AMURA Software

AI code audit for real estate and property management.

You shipped a valuation calculator on v0, a lead-capture bot on Lovable or an owners' portal on Cursor. We audit before a lead — or the entire owners' list — ends up in a competitor's hands.

What we solve

The data a real estate firm moves is the data that regulates it.

ID copies for KYC, verifiable income for solvency checks, payslip scans, rental contracts, owner and tenant records, building association files. Real estate firms and property managers handle high-volume, high-value PII. When an AI tool built in six weeks mixes all of that with an unprotected endpoint, what leaks isn’t a bug — it’s a case for a data-protection authority.

We audit the lead funnels, calculators and portals your team built with AI. The lens is sector-specific: GDPR/LOPD-style data protection, lead containment (so a scraper can’t take your portfolio), and account isolation in multi-portfolio managers.

What we build for this sector

Use cases that ship to production.

PII

Custody of IDs, payslips and KYC data

Path of the document from upload to storage. We look for public buckets, guessable URLs, lack of at-rest encryption and filenames that leak identity.

Private bucket · signed URL · encrypted
Leads

Lead isolation across agents and offices

Ownership filters in the leads database. A Madrid agent shouldn't be able to list Valencia leads by changing an ID in the URL.

0 leads accessible outside their account
Anti-scraping

Private listing protected from scrapers

Listing, valuation and contact endpoints behind rate limits, authentication and, where applicable, anti-scraping countermeasures. Competitors don't lift your portfolio via API.

Rate limit + auth on every public endpoint
Audit trail

GDPR-style logs for a regulator visit

Who accessed which personal data, when, from where. Retention period, deletion policy, right-to-be-forgotten implemented in code — not just on the privacy page.

Traceability per data point per user
A real scenario

A property manager with 2,300 units under management.

Rental property manager with an owners' portal built on Lovable plus a tenant-capture bot built on v0. Audit done right before an investment process — the investor requested it.
Before the audit

The owners' portal worked: each owner saw their own units. The unit listing, however, was served by a public API that accepted any owner ID. Anyone with curl could iterate and pull the full portfolio with contact details. The tenant-capture bot saved payslip scans in a Supabase bucket with USING (true) policies.

After the audit

17 findings. 5 criticals: ownership filter added to the listing, RLS applied to the capture tables, payslip bucket switched to private with signed URLs, keys rotated, deletion policy implemented in code. The audit went to the investor as a data-room appendix.

5 criticals resolved before the investment closed
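
The bucket and capture-table fixes from this scenario, sketched as Postgres/Supabase SQL with the weak policy beside its replacement. This is an added example, not code from the audited project; the bucket name `payslips`, the table `tenant_applications`, the column `submitted_by` and the per-user folder layout are assumptions.

```sql
-- Added example. Assumed names: bucket 'payslips', table public.tenant_applications,
-- column submitted_by, object keys of the form '<auth user id>/<file>'.

-- BEFORE (constructed reproduction of the weak state): the predicate is constant
-- true, so every role the policy applies to can read every stored object.
CREATE POLICY "payslips_read_all" ON storage.objects
  FOR SELECT
  USING (true);

-- AFTER, step 1: drop the permissive policy and make the bucket private, so
-- objects are no longer served from the public URL path.
DROP POLICY IF EXISTS "payslips_read_all" ON storage.objects;
UPDATE storage.buckets SET public = false WHERE id = 'payslips';

-- Step 2: signed-in users may read and upload only under their own folder.
-- Any other access is expected to go through short-lived signed URLs
-- issued server-side (assumption about the application design).
CREATE POLICY "payslips_read_own" ON storage.objects
  FOR SELECT TO authenticated
  USING (
    bucket_id = 'payslips'
    AND (storage.foldername(name))[1] = auth.uid()::text
  );

CREATE POLICY "payslips_insert_own" ON storage.objects
  FOR INSERT TO authenticated
  WITH CHECK (
    bucket_id = 'payslips'
    AND (storage.foldername(name))[1] = auth.uid()::text
  );

-- Step 3: capture table. With RLS enabled, a role with no matching policy
-- gets zero rows, so access is deny-by-default.
ALTER TABLE public.tenant_applications ENABLE ROW LEVEL SECURITY;

CREATE POLICY "applications_read_own" ON public.tenant_applications
  FOR SELECT TO authenticated
  USING (submitted_by = auth.uid());

-- Check: list any remaining policies whose predicate is constant true.
SELECT schemaname, tablename, policyname, cmd, roles
FROM pg_policies
WHERE qual = 'true' OR with_check = 'true';
```

The final query is worth keeping as a recurring check: an empty result means no policy in the database still admits every row unconditionally.
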
We connect to your stack

Integrations that matter in this sector

CRM

HubSpot

Mid-market CRM with broad APIs — a natural fit for sales agents and lead enrichment.

CRM

Zoho CRM

CRM with strong adoption among Spanish SMBs — automations and agents at a contained cost.

COMMS

Microsoft 365 / Outlook

Email, calendar and SharePoint as channel and context — triage, drafting and RAG over your inbox and files.

Frequently asked

What clients ask us

  • 01

    We handle a lot of PII (IDs, payslips). How do you treat it during the audit?

    We only need read-only repository access. We don't copy real data: we work on code structure, database migrations and, when needed, synthetic data. Your PII doesn't leave your infrastructure.

  • 02

    Does the audit cover GDPR/LOPD compliance?

    We look at how the code handles data: where it's stored, retention, whether right-to-be-forgotten is implemented, what flows to logs and external providers. We don't issue a compliance certificate — that needs a DPO or legal auditor — but we produce the material they'll need.

  • 03

    Do you detect if our private listing is being scraped right now?

    We audit the endpoints and tell you whether they're open to scraping (no auth, no rate limit, predictable IDs). It isn't real-time monitoring — that's a separate service — but we tell you exactly what to change so scraping stops being trivial.

  • 04

    Our CRM is Inmovilla / Witei / Idealista CRM. Do you cover those integrations?

    Yes. We audit the connector your team built: what permissions it asked for, what objects it can read and write, how it handles auth and errors. If the integration uses provider tokens, we trace where those tokens live.

Trust

Safe, traceable AI, enterprise-ready.

We design for privacy from the start, human control, traceability, usage limits, permissioning and documentation. For sensitive processes, we help assess risk and applicable obligations under GDPR and the EU AI Act.

  • 01 We never train models on your data without explicit authorization.
  • 02 Human review built-in for processes where risk demands it.
  • 03 Traceability: prompts, sources, permissions, errors and metrics — documented.
  • 04 Privacy, security and control integrated from day one.
  • 05 Solutions engineered to be maintained, audited and improved over time.

GDPR · EU AI Act · AEPD · ISO 27001 ready · EU data residency

Personal diagnosis

We work with few clients.

Every engagement is led personally by one of the partners. If there's a fit, you get a personal first read of your case within one business day — not a canned demo.

How we work

  1. Tell us which process eats your time
  2. Personal reply within one business day
  3. 20-minute call — no demo, no pitch