Vendor-Stack Posture.
How TurnkeyDoor manages security and privacy risk across its 14-vendor production stack. Public-safe summary; per-vendor cert detail is held under MNDA.
TurnkeyDoor runs on a 14-vendor production stack. Every vendor is selected for SOC 2 Type II attestation, GDPR Article 28 DPA coverage, and a public sub-processor list. The full per-vendor matrix is held internally and shared under MNDA.
This page publishes the three composition-level risks we actively manage and the 12-trigger framework we use to spot questions in vendor questionnaires that need outside-counsel review rather than a self-answer.
Three risks we actively manage.
Key & secret sprawl across 14 vendors
Production credentials cross 14 vendors (~25+ secrets minimum). The April 2026 Vercel security incident remains the canonical cautionary tale: an attacker compromised one third-party AI tool, pivoted via OAuth, and reached non-sensitive environment variables, which are not encrypted at rest by default.
Active mitigations: every Vercel env var marked sensitive from day one; restricted Stripe API keys (not the master key) on non-payment flows; GitHub secret-scanning (Stripe, Anthropic and OpenAI all participate in auto-revocation programs); quarterly secret-rotation calendar documented in a runbook; Supabase service-role key never reaches the client.
Sub-processor depth (N-th party exposure)
Each of the 14 vendors has its own sub-processor stack. The effective N-th party count is likely 50–80 distinct entities. Concentration on AWS, Google Cloud, and Cloudflare means a single regional outage has a blast radius spanning many providers simultaneously.
Active mitigations: internal vendor inventory refreshed quarterly via each vendor's “subscribe to sub-processor changes” feed; redundant geocoder design (NJGIN primary, Geoapify fallback); the architectural pattern for transaction-critical flows uses a documented secondary provider.
Cross-border data flow + EU-US DPF stability
TurnkeyDoor is geo-fenced to NJ at consumer launch, so EU/UK GDPR is not actively triggered. The EU-US Data Privacy Framework currently stands, but a second Schrems-style invalidation has non-trivial probability over the 2026–2028 horizon.
Active mitigations: every signed DPA also incorporates SCCs as a fallback transfer mechanism in case DPF is invalidated; multi-jurisdiction posture (NJDPA, CCPA-CPRA, Colorado, VCDPA, Quebec Law 25) documented in our DPIA at /admt-pack/data-protection.
Twelve questions we route to counsel.
Most vendor-questionnaire questions are answerable from a prefill kit — DPA URLs, residency, encryption, deletion SLAs. Twelve questions are different. Each surfaces a TurnkeyDoor-specific edge case where a generic SaaS answer creates real legal exposure. When a questionnaire matches any of these triggers, we stop self-answering and route to outside counsel.
| # | Trigger phrase | Regime |
|---|---|---|
| 1 | PHI / BAA questions | HIPAA · NJLAD §10:5-12.5 · FHA §3604(f) |
| 2 | FedRAMP authorization status / impact level | FedRAMP |
| 3 | Sale or share of personal information / AI on personal data | CCPA-CPRA · NJDPA §56:8-166 |
| 4 | How do you prevent discriminatory advertising / screening | FHA · NJLAD · N.J.A.C. 13:10-1.1 |
| 5 | Tenant-screening / credit / background data | FCRA 15 U.S.C. §1681 · NJ Fair Chance in Housing §46:8-52 |
| 6 | Referral fees from mortgage / title / insurance | RESPA Section 8 · 12 U.S.C. §2607 |
| 7 | Consumer-deception prevention | NJ Consumer Fraud Act §56:8-1 |
| 8 | Data of minors | COPPA · CA AADC · CCPA SPI |
| 9 | Bank account / ACH data handling | NJ Identity Theft Prevention Act §56:8-161 |
| 10 | Affiliations with mortgage / financial-services providers | RESPA Section 8 (rerun) |
| 11 | Background-check / screening data scope | FCRA (rerun) |
| 12 | Regulatory disclosures included in contracts | NJ Truth-in-Renting §46:8-43 · Lead paint 24 C.F.R. §35 · Flood P.L. 2023 c.93 |
Hold-the-line answers (used while counsel reviews) are non-public — they buy time, not a posture, and we don’t want them quoted as final commitments. Compliance reviewers can request the internal checklist via partnerships@turnkeydoor.com under MNDA.
- This page is reviewed every 6 months. Next scheduled refresh: 2026-11-09.
- Stack-composition risks above are stable framing. Per-vendor URLs and certs (the matrix) decay faster — we hold them internally and refresh quarterly.
- For deployer ADMT risk-assessment context: /admt-pack
- For RoPA + DPIA + multi-jurisdiction posture: /admt-pack/data-protection
- For SOC 2 readiness one-pager: /admt-pack/soc2-readiness
- For privacy notice: /legal/privacy