Security & compliance

Encrypted by design, but not launch-certified yet.

The current preview mode intentionally avoids collecting real guest data. Before RFJ accepts real inquiries, documents, contracts, or payments, production must complete the encryption, privacy, compliance, and legal checklist.

Encryption plan

Traffic, storage, sessions, and payments.

TLS/HTTPS for all traffic before launch; redirect HTTP to HTTPS and enable HSTS.

No raw credit card collection; Stripe-hosted invoices/checkout only.

Production database encrypted at rest with field-level encryption for sensitive PII.

HttpOnly, Secure, SameSite cookies for sessions; short-lived tokens and rotation.

Passwordless magic links or strong password hashing with Argon2/bcrypt if passwords are used.

Role-based access control for owner vs guest accounts plus audit logs for every status/data change.
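
A launch-gate check for the HTTPS redirect, HSTS, and session-cookie items above, as an added example (not code from this site). The response dictionaries are constructed samples, and `MIN_HSTS_AGE` and the function names are assumptions.

```python
import re

MIN_HSTS_AGE = 31536000  # assumption: one year, in seconds

def header_values(resp, name):
    """Return every value of a header, matched case-insensitively."""
    return [v for k, v in resp["headers"] if k.lower() == name.lower()]

def audit_cookie(set_cookie):
    """Check one Set-Cookie value for HttpOnly, Secure and SameSite."""
    name = set_cookie.split("=", 1)[0].strip()
    attrs = {}
    for part in set_cookie.split(";")[1:]:
        key, _, val = part.strip().partition("=")
        attrs[key.lower()] = val.strip().lower()
    findings = []
    if "httponly" not in attrs:
        findings.append(f"cookie {name}: missing HttpOnly")
    if "secure" not in attrs:
        findings.append(f"cookie {name}: missing Secure")
    if attrs.get("samesite") not in ("lax", "strict"):
        findings.append(f"cookie {name}: SameSite missing or None")
    return findings

def audit(http_resp, https_resp):
    """Audit the plain-HTTP response and the HTTPS response; [] means pass."""
    findings = []
    location = "".join(header_values(http_resp, "Location")).lower()
    redirected = http_resp["status"] in (301, 302, 307, 308)
    if not (redirected and location.startswith("https://")):
        findings.append("HTTP is not redirected to HTTPS")
    hsts = "".join(header_values(https_resp, "Strict-Transport-Security"))
    m = re.search(r'max-age\s*=\s*"?(\d+)', hsts, re.I)
    if not m:
        findings.append("HSTS header missing on HTTPS response")
    elif int(m.group(1)) < MIN_HSTS_AGE:
        findings.append("HSTS max-age below threshold")
    for value in header_values(https_resp, "Set-Cookie"):
        findings.extend(audit_cookie(value))
    return findings

# Constructed sample responses (not captured from the real site).
HTTP_OK = {"status": 301, "headers": [("Location", "https://example.test/")]}
HTTPS_WEAK = {"status": 200, "headers": [
    ("Strict-Transport-Security", "max-age=300"),
    ("Set-Cookie", "session=abc123; Path=/; Secure")]}
HTTPS_GOOD = {"status": 200, "headers": [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax")]}
```

An empty list from `audit` means the transport and cookie items pass; any finding should block launch.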

Legal/compliance checklist

Needed before public launch.

Confirm Azusa rules for 30+ day furnished rentals, business license, registration, and taxes if applicable.

Confirm HOA/condo rental minimums, occupancy rules, parking rules, guest rules, and advertising restrictions.

Review California lease, deposit, fee, habitability, and required disclosure language.

Apply Fair Housing/nondiscrimination language and consistent screening criteria.

Use an FCRA-compliant authorization and adverse-action workflow for background checks.

Review privacy policy, terms, accessibility, data retention, and deletion process before collecting guest data.

Plain English status

Safer than before, but not legally certified.

The site now avoids raw card collection, public admin exposure, and real guest-data storage in preview. That is good. It still needs attorney/owner review for Azusa, California, federal Fair Housing/FCRA, HOA, privacy, accessibility, and final rental-contract language before it should be treated as launch-ready.