External audit · April 2026 · 9.0 / 10

Security & trust.

Customer data is the heartbeat of an estate agency. Thina CRM was built secure by default — and audited externally to prove it.

Compliance

Built for the South African regulator.

POPIA aligned

Every contact card carries a consent record: date, method (verbal, written, electronic, opt-in form), and per-channel opt flags for email, SMS, phone and WhatsApp. Revocations are timestamped and preserved.

FICA workflow

Buyer and seller verification status is tracked on every transaction, with a dashboard view of outstanding FICA across deals — auditor-ready and exportable.

EAAB aligned

Agent credentials (FFC number, EAAB membership) are captured on the agent profile and rendered on every customer-facing CMA and brochure.

Technical controls

Defence in depth, by default.

Owner-scoped Firestore rules

Every record carries an ownerId. Firestore security rules ensure agents see only their own data, enforced server-side. There is no client-side trust.

HMAC-signed webhooks

Inbound feeds from Property24 and partner portals require HMAC signatures. Replay protection and timestamp tolerance windows close off forged enquiries.

Hardened Content-Security-Policy

Strict CSP headers prevent script injection. No inline scripts (nonced where required). Third-party origins explicitly allow-listed.

Rate limiting on every API

Per-IP and per-user limits on every endpoint. Prevents brute-force, abuse and accidental fan-out — with response headers showing remaining quota.

Sentry monitoring

Production errors surface within seconds. Personally identifiable information is scrubbed before transport.

africa-south1 data residency

Firestore and Storage are provisioned in Johannesburg. No cross-border transfer of customer data — keeping your obligations under POPIA simple.

Responsible disclosure

Found something? We want to hear about it. Email security@thina-crm.co.za with a description and reproduction steps. We'll acknowledge within 48 hours and credit you in our security audit if you wish.

Try the live demo today.

No credit card. Sign in with Google or email, click Seed All Data, and explore a fully populated CRM in under 30 seconds.