Security practices

Encryption at rest

All API credentials, OAuth tokens, and sensitive keys stored in MLS Genie™ are encrypted at rest using industry-standard authenticated encryption. Plain-text credentials are never stored in the WordPress options table.

OAuth 2.0 only

All third-party integrations use OAuth 2.0 or equivalent token-based authentication. No plain-text passwords are ever transmitted or stored for integrations.

Managed hosting included

Every MLS Genie™ site runs on SOC 2 Type II certified managed hosting — included in your subscription. Your database, your files, and your content are yours. If you ever cancel, you take the full WordPress install to any host you choose.

Capability-based access

Every admin action in MLS Genie™ is gated by WordPress capabilities (mlsg_manage, mlsg_agent, etc.) — not just role checks. Agents can only access what they're assigned to.

Vendor names never exposed

Service provider names are never shown on any user-facing surface. Your clients see only your brand. Credentials are stored encrypted and retrieved only server-side.

Nightly security scans

All MLS Genie™ installations include real-time malware scanning, login protection, and security hardening. Nightly automated scans run on every site — included in our setup service.

HTTPS enforced

All MLS Genie™ installations are configured with HSTS and enforced HTTPS. Security headers are set during onboarding. Mixed content is blocked. All API calls are TLS-only.

Session management

Admin sessions use WordPress nonces on every AJAX action. GenieCRM uses our MLSG_Session_Guard class to prevent cross-user data access in multi-agent environments.

Responsible disclosure

If you discover a security vulnerability in MLS Genie™, please report it responsibly to security@mlsgenie.com. We will acknowledge receipt within 24 hours and aim to remediate within 72 hours for critical issues.
