Security is not a feature, it is the foundation. Here is exactly how we protect you and your tenants.
We apply security best practices at every layer of the platform, from infrastructure to application code.
All data is encrypted in transit using TLS 1.2+ and at rest using AES-256. Payment data is handled by Stripe and never touches our servers unencrypted.
We hold a SOC 2 Type II attestation, renewed annually through an audit by an independent third-party firm covering the security, availability, and confidentiality trust services criteria.
Least-privilege access controls mean employees can only access systems they need for their role. All access is logged and reviewed quarterly.
24/7 automated threat detection, anomaly monitoring, and real-time alerting across all production infrastructure. Incidents are triaged immediately.
We engage an independent security firm to conduct penetration testing at least twice per year. Remediation deadlines are set by severity, and all findings are remediated within 30 days.
A documented incident response plan with defined escalation paths and SLAs. Affected users are notified within 72 hours of a confirmed data incident, matching the 72-hour breach-notification window that GDPR sets for notifying supervisory authorities.
We meet the highest standards for data security and privacy in the financial and property management sectors.
Security is integrated throughout our software development lifecycle, not bolted on afterward.
Every code change requires peer review. Security-sensitive changes require an additional review by a team member with security expertise.
Automated tools scan our dependencies daily for known vulnerabilities (CVEs). Critical vulnerabilities are patched within 24 hours.
All secrets, API keys, and credentials are stored in a dedicated secrets manager and never hard-coded in source code or environment files.
All infrastructure is defined and deployed as code, enabling full auditability, reproducibility, and drift detection on every deployment.
Encrypted backups run every 6 hours with 30-day retention. Recovery procedures are tested quarterly to verify that we meet our recovery time objective (RTO) and recovery point objective (RPO) targets.
All team members complete security awareness training on joining and annually thereafter. Phishing simulation exercises are run quarterly.
Multi-factor authentication is mandatory for all employee access to production systems, cloud infrastructure, and code repositories.
All third-party vendors with access to user data undergo a security review before onboarding and annual re-assessments thereafter.
We appreciate responsible disclosure from the security community. If you discover a security issue, please contact us privately before making it public. We aim to respond within 48 hours and will work with you on a coordinated disclosure timeline.
Report to security@leasepilot.ai