Effective Date: November 20, 2025
At DOOR, we take the implications of smart access incredibly seriously—and we’re proud to help you make your space more secure. Here’s how we’ve designed hardware and software products that protect residents’ most valuable data.
Security and privacy go hand in hand. You can learn more in our Privacy Policy.
Since our beginning, we’ve taken a proactive and thorough approach to our product development. We approach security from every angle: testing our hardware and software against potential threat models and frameworks so that we can get ahead of potential risks.
Internet independence
Our offline-first design approach means that devices do not require internet connections to unlock in the event of a network or cloud outage. Beyond that, operating independently from the internet provides an extra layer of security against malicious actors.
Testing and monitoring
In addition to running internal static, unit, and integration tests, we partner with third-party firms to run periodic penetration tests and validate our product architecture and design. We also use a variety of security monitoring tools to detect risks in real time and test new features and products in real-world scenarios.
Rapid response
DOOR devices are designed to get better every day. Because all our products can be updated wirelessly, we’re able to roll out the latest security features and fixes quickly and easily.
Bluetooth unlock security
We’ve built cryptographic certifications and bidirectional signing into our products to put security at the heart of our Bluetooth unlock experience. When you first sign in to a new personal device, and periodically after that, the DOOR Cloud authenticates you and determines which DOOR devices you are authorized to unlock. Once you are authenticated, DOOR Cloud supplies a signed unlock assertion to the DOOR App. When an unlock is initiated, the DOOR App sends the signed assertion to the DOOR device. The DOOR device verifies the signature of the unlock assertion and requests a second signature from the DOOR App, ensuring that it is communicating with the app. If the signed message matches the expected signatures, the DOOR device unlocks.
iOS DOOR Widget
The iOS DOOR Widget is a faster way to unlock your door. Using the widget, you can unlock your door from the home screen of your iOS device without having to launch the DOOR App. To ensure that someone can’t unlock your doors if they have your phone, the iOS DOOR Widget requires that the phone have been authenticated within the last 10 minutes. Depending on the personal device, authentication is often achieved through entering a passcode, pattern, fingerprint, or facial scan.
Passwords
Your DOOR Account login credentials are made up of your email as well as a password. To ensure the strength of your password, we require it to be at least eight characters, not feature any character more than twice consecutively, and be different from your email. We also reject passwords that are on a list of unsafe passwords.
Encryption
All of your DOOR device data is encrypted before it is transported to the DOOR Cloud using the Advanced Encryption Standard (AES) in Cipher Block Chaining (CBC) mode using a shared key derived via the Elliptic-curve Diffie-Hellman (ECDH) algorithm. Once in DOOR Cloud, all data, such as access permissions, access logs, access photos, and personal contact information, is encrypted at rest using AWS KMS with at least 128-bit AES encryption.
Data sent to DOOR devices from DOOR Cloud is authenticated and protected against tampering during transport using cryptographic signatures. Access user lists and credentials sent to DOOR devices, such as Doorcodes, are encrypted during transport, while the data in the DOOR App is secured using platform-specific best practices such as iOS Keychain and Android Keystore. DOOR App, DOOR Manager, DOOR Cloud and internet-connected DOOR devices communicate with each other via TLS 1.2 or TLS 1.3.
When a DOOR device takes a photograph, the image is encrypted and written using AES in CBC mode for secure storage.
We make use of both private cloud resources and public cloud services. We monitor traffic to and from our products for anomalies and intrusions using a number of technologies such as firewalls, IDS/IPS systems, web application firewalls, and cloud configuration monitoring systems. Our infrastructure runs on systems that are fault tolerant, protecting against failures of individual servers or even entire data centers. The DOOR database is multi-tenant, and tenants are segregated via application controls. Security and permission policies exist at the device, property, and portfolio level.
We’ve designed our products to withstand extreme environmental and emergency situations.
Environmental
Exterior operating temperature: -30°C to 70°C
Camera: 0°C to 60°C
Interior operating temperature: -20°C to 54°C
Operating humidity: 0–95% relative humidity, non-condensing
Lock mechanisms
DOOR M and C series devices are designed with a physical, industry-standard Schlage Type C keyway lock cylinder and key, and can be recylindered like any traditional lock. They are built to comply with ANSI Grade 1, the industry’s highest quality and durability standard for commercial security.
Fire
In multi-dwelling buildings, doors play an important role in preventing the spread of fire. The DOOR M and C series devices have been designed to comply with the industry’s most rigorous fire code regulations, maintaining the integrity of the door in case of emergency. DOOR M and C series devices are UL 10C (90 min) rated for use on fire resistant door assemblies in the United States; DOOR C is also ULC S104 rated for use in fire resistant door assemblies in Canada.
Hurricane
DOOR M and C Series devices meet TAS 201-94, 202-94, 203-94 for use in High Velocity Hurricane Zones.
Keycard and Near Field Communication
DOOR devices and Keycards utilize the MIFARE Classic NFC standard at 13.56 MHz.
Access history and photos
DOOR devices capture access events by recording the individual that attempted the unlock, the date, and the time, as well as the method of entry. Additionally, a photo is taken using an onboard camera in certain situations for added safety, such as when residents enter their building’s common spaces. Photos are never taken of residents at their own units when they are using a correct credential, and their access events at their private spaces are never shared. For more detailed information on our strict privacy controls, see our Privacy Policy.
Doorcodes
A Doorcode is a randomly generated numeric code that enables users to unlock DOOR devices using their numeric keypads. Doorcodes are a minimum of seven digits, offering 10 million combinations, and are not customizable, to avoid guessing.
Rate-limiting
To avoid brute-force attacks, DOOR devices enter a Rate-Limiting Mode when they detect consecutive incorrect NFC/Keycard or Doorcode authentication attempts. Once the device is in Rate-Limiting Mode, it ignores all Doorcode and NFC authentication attempts, and the camera is turned off to conserve battery. After five minutes, the device will allow three more attempts to authenticate before returning to Rate-Limiting Mode. Bluetooth brute-force attacks are mitigated by the cryptographic security surrounding DOOR's Bluetooth technology. See ‘Bluetooth unlock security’ for more information on Bluetooth cryptographic security.
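The lockout behavior described above can be modeled as a small state machine, which also shows how long exhausting the seven-digit Doorcode space would take under these limits. This is an added example, not DOOR firmware: the class and function names are hypothetical, and the number of consecutive failures that first triggers Rate-Limiting Mode (`INITIAL_THRESHOLD`) and the reset on a successful unlock are assumptions, since the page does not state them.

```python
import hmac

LOCKOUT_SECONDS = 5 * 60   # from the page: five minutes in Rate-Limiting Mode
RETRY_ALLOWANCE = 3        # from the page: three more attempts after a lockout
INITIAL_THRESHOLD = 5      # ASSUMPTION: the page does not give the first trigger count


class RateLimiter:
    """Keypad-side model: counts consecutive failures and enforces lockouts."""

    def __init__(self, code, threshold=INITIAL_THRESHOLD):
        self._code = code
        self._threshold = threshold
        self._remaining = threshold      # failures left before the next lockout
        self._locked_until = None        # None means not in Rate-Limiting Mode

    def attempt(self, guess, now):
        """Return 'ignored', 'unlocked' or 'rejected' for a try at time `now` (seconds)."""
        if self._locked_until is not None:
            if now < self._locked_until:
                return "ignored"         # every attempt is dropped, even a correct one
            self._locked_until = None
            self._remaining = RETRY_ALLOWANCE
        if hmac.compare_digest(guess, self._code):   # constant-time comparison
            self._remaining = self._threshold        # ASSUMPTION: success resets the count
            return "unlocked"
        self._remaining -= 1
        if self._remaining == 0:
            self._locked_until = now + LOCKOUT_SECONDS
        return "rejected"


def worst_case_exhaust_years(digits=7, threshold=INITIAL_THRESHOLD):
    """Lower bound on the time to try every code, counting lockout time only."""
    keyspace = 10 ** digits
    after_first_lockout = max(keyspace - threshold, 0)
    lockouts = -(-after_first_lockout // RETRY_ALLOWANCE)   # ceiling division
    return lockouts * LOCKOUT_SECONDS / (365 * 24 * 3600)


if __name__ == "__main__":
    device = RateLimiter("4821907", threshold=2)   # constructed sample code
    for t, guess in [(0, "0000000"), (1, "0000001"), (10, "4821907"), (301, "4821907")]:
        print(t, guess, device.attempt(guess, t))
    print(f"{worst_case_exhaust_years():.1f} years to exhaust 7 digits")
```

With three attempts per five-minute window, the seven-digit space takes roughly 31.7 years of lockout time alone to exhaust, and a correct code entered during a lockout is still ignored.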
Secure elements
DOOR devices incorporate hardware elements for the secure storage of cryptographic secrets. The use of a secure element protects cryptographic secrets from exposure by storing them in a manner which does not allow direct access via the system processor(s) or by direct memory access. Additionally, the secure element provides hardware measures to prevent unauthorized tampering or changing of cryptographic secrets and provides barriers to physical extraction attacks.
All security operations and functions are performed in-house by our security team, which includes 24/7 environment monitoring and response, adversarial assessments, and engineering. Our internal team is also bolstered by external, independent penetration testing, device assessments, and third-party audits. Multi-factor authentication is also enforced for all teams and tools where available.
If you have questions or concerns about security at DOOR, please feel free to contact our Security Team at security@door.com. For all other inquiries please contact our Support Team at support@door.com.