Authentication & Security Disclosure

Last updated: 11 April 2026  ·  Abodex Ltd

Abodex is committed to transparency about how we authenticate users and protect your account. This disclosure explains our authentication system, security measures, and your rights regarding account data.

1. Authentication System Overview

Abodex uses OAuth 2.0 — an industry-standard, open authorisation protocol — for user authentication. We do not store passwords. Instead, authentication is delegated to a trusted identity provider, which verifies your identity and issues a secure token that we use to create your session.

This approach means:

  • Your password is never transmitted to or stored by Abodex
  • Authentication is handled by a dedicated, security-hardened identity service
  • Your credentials are protected by the security infrastructure of the identity provider
  • We receive only the minimum necessary information (name, email, unique identifier)

2. Session Management

Upon successful authentication, Abodex creates a secure server-side session. Your session is maintained using a signed HTTP-only cookie with the following security properties:

  • HttpOnly: The cookie cannot be read by JavaScript, protecting against cross-site scripting (XSS) attacks
  • Secure: The cookie is only transmitted over HTTPS (encrypted) connections — never over plain HTTP
  • SameSite: Configured to prevent cross-site request forgery (CSRF) attacks
  • Cryptographically signed: The session token is signed using a secret key (JWT_SECRET) to prevent tampering or forgery
  • Expiry: Sessions expire automatically after a period of inactivity

3. Data Collected During Authentication

When you sign in to Abodex, we collect and store the following information:

  • OpenID / Unique identifier: A unique, opaque identifier assigned by the identity provider
  • Display name: Your name as provided by the identity provider
  • Email address: Your email address (used for account management and notifications)
  • Login method: The authentication method used (e.g., "manus")
  • Last sign-in timestamp: The date and time of your most recent login
  • Account creation timestamp: When your account was first created

We do not collect or store passwords, payment card details, government ID numbers, or biometric data during authentication.

4. Role-Based Access Control

Abodex implements role-based access control (RBAC) to ensure users can only access features appropriate to their account type:

  • User (default): Can search properties, save favourites, submit enquiries, and manage their profile
  • Advertiser: Can access the advertiser portal, create ad campaigns, and view performance metrics
  • Admin: Full platform access including analytics, content management, and user administration

Role assignments are stored securely in our database and verified on every protected request. Admin access is restricted to authorised personnel only.

5. API Security

All API requests are routed through our tRPC API layer, which:

  • Validates authentication on every protected procedure call
  • Enforces role-based permissions at the procedure level
  • Validates and sanitises all input data using strict schema validation (Zod)
  • Returns typed, structured responses to prevent data leakage
  • Logs all authentication events for security monitoring

6. Data Storage and Security

Your account data is stored in a managed, encrypted database hosted in a secure cloud environment. We implement:

  • Encryption at rest for all stored data
  • Encryption in transit (TLS 1.2+) for all data transmissions
  • Regular automated backups
  • Access controls limiting database access to authorised systems only
  • Security monitoring and anomaly detection

7. Browser Compatibility Notice

Our authentication system requires browser cookie support. The following browser configurations may prevent authentication from working correctly:

  • Safari Private Browsing mode (blocks cross-site cookies)
  • Firefox with Strict Enhanced Tracking Protection enabled
  • Brave browser with Aggressive Shields enabled
  • Any browser or extension that blocks all third-party cookies

If you experience sign-in issues, try using a standard browser window without privacy extensions, or contact our support team.

8. Account Deletion

You have the right to request deletion of your account and all associated personal data. To request account deletion, contact us at [email protected] with the subject line "Account Deletion Request". We will process your request within 30 days and confirm deletion in writing.

9. Security Incident Reporting

If you discover a security vulnerability or suspect unauthorised access to your account, please report it immediately to [email protected] with the subject line "Security Report". We take all security reports seriously and will respond within 24 hours.

10. Contact

For questions about our authentication system or account security, contact us at [email protected].

© 2026 Abodex Ltd. All rights reserved.