Compliance & Data Security
How we protect your data and comply with industry standards and regulations.
Regulatory Compliance
Compliance Frameworks
SOC 2 Type II
Our platform and infrastructure meet SOC 2 Type II standards for security, availability, processing integrity, confidentiality, and privacy. Annual audits are conducted by an independent third-party firm.
GLBA Compliance
We comply with the Gramm-Leach-Bliley Act (GLBA) requirements for financial institutions, including safeguards for consumer financial information and data sharing restrictions.
State Privacy Laws
We comply with all applicable state privacy laws including the California Consumer Privacy Act (CCPA/CPRA), Virginia Consumer Data Protection Act (VCDPA), Colorado Privacy Act (CPA), Connecticut Data Privacy Act (CTDPA), and Utah Consumer Privacy Act (UCPA).
ADA & WCAG 2.1
Our platform is designed to meet Web Content Accessibility Guidelines (WCAG) 2.1 Level AA standards. We conduct regular accessibility audits and remediate identified issues to ensure our Services are accessible to users with disabilities.
Security
Security Measures
Encryption
- TLS 1.3 encryption for all data in transit
- AES-256 encryption for data at rest
- End-to-end encryption for API communications
- Encrypted database backups with secure key management
Access Controls
- Role-based access control (RBAC)
- Multi-factor authentication (MFA) for all internal systems
- Principle of least privilege enforced across all environments
- Automated access reviews and de-provisioning
Monitoring & Response
- 24/7 security monitoring and alerting
- Automated threat detection and incident response
- Regular penetration testing by third-party firms
- Bug bounty program for responsible disclosure
Infrastructure
- SOC 2 certified cloud infrastructure providers
- Redundant systems across multiple availability zones
- Automated backup and disaster recovery procedures
- Regular infrastructure security assessments
Data Management
Data Handling Practices
Data Classification
All data processed by our platform is classified according to sensitivity level and handled with appropriate security controls. Property records sourced from public databases are classified as public data. User account information and payment data are classified as confidential and receive enhanced protections.
Data Retention
We retain personal information only as long as necessary to fulfill the purposes for which it was collected, comply with legal obligations, resolve disputes, and enforce our agreements. Search history and usage data are retained for 24 months. Account information is retained for the duration of the account relationship plus 7 years as required by financial regulations.
Data Disposal
When data reaches the end of its retention period or upon a verified deletion request, we securely dispose of it using industry-standard methods including cryptographic erasure for digital records and certified destruction for any physical media.
Vendor Management
All third-party service providers who process data on our behalf are subject to rigorous security assessments, contractual data protection requirements, and ongoing monitoring. We maintain a comprehensive vendor risk management program.
Questions About Our Security Practices?
Our security team is available to discuss our compliance certifications, security controls, and data protection practices in detail.