against researchers acting in good faith

9. Contact

For security or trust-related inquiries:

Security & Compliance Team
GracyRein Florida, Inc.
2740 Ponce de Leon Blvd, Suite 210
Coral Gables, FL 33134
Email: security@gracyreinflorida.com
Phone: +1 (786) 429-3187
