Security

Security Overview

theCREmodel keeps one shared security model across tenant and landlord workflows. Representation mode changes product behavior, not authorization boundaries, data ownership, or storage rules.

Shared authorization boundary
Client-scoped workspace isolation
Canonical production host

Shared Security Boundary

Authentication + Access

Protected actions rely on authenticated user context, server-side verification, and account-scoped access controls before workflows, exports, or storage operations run.

Workspace Isolation

Documents, deals, surveys, obligations, reminders, tasks, activities, and CRM state stay attached to the active client workspace so one account cannot read another account’s records.

Representation Mode Controls

Representation mode is an adaptive UX layer. It changes onboarding, dashboards, default views, AI suggestions, reminders, templates, exports, and workflow emphasis while leaving the shared data model untouched.

Dashboard hierarchy updates that surface command metrics, grouped insights, and drill-down workspaces are presentation-only changes and do not alter authorization, workspace isolation, or storage boundaries.

CRM intake building autocomplete and add-building actions still write into the same client-scoped building records, so this workflow change does not expand access or bypass existing workspace protections.

Shared CoStar Excel imports publish into a platform-wide market inventory source for building reference data only. They do not expose client documents, deals, surveys, obligations, or workspace-specific overrides, and upload access still requires authenticated user context.

Manual stacking-plan edits, floor and suite records, and optional economics still persist inside the same client-scoped CRM state and occupancy records, so lease economics remain governed by the existing workspace boundary and audit path.

The dedicated Buildings module reads shared market inventory for common building reference data, while focused-building context, stack-plan edits, suite records, and downstream workflow handoffs remain client-scoped.

Intentional document and building deletions now persist as client-scoped workspace tombstones, which prevents stale local or cloud snapshots from resurrecting records a user explicitly removed.

Suite-level selection inside Buildings can create survey rows from the active client workspace only. Those handoffs do not publish private suite economics globally and continue to inherit the same client-scoped survey storage boundary.

Financial Analysis handoff from Buildings uses the same client-scoped pending-scenario storage path as the existing analysis module, so selected suites are staged for the active workspace only and do not leak into other clients or users.

Shortlist and tour workflow records created from Buildings persist in the same client-scoped CRM workspace state as deal notes, stack edits, and reminders, so those actions stay isolated to the active client and remain covered by the existing audit path.

The new deal-room layer stores overview metadata, current-location constraints, negotiation trackers, and client-portal settings inside the same client-scoped deal record. It does not create a second transaction store or broaden cross-client visibility.

The dedicated CRM shortlist and tour boards are presentation and workflow-management layers over those same client-scoped records. They do not introduce a new storage boundary or a separate cross-client dataset.

Inline board edits for attendees, tour notes, and follow-up actions still write into the same client-scoped CRM workflow records, and AI tour-brief or proposal-request actions only read from the active workspace context before logging their result.

Drag-and-drop status movement on shortlist and tour boards is only a UI interaction for changing the same client-scoped workflow status fields. It does not create a separate workflow store or bypass existing deal audit history.

Inline shortlist owners and tour assignees persist inside the same client-scoped CRM workflow records as the rest of the board state, so responsibility can be updated without creating a second assignment system or expanding access boundaries.

Saved board views can now be stored either for the active deal or as team-wide client views. Team-wide views still only persist reusable filters for the current client workspace and do not publish private CRM slices across clients or accounts.

Team-wide board views are now role-aware. Users without a sharing-capable role can still load applicable shared views for their client team, but they cannot overwrite or delete the shared view definitions.

Client Access and Client View toggles in the deal room are presentation controls only. They determine which curated transaction summary is exposed to approved client contacts; they do not bypass authentication, change workspace ownership, or reveal internal-only notes by default.

Bulk reassignment on shortlist and tour cards updates the same underlying client-scoped workflow records one time per selected card. It does not create hidden secondary queues or bypass the normal audit history.

AI-generated post-tour recap drafts remain workspace-bound until a user explicitly sends them. The send action now goes through an authenticated backend route, and logging a recap into deal activity writes a new timeline event inside the same deal record and follows the existing audit path.

Automatic stacking-plan updates are limited to current lease, amendment, abstract, and sublease uploads. Proposal, LOI, and counter documents remain non-authoritative for occupancy so speculative deal motion cannot overwrite live building stack data.

Tenant Rep

Tenant mode changes workflow emphasis and reminders only; shared security and data boundaries stay intact.

Landlord Rep

Landlord mode changes leasing-console behavior and reporting emphasis only; shared security and client boundaries remain unchanged.

Shared Data + AI Controls

  • The shared entity graph keeps companies, contacts, buildings, suites, leases, obligations, deals, proposals, analyses, surveys, activities, and tasks inside one governed architecture.
  • The shared document system uses one client-scoped library for uploads, parsing, linking, and cross-module workflows.
  • Openable file payloads for supported uploads can be cached locally in the originating browser to preserve reopen behavior after refresh, while cloud sync continues to store compact document metadata rather than broadening cross-client file exposure.
  • When a Financial Analyses document retains a local file payload but is missing a parsed snapshot, the app can re-normalize that file inside the authenticated workspace flow to restore comparison inputs without expanding the storage boundary beyond that browser and client workspace. The same scoped rule now applies whether the document entered through the extract widget or the tab-wide drag-and-drop ingestion path.
  • Financial Analyses intake now requires validated core lease fields before a document is treated as parsed, and saved extraction snapshots are automatically repaired on reopen so stale confidence or outdated review flags do not reintroduce bad scenarios or unnecessary manual gates. The presentation-ready comparison workspace still operates inside the same authenticated client workspace rather than splitting document actions into a separate unsecured flow.
  • The simplified CRM landing page is a presentation-layer change only. The start-here flow, compact priority queue, and expandable advanced workspace still read and write the same client-scoped CRM records, deal boards, reminders, and building intelligence data.
  • The shared AI orchestration layer interprets prompts differently by mode, but tool execution, audit logging, and workspace boundaries remain the same.
  • The shared export pipeline applies one authorization path for PDF, spreadsheet, and share-link generation regardless of mode.

Operational Safeguards

  • Production traffic is pinned to thecremodel.com through canonical-host controls.
  • Lease uploads keep file-type checks, timeout handling, OCR guardrails, and user-safe error messaging in place before processing continues.
  • The Financial Analyses extractor now validates RSF, term, and rent schedule coverage before auto-adding a scenario, which reduces the chance of incomplete lease math entering downstream reports.
  • DOCX proposal normalization now also handles option-driven Word layouts with heading-based parsing, embedded-RFP landlord response files, and bounded rent-step reconstruction, which improves extraction coverage without widening document access beyond the existing authenticated upload path.
  • Normalization guardrails preserve explicit carry-forward economics cues, so clauses that point back to the existing lease structure can be modeled without letting speculative proposal language overwrite unrelated protected records.
  • Contact and proof endpoints continue to use same-origin application routes so browser-facing support flows stay aligned with the live production domain.

Auditability

AI-triggered actions, workflow changes, reminders, tasks, exports, and linked-record updates are recorded in centralized logs so teams can review operational history and understand how a workspace changed over time.

Storage + Transmission

Data is transmitted over HTTPS/TLS. Persisted records and files rely on managed encryption at rest, and account-scoped settings continue to use row-level isolation controls where supported.

Report a Concern

Report security concerns to info@thecremodel.com.