Information Security Policy

Effective date: May 15, 2026

Scope: This policy describes the technical and operational controls that apply to information handled in the course of operating peeklisting.com (the "Site") and Peek's listing-video rendering pipeline. It is written to reflect current operations honestly, not to project a future-state posture.

1. Operator

Peek is operated by Scott Allen, an individual doing business as Peek ("Peek," "we," "us," or "our"). All controls described below are administered by this single operator. There are no employees, contractors, or other personnel with administrative access to production systems at this time.

2. Data handled

Peek currently operates as a demonstration property with no user accounts, no upload functionality, and no paid services. The categories of information handled today are limited to:

• Standard web-server logs for the Site (IP address, user-agent, request path, timestamp), collected by the hosting provider.
• Voluntarily provided email content sent to hello@peeklisting.com or related addresses.
• Publicly listed real-estate content (photos, descriptions, addresses) scraped from public listing pages for sample-video generation. No private agent data, broker data, or MLS-restricted data is collected.

Peek does not collect payment information, government identifiers, biometric data, health information, or any other category of sensitive personal information.

3. Access control

• Administrative access to all production systems is held by the single operator named in Section 1.
• Multi-factor authentication is enabled on all critical accounts, including hosting (Cloudflare), email, source control (GitHub), and third-party API providers.
• Credentials are not shared across services or stored in plaintext.
• Production access is not delegated to any third party.

4. Encryption

• In transit. TLS 1.2 or higher is enforced for all traffic to peeklisting.com and videos.peeklisting.com. Internal calls to third-party service APIs use the provider's TLS-enforced endpoints.
• At rest. Stored assets (sample videos, source media) are held in encrypted object storage with provider-managed encryption keys (Cloudflare R2).
• Email. Inbound and outbound mail is encrypted in transit via standard TLS; at-rest encryption is provided by the email provider.

5. Endpoint and source security

• The rendering pipeline executes in containerized environments. Production code is held in private source-control repositories with branch protections and required reviews on protected branches.
• Development endpoints used to operate Peek are protected by full-disk encryption, automatic operating-system updates, and screen-lock policies.
• Secrets (API keys, tokens) are stored in environment variables and never committed to source control.

6. Backups and retention

• Source code and operational configuration are version-controlled and replicated to cloud-hosted repositories.
• Sample-video assets are reproducible from source and re-renderable on demand; no separate backup of generated media is maintained.
• Email correspondence is retained per the email provider's default policy.
• No customer data is retained today, because none is collected.

7. Sub-processors

Peek relies on a small set of third-party service providers to operate the Site and pipeline. They fall into the following categories:

• Infrastructure and content delivery – hosting, DNS, CDN, encrypted object storage, source-control hosting. All providers in this category are established platforms with publicly available security documentation.
• AI services – text generation and speech synthesis used during the rendering pipeline. Providers in this category receive only the data necessary to complete a single rendering task and do not retain content beyond their stated retention policies.
• Email – inbound and outbound mail handling.

Specific provider identities, contractual terms, and data-handling arrangements can be disclosed to commercial partners under a mutual non-disclosure agreement during integration evaluation.

Peek will update partners on the relevant provider stack before any sub-processor handles partner or customer data, and will execute any required data-processing agreements before partner data is exchanged.

8. Incident response

In the event of a confirmed security incident affecting information handled by Peek:

• The operator will investigate and contain the incident as promptly as reasonably possible, with a target of confirmation and initial response within 24 hours.
• Affected parties will be notified by direct email within a reasonable time frame, typically within 72 hours of confirmation.
• For partners or customers with whom Peek has executed a separate incident-notification commitment, that commitment governs.

Reports of suspected security issues can be sent to privacy@peeklisting.com with the subject line "Security Report."

9. Partner data handling

Peek does not currently process partner-provided data. When a commercial partnership requires Peek to handle partner data (for example, agent profiles, listing data, or other information supplied through an integration), the following controls will be implemented before partner data is exchanged:

• A written data-processing agreement (DPA) governing the scope of data exchanged, retention, and deletion.
• An updated sub-processor list specific to the partner relationship.
• Partner-specific access governance and, where required, segregation of partner data from other operational data.
• Any additional controls required by the relevant partnership agreement or by applicable law.

10. Review and updates

This policy is reviewed at least annually and revised as Peek's operations evolve. The effective date above reflects the current version. Material changes will be published on the Site for a reasonable period before they take effect.

11. Contact

Questions about this policy can be sent to privacy@peeklisting.com.