Security and compliance posture for serious real estate operations.
Realty OS protects brokerage, client, transaction, and partner data with tenant-aware access control, audit trails, operational monitoring, and documented compliance controls.
Current posture
SOC 2 readiness in progress
Phase 14a documents the policy set and evidence model. Phase 14b starts auditor engagement and control walkthroughs. Certification badges will be published only after audit completion.
SOC 2
Readiness
PIPEDA
Aligned
FINTRAC
Workflow support
HIPAA tier
BAA workflow
Controls
What customers can rely on
Access control
Role-based access, scoped record grants, MFA for privileged access, quarterly access reviews, and immutable approval evidence.
Audit readiness
Hash-chained audit logs, access reason capture, restore drills, compliance review cases, and auditor-ready evidence catalogs.
Data protection
Tenant isolation, encrypted storage, least-privilege service roles, retention schedules, and privacy request workflows.
Reliability
SLO tracking, synthetic checks, alert routing, operational kill switches, dashboard coverage, and incident response procedures.
Data boundaries
Platform controls stay platform-owned.
Identity, audit, service auth, country packs, access reviews, restore drills, and observability live in platform control planes. ROS keeps real estate workflow records and references shared platform primitives instead of duplicating them.
Read security practicesEvidence cadence
Auditor evidence is collected continuously.
SLO windows, alert reviews, vendor changes, vulnerability scan status
Access reviews, risk register review, restore verification, vendor reassessment
Policy approval, security training, BCP/DR tabletop, ISO gap review
Sub-processors
Core vendors used to deliver the service
| Vendor | Purpose | Data processed |
|---|---|---|
| AWS | Cloud hosting, object storage, email delivery, key management, and backups | Customer content, documents, logs, operational metadata |
| Google Cloud | Regional infrastructure and managed services where customer deployment requires it | Operational metadata and customer content for selected regions |
| Twilio / SendGrid / Mailgun / Brevo | SMS, WhatsApp, and email delivery | Recipient identifiers, message metadata, and message content required for delivery |
| DocuSign | Electronic signature workflows | Signer identity, signing metadata, and documents submitted for signature |
| OpenAI | AI-assisted drafting, summarization, extraction, and Q&A features | User-submitted prompts and scoped content needed to complete the requested task |
| Stripe | Billing and payment processing | Billing contacts, payment metadata, invoices, and subscription state |
Security
Security architecture and incident reporting.
Privacy
Privacy commitments and user data rights.
Availability
Service availability and operating status.
Terms
Service terms and acceptable use.