Regulatory authorisations
Every framework below is relevant to at least one PropTurn audience (landlords, management companies, service partners). Pending items are in progress with the named regulator; aligned items are contractual and operational commitments already in place.
Client Money Protection authorisation
Rent, deposits and service-partner pay sit in a segregated client-money account under FCA-authorised Client Money Protection. The application is in progress; authorisation details will be published here on approval.
Making Tax Digital agent authorisation
Quarterly MTD ITSA filings and VAT submissions route through PropTurn under HMRC agent authorisation. Agent registration is in progress.
Data controller registration
PropTurn Ltd will be registered as a data controller with the Information Commissioner’s Office (UK GDPR Art. 30). The registration reference will be published here on completion.
Scotland short-term let registry
Properties managed on PropTurn in Scotland sit under the National Register of Scotland (NRS) STR registry per the Civic Government (Scotland) Act 1982 and 2022 order. Per-property licence numbers surface in the operator dashboard.
Scotland letting agent registration
Applies to operators managing long-term ASTs through PropTurn. Letting Agent Registration under the Housing (Scotland) Act 2014 is per-operator; PropTurn surfaces renewal dates in the dashboard and is registering the group entity itself.
Processor and controller obligations
PropTurn acts as data processor for operator tenants and data controller for account-holder identity and billing data. Article 28 data-processing terms are included in every operator contract. The sub-processor list is maintained at /trust#subprocessors.
Security posture
Encryption in transit
HTTPS enforced site-wide (HSTS). TLS 1.2+. Internal service-to-service traffic uses the cloud provider’s private network.
Encryption at rest
Postgres + object storage encrypted at the infrastructure layer (AES-256). Payment data never touches PropTurn servers — tokenised via Stripe.
Authentication
NextAuth v4 with hashed credentials, SAML SSO for Enterprise tiers, email-link + 2FA (TOTP) for operator accounts.
Access control
Row-level security at the database. Role-based permissions at the app (owner, manager, finance, provider). Audit log on every authenticated action.
Client money
Held in a segregated client-money account. Platform fees cannot be deducted by the operator, only released on the contractual schedule.
Backups and continuity
Daily off-site Postgres backups with 30-day retention, point-in-time recovery to any second in the last 7 days. Quarterly restore drill.
Sub-processors
The third parties PropTurn Ltd engages to deliver the service. Each is contractually bound to Article 28 data-processing terms. This list is updated here before any material change takes effect.
| Sub-processor | Purpose | Region |
|---|---|---|
| Vercel | Edge + serverless hosting (Next.js) | EU |
| Supabase | Postgres, authentication, storage | EU |
| Railway | Background workers + Redis queue | EU |
| Stripe | Payments and payouts | UK / EU / US |
| Revolut Business | Ring-fenced client-money account (landlord rent, guest deposits, service-partner pay-in-flight). Held as a segregated safeguarded balance; not mixed with operational funds. | UK |
| Anthropic | AI guest messaging (zero-retention API) | US |
| Resend | Transactional email | EU |
| Sentry | Application error monitoring | EU |
Client money
Landlord rent, guest deposits and service-partner pay-in-flight are held in a segregated client-money account that PropTurn does not draw from except on the contractual schedule. If the operator running the account fails, those funds do not form part of the operator’s insolvent estate — they remain the landlord’s, guest’s or provider’s.
Pre-launch, PropTurn has signed a client-money agreement with the ring-fenced account provider and is completing the FCA CMP application. Operators onboarded before FCA approval are contractually protected by the same holding arrangement; once FCA approval lands, that agreement automatically elevates to authorised CMP.
Report a security issue
Email security@propturn.co.uk. We acknowledge inside 1 working day, triage inside 3, and credit reporters who want credit on this page when the fix ships.