Security

1. Our Commitment to Security

At RentierNow, security is fundamental to everything we do. We are committed to protecting the data and privacy of our users through industry-leading security practices and continuous improvement of our security posture.

Our security program is built on the principles of defense in depth, least privilege, and continuous monitoring. We align our practices with recognized frameworks including SOC 2, ISO 27001, and NIST Cybersecurity Framework guidelines. Security is a shared responsibility across every team at RentierNow, from engineering to operations, and is championed at the executive level with regular reviews of our security strategy and investments.

2. Data Protection

We implement comprehensive data protection measures to ensure your information remains secure at all times.

Encryption

• In Transit: All data transmitted between your devices and our servers is encrypted using TLS 1.2 or higher with strong cipher suites. We enforce HTTPS across all endpoints and employ HTTP Strict Transport Security (HSTS) headers.
• At Rest: All sensitive data is encrypted at rest using AES-256 encryption. Encryption keys are managed through dedicated key management services with automatic rotation policies.
• Financial Data: Bank account information and financial data are processed through certified third-party services and encrypted with additional application-level security measures. Raw financial credentials are never stored on our servers.

Data Storage

• Data is stored in secure, SOC 2 compliant data centers operated by certified cloud infrastructure providers
• Automated encrypted backups are performed daily with point-in-time recovery capabilities
• Strict access controls and network isolation limit who and what can access stored data
• Data classification policies ensure that sensitive information receives appropriate handling throughout its lifecycle

3. Access Controls

We implement strict access controls to ensure that only authorized individuals can access sensitive systems and data.

User Access

• Role-based access control (RBAC) limits access based on user roles, ensuring property managers, tenants, and owners see only the data relevant to them
• Multi-factor authentication (MFA) is available for all accounts and strongly recommended for administrative users
• Session management with automatic timeouts and secure token handling prevents unauthorized session reuse
• Secure password requirements are enforced, including minimum length, complexity, and protection against known compromised passwords

Internal Access

• Principle of least privilege is applied to all employees; access is granted only to the systems and data required for their role
• Access reviews are conducted quarterly and whenever an employee changes roles
• Immediate access revocation is performed upon role changes or employment termination
• Comprehensive audit logging captures all access to sensitive systems, with logs retained for a minimum of one year
• Privileged access to production systems requires additional authentication and is monitored in real time

4. Infrastructure Security

Our infrastructure is hosted with SOC 2 compliant providers and architected for security, reliability, and performance.

Network Security

• Firewalls and intrusion detection/prevention systems monitor all inbound and outbound traffic
• DDoS protection and mitigation through industry-standard edge security services
• Network segmentation and isolation ensure that application, database, and management layers are separated
• Continuous network monitoring with automated alerting for anomalous traffic patterns
• All administrative access to infrastructure requires VPN and multi-factor authentication

Application Security

• Secure software development lifecycle (SDLC) with security considerations integrated at every stage
• Regular code reviews and automated static analysis catch vulnerabilities before deployment
• Dependency scanning identifies and flags known vulnerabilities in third-party libraries
• Web application firewall (WAF) protection filters malicious requests and common attack vectors
• Container images are scanned for vulnerabilities and rebuilt from trusted base images on a regular schedule

5. Vulnerability Management

We maintain a proactive vulnerability management program to identify and remediate security weaknesses before they can be exploited.

• Automated vulnerability scanning is performed continuously across all production systems and applications
• Independent penetration testing is conducted at least annually by qualified third-party security firms
• Critical vulnerabilities are triaged and addressed within 24 hours; high-severity issues within 72 hours
• Patch management procedures follow defined SLAs with automated deployment where possible
• Responsible disclosure is welcomed; security researchers can report vulnerabilities to [email protected]

6. Third-Party Security

We carefully vet all third-party vendors and partners to ensure they meet our security standards before integration and on an ongoing basis.

Vendor Requirements

• Database Services: Our database provider maintains SOC 2 Type II and ISO 27001 certifications with encryption at rest and in transit
• Payment Processing: Payment services are handled by PCI-DSS Level 1 certified providers; RentierNow never stores or processes raw card data
• Financial Connectivity: Bank account linking is facilitated through SOC 2 Type II and ISO 27001 certified services with tokenized access
• Content Delivery & Storage: File storage and delivery use SOC 2 compliant providers with edge security and access controls
• Communications: Notification services are provided by SOC 2 and ISO 27001 certified partners

Ongoing Oversight

• All vendors undergo a security assessment prior to onboarding, including review of certifications, security practices, and data handling policies
• Vendor security posture is re-evaluated annually and whenever a material change occurs
• Contracts include data protection obligations, breach notification requirements, and right-to-audit clauses
• Vendor access to RentierNow data is limited to the minimum necessary and monitored continuously

7. Incident Response

We maintain a comprehensive incident response plan to quickly detect, contain, and recover from security incidents. Our team conducts regular tabletop exercises to ensure readiness.

Our Process

1. Detection: Continuous monitoring, log analysis, and automated alerting identify suspicious activity in real time
2. Containment: Immediate isolation of affected systems to prevent lateral movement and limit impact
3. Investigation: Thorough forensic analysis to determine the scope, root cause, and impact of the incident
4. Remediation: Addressing the root cause, patching vulnerabilities, and implementing preventive controls
5. Notification: Affected users are notified within 72 hours of confirmed data breaches, in accordance with applicable laws. Regulatory bodies are notified as required.
6. Recovery: Restoring normal operations with verification that the threat has been fully eliminated
7. Lessons Learned: Post-incident review within 5 business days, with findings documented and corrective actions tracked to completion

Reporting an Incident

If you suspect unauthorized access to your account or observe suspicious activity, contact us immediately at [email protected]. Our security team monitors this channel around the clock and will acknowledge your report within 24 hours.

8. Employee Security

Our people are a critical part of our security posture. We invest in training, tools, and policies to ensure every team member upholds our security standards.

• Background checks are completed for all employees and contractors before they are granted access to sensitive systems
• Security awareness training is mandatory during onboarding and refreshed annually, covering topics such as phishing, social engineering, and data handling
• All company devices are managed with endpoint detection and response (EDR) software, disk encryption, and automatic security updates
• Clear security policies and acceptable use guidelines are documented and acknowledged by all employees upon hire and annually thereafter
• Access credentials are revoked immediately upon termination, with an automated offboarding process that covers all systems and services
• Employees are required to use password managers and unique credentials for all work-related accounts

9. Compliance

We are committed to compliance with applicable laws, regulations, and industry standards that govern the protection of personal and financial data.

• SOC 2 Type II: Our security controls are independently audited in accordance with the SOC 2 Trust Services Criteria
• CCPA/CPRA: We comply with the California Consumer Privacy Act and California Privacy Rights Act, providing California residents with full control over their personal information
• GDPR: Where applicable, we comply with the General Data Protection Regulation, including data subject rights, lawful processing, and cross-border data transfer safeguards
• PCI-DSS: Payment processing is handled exclusively through PCI-DSS Level 1 certified third-party services, ensuring credit card data is never stored or processed on our infrastructure
• GLBA: We adhere to the Gramm-Leach-Bliley Act requirements for the protection of nonpublic personal financial information
• Fair Housing: Our platform is designed to support compliance with federal and state fair housing laws in all property management workflows

10. Business Continuity

We maintain business continuity and disaster recovery plans to ensure service availability even in the face of unexpected disruptions.

• Redundant infrastructure is deployed across multiple geographically separated availability zones to protect against regional outages
• Automated failover ensures that service disruptions are minimized, with a target recovery time objective (RTO) of less than 4 hours and a recovery point objective (RPO) of less than 1 hour
• Encrypted backups are tested regularly through full restoration drills to verify data integrity and recovery procedures
• Disaster recovery procedures are documented, maintained, and reviewed at least annually
• System health and uptime are monitored around the clock with automated alerting for any degradation in service performance
• A documented communication plan ensures that users are informed promptly during any service-impacting event via our status page and email notifications

11. Security Updates

We continuously improve our security posture and will update this page as our security program evolves. Material changes to our security practices will be communicated to users through in-app notifications and email.

We review and update this Security page at least quarterly. A summary of significant changes will be noted at the top of this page with the "Last Updated" date. Users who wish to be notified of security-related updates may contact [email protected] to subscribe to our security bulletin.

12. Contact Security Team

If you have security questions, concerns, or need to report a vulnerability, we want to hear from you.

• General Security Inquiries: [email protected]
• Vulnerability Reports: [email protected]
• Mailing Address: RentierNow Security Team, San Diego, CA

We appreciate the work of security researchers who help keep our platform safe. If you discover a potential vulnerability, please report it responsibly by emailing [email protected] with a detailed description of the issue, steps to reproduce, and any supporting evidence. We will acknowledge your report within 24 hours and work with you to understand and resolve the issue. We ask that you allow us reasonable time to address the vulnerability before making any public disclosure.