Security & Trust Center

Security, verifiable.

How we protect the data you bring to RealtrAI. Encryption, access controls, audit posture, incident response, and the named subprocessors who touch your data along the way.

11 sections · Last updated April 15, 2026 · ~6 minute read
Encrypted

TLS 1.3 + AES-256

In transit and at rest. Tenant isolation by design.

Audited

SOC 2 in flight

SOC 2 Type II audit in progress, completion 2026. Annual third-party pen tests.

Isolated

No model training

Your client data, MLS feeds, and outputs are not used to train RealtrAI's AI models.

Disclosed

9 named subprocessors

Every third party that touches your data, listed by name and purpose. Updated on change.

Effective: April 15, 2026
Reviewed: Quarterly
Reports: Available under NDA on Brokerage

01

Overview

RealtrAI is built for licensed real estate professionals who handle sensitive client information, MLS data under license, and financial records for their transactions. Our security posture is designed to match what those professionals reasonably expect from a system entrusted with that data.

This page is the publicly visible Trust Center for the platform. It documents what we do to protect data, how we operate the underlying systems, who else touches the data, and how to report a security concern. Where stronger evidence is needed (audit reports, penetration testing summaries, security questionnaires), Brokerage plans include access under NDA.

Security Philosophy

The shortest version: every account's data is isolated, every transmission is encrypted, every internal access is logged, and every third party that touches the data is named publicly. We make commitments we can defend in writing, not aspirations we can't.

02

Infrastructure & Hosting

Primary Cloud

The platform runs on Amazon Web Services in US-East-1 (Virginia) as the primary region with US-West-2 (Oregon) for failover and asynchronous backup. AWS is SOC 2 Type II, ISO 27001, and FedRAMP Moderate certified at the infrastructure layer. Data does not leave US AWS regions by default.

Secondary Cloud

Some non-data-bearing services (transactional email delivery, model inference routing) are operated on Google Cloud Platform under similar regional and certification constraints. GCP regions used are us-central1 and us-east1.

Tenant Isolation

Each account's data is logically isolated at the database, storage, and cache layers. There is no shared mutable state across tenants. A query that asks for "all open-house attendees" returns only the requesting account's attendees, scoped at the data layer rather than the application layer.

Network Posture

Production systems sit behind a Web Application Firewall with managed rule sets for OWASP Top 10 patterns and rate limits sized for normal customer load. DDoS mitigation is provided by AWS Shield. Public ingress is restricted to TLS endpoints; internal services communicate over private subnets only.

Alternative Regions

Data residency outside the US (EU regions, UK, Canada) is available on Brokerage plans on request. Setup adds two to three weeks to onboarding. Contact us if your firm has data-residency requirements that we should accommodate before contracting.

03

Encryption

In Transit

All connections between your browser and the Services use TLS 1.3. Older TLS versions (1.0, 1.1) are disabled at the load balancer level. HSTS is enabled with a one-year max-age. Internal service-to-service connections in the production VPC use mutual TLS where the underlying provider supports it.

At Rest

Storage encryption is AES-256, applied at the disk and object-store layers in AWS (EBS, S3, RDS) and at equivalent layers in GCP. Encryption keys are managed by AWS KMS and rotated annually per AWS-managed key rotation. Customer-managed keys (CMK) are available on Brokerage plans for firms that prefer to hold their own root keys.

Backups

Backup volumes use the same AES-256 encryption standard. Backups are stored in AWS S3 with versioning enabled and retention managed by lifecycle policies (thirty-day rolling window for production, longer for compliance-related retention).

Passwords

Passwords are never stored in plain text. We hash with Argon2id at parameters sized to current OWASP recommendations and rotate the cost factors as compute availability advances. Password reset tokens are short-lived (15 minutes) and single-use.
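The reset-token properties stated above (15-minute lifetime, single use) as an added Python example; this is not RealtrAI's code, and the in-memory store, the digest-at-rest layout and the injectable clock are assumptions made for illustration.

```python
"""Short-lived, single-use password reset tokens (illustrative, not RealtrAI's code)."""
import hashlib
import secrets
import time

RESET_TOKEN_TTL_SECONDS = 15 * 60  # 15-minute lifetime, as stated on the page


class ResetTokenStore:
    """Server-side record of issued reset tokens.

    Only a SHA-256 digest of each token is persisted (assumption), so a leaked
    table row cannot be replayed as a token. The clock is injectable so expiry
    can be exercised deterministically; a real deployment would use the
    database's clock.
    """

    def __init__(self, now=time.time):
        self._now = now
        self._records = {}  # token digest -> (user_id, expires_at)

    def issue(self, user_id: str) -> str:
        # 32 bytes from the OS CSPRNG; the raw token goes only into the reset link.
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._records[digest] = (user_id, self._now() + RESET_TOKEN_TTL_SECONDS)
        return token

    def consume(self, token: str):
        """Return the user_id for a valid token, else None.

        The record is removed on the first presentation whether or not it is
        still within its lifetime, so a replayed link (for example from a
        shared inbox) and an expired link both fail.
        """
        digest = hashlib.sha256(token.encode()).hexdigest()
        record = self._records.pop(digest, None)  # single use: gone after this
        if record is None:
            return None  # unknown, already used, or never issued
        user_id, expires_at = record
        if self._now() > expires_at:
            return None  # past the 15-minute window: discarded, not honoured
        return user_id
```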

04

Authentication & Access

Customer Authentication

Account holders authenticate with email plus password, Google OAuth, Microsoft OAuth, or Apple Sign In. Brokerage plans support enterprise SSO via SAML 2.0 and OpenID Connect with major identity providers (Okta, Azure AD, OneLogin, Google Workspace).

Multi-Factor Authentication

MFA is supported on every plan and strongly recommended. Supported factors include time-based one-time passwords (TOTP) via authenticator apps and WebAuthn / passkeys. SMS MFA is available but de-prioritized; we recommend an authenticator app or passkey instead.

Session Management

Sessions expire after thirty (30) days of inactivity by default. Brokerage plans can set tighter session policies via the team admin panel (down to 12-hour expiry for compliance-heavy environments). All sessions are revocable from the account settings page; revoking a session immediately invalidates the underlying token.
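The session behaviour described above (30-day inactivity default, a tighter per-tenant policy down to 12 hours, and revocation that kills the token immediately) as an added Python example; this is not RealtrAI's code, and the in-memory store and injectable clock are assumptions for illustration.

```python
"""Inactivity-based session expiry with tenant policy and revocation (illustrative)."""
import secrets
import time

DEFAULT_IDLE_TIMEOUT = 30 * 24 * 3600  # 30 days of inactivity, the page default
MIN_IDLE_TIMEOUT = 12 * 3600           # 12 hours, the tightest policy the page mentions


class SessionStore:
    def __init__(self, now=time.time):
        self._now = now
        self._sessions = {}        # session id -> {"user", "tenant", "last_seen"}
        self._tenant_timeout = {}  # tenant -> idle timeout in seconds

    def set_tenant_policy(self, tenant: str, idle_timeout: int) -> None:
        """Tenant admins may tighten the default but not loosen it or go below 12h."""
        if not MIN_IDLE_TIMEOUT <= idle_timeout <= DEFAULT_IDLE_TIMEOUT:
            raise ValueError("idle timeout must be between 12 hours and 30 days")
        self._tenant_timeout[tenant] = idle_timeout

    def create(self, user: str, tenant: str) -> str:
        sid = secrets.token_urlsafe(32)  # unguessable; this is the cookie value
        self._sessions[sid] = {"user": user, "tenant": tenant, "last_seen": self._now()}
        return sid

    def authenticate(self, sid: str):
        """Return the user for a live session (refreshing last_seen), else None."""
        s = self._sessions.get(sid)
        if s is None:
            return None  # unknown, expired, or revoked
        timeout = self._tenant_timeout.get(s["tenant"], DEFAULT_IDLE_TIMEOUT)
        if self._now() - s["last_seen"] > timeout:
            del self._sessions[sid]  # idle too long: expire server-side
            return None
        s["last_seen"] = self._now()  # sliding inactivity window
        return s["user"]

    def revoke(self, sid: str) -> bool:
        """Server-side deletion: the token stops working now, not at next expiry."""
        return self._sessions.pop(sid, None) is not None

    def revoke_all(self, user: str) -> int:
        """Sign-out-everywhere: drop every session belonging to the user."""
        dead = [sid for sid, s in self._sessions.items() if s["user"] == user]
        for sid in dead:
            del self._sessions[sid]
        return len(dead)
```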

Internal Access Controls

Access to production systems by RealtrAI engineers is governed by least-privilege role-based access control. All production access requires SSO with hardware-backed MFA. Every privileged action is logged to an immutable audit log retained for two years. Engineers do not have direct read access to customer documents in the normal course of operations; access is granted on a per-incident basis with time-bound, logged credentials.

Personnel Security

All RealtrAI employees with production access complete background checks at hire, sign confidentiality agreements, and complete annual security awareness training. Departing employees are de-provisioned within four (4) hours of role change or separation, with credentials rotated immediately.

05

Application Security

Secure Development

Code changes go through pull-request review with at least one engineer approval before merge. Production deployments require passing CI: unit tests, integration tests, static analysis, and dependency scanning. Direct production access for code deployments is restricted to a short list of platform engineers.

Dependency Management

Third-party dependencies are scanned continuously with Dependabot and Snyk for known vulnerabilities. Critical and high-severity advisories trigger an automatic alert and a target patch window of 72 hours. Lower-severity issues are batched into the next regular dependency-update cycle.

Static and Dynamic Analysis

Static application security testing (SAST) runs on every pull request, scanning for common vulnerability patterns (injection, XSS, deserialization, hardcoded secrets). Dynamic application security testing (DAST) runs against staging weekly. Findings are tracked to closure and reviewed in monthly engineering security syncs.

AI & ML Security

The Trunnion AI Declarative Agentic Framework that powers the platform is built on tenant isolation. Inputs from one account never become training data for the underlying models or context for another account's queries. Prompts and responses are scoped per-request, not pooled.

Material Protection

Your client data, MLS feeds, uploaded content, and generated documents are not used to train any AI model. Third-party model providers (Anthropic, OpenAI) operate under enterprise agreements with zero-retention or short-retention terms (typically 30 days for abuse-detection only). See the Privacy Policy for the formal commitment.

Output Sanitization

Generated documents and exports are sanitized before delivery to remove unintended content (other accounts' data, system metadata, internal-only debug fields). HTML and PDF exports are templated; markdown and plain-text exports run through a sanitizer that strips potentially injected scripts.

06

Data Protection & Retention

During Service

While your account is active, account data, generated content, and integration records are retained so the Services work as expected. Drafts can be reopened, archives can be searched, integrations can run continuously, and pipelines persist across sessions.

Backups and Recovery

Production data is backed up continuously to a separate AWS region. Point-in-time recovery is available for the past thirty-five (35) days. Disaster recovery target objectives: Recovery Time Objective (RTO) four hours, Recovery Point Objective (RPO) fifteen minutes for primary tenant data.

After Cancellation

If you cancel your subscription, account data and content are retained for ninety (90) days so you can export your archive or reactivate. After that ninety-day window, data is permanently deleted from production systems within seven (7) days. Backup copies cycle out within the standard thirty-day rolling window. Within fourteen (14) days of the backup window expiry, no copies remain.

Immediate Deletion

You may request immediate deletion at any time during the ninety-day window by emailing hello@realtrai.com with subject "Delete Account." We confirm receipt within one business day and confirm completion within seven (7) business days. Backup expiry follows the standard rolling schedule even on immediate-deletion requests.

Data Portability

You can export your data at any time through the Account Settings panel. Supported formats: JSON for structured data, CSV for tabular data, PDF and DOCX for generated documents, ZIP archive bundling everything. The export format is documented in our help center for downstream parsing.

07

Compliance & Audits

Infrastructure Certifications

Our infrastructure providers (AWS, GCP) hold SOC 2 Type II, ISO 27001, ISO 27018, and PCI DSS certifications at the infrastructure layer. Certifications are renewed annually and audit reports are available from the providers' trust portals (AWS Artifact, GCP Compliance Reports Manager).

RealtrAI SOC 2

RealtrAI's own SOC 2 Type II audit is in progress with an expected completion in 2026. Type I bridge documents are available under NDA on Brokerage plans. The full Type II report will be published in this Trust Center once issued.

Penetration Testing

Annual third-party penetration tests are conducted against the production application by an independent security firm. The most recent test summary is available under NDA on Professional and Brokerage plans through the customer success contact. Findings of medium severity or higher are tracked to closure and verified by the firm at retest.

Vendor Compliance Audits

Subprocessors are reviewed quarterly. Each vendor's most recent SOC 2 or equivalent attestation is on file, along with the data processing addendum (DPA) and a defined break-glass procedure for vendor compromise scenarios. The full subprocessor list is published in the next section.

PCI Scope

RealtrAI does not store, process, or transmit cardholder data directly. Payment processing is handled by Stripe; cardholder data is tokenized at the Stripe boundary and we receive only the tokenized reference. Our PCI scope is therefore limited to SAQ-A.

08

Subprocessors

The named third parties below process data on RealtrAI's behalf in the course of operating the Services. Each is bound by a data processing addendum that requires confidentiality, security controls equivalent to or stronger than ours, and data return or deletion on contract termination. We update this list when subprocessors are added or removed; account holders on Professional and above can subscribe to subprocessor change notifications by emailing hello@realtrai.com with subject "Subprocessor Updates."

  • Amazon Web Services, US (VA, OR): primary cloud infrastructure (compute, storage, database, networking, key management)
  • Google Cloud Platform, US (IA, SC): secondary cloud for non-data-bearing services, model inference routing
  • Stripe, US (Global): payment processing, subscription billing, tax collection
  • Postmark, US: transactional email delivery (account, billing, security notices)
  • SendGrid, US: bulk email delivery for marketing communications (opt-in only)
  • Intercom, US and EU: customer support ticketing and in-app messaging
  • Anthropic, US: AI model inference (Claude family); zero-retention enterprise agreement
  • OpenAI, US: AI model inference (GPT family, used selectively); zero-retention enterprise agreement
  • Sentry, US: application error monitoring and crash reporting

MLS data providers, CRM integration partners (Follow Up Boss, kvCORE, Sierra Interactive, BoomTown, Realvolve, Salesforce), and website integrations (Squarespace, WordPress) are not subprocessors in the privacy-law sense; they are services you authorize and direct the data flow to. Data shared with those services is governed by their own terms.

09

Incident Response

We maintain a documented incident response plan reviewed and rehearsed quarterly. The plan covers detection, triage, containment, eradication, recovery, and post-incident review.

Detection

Production systems are monitored continuously for anomalous activity, error spikes, abnormal access patterns, and known indicators of compromise. Alerts route to the on-call engineer for triage with a 15-minute response target on critical alerts.

Customer Notification

For incidents that affect your data or your account's security, we notify you and any applicable regulatory authorities within the timeframes required by law. Specifically, GDPR requires notification within 72 hours of becoming aware of a personal data breach; we follow that standard globally as our floor. State law in some US jurisdictions imposes shorter or differently defined windows; where shorter, we follow the shorter requirement.

What a Notification Includes

  • What happened: a plain description of the incident and what data was affected
  • When: the timeline of detection, containment, and resolution
  • Impact: what the incident did or could do to your account
  • What we did: the immediate response and the longer-term mitigations
  • What you should do: recommended customer actions (rotate passwords, check audit logs, etc.)
  • Contact: a direct point of contact for follow-up questions

Post-Incident Review

For any incident classified Sev 2 or higher, we publish a post-incident review within fourteen (14) days describing the root cause, the timeline, and the remediations. Brokerage plans receive these reviews automatically; other plans can request them. We do not redact except for security-sensitive operational details.

10

Vulnerability Disclosure

If you discover a security vulnerability in the Services, we want to hear from you. We commit to responding promptly, working in good faith on a fix, and crediting reporters who follow responsible disclosure (if they want to be credited).

How to Report

Email hello@realtrai.com with subject "Security Disclosure" and include:

  • A description of the vulnerability and where it lives in the Services
  • Steps to reproduce, or a proof-of-concept
  • Any logs, screenshots, or output that helps us validate
  • Your contact details (so we can follow up) and your preferred name for public credit, if you want any

Our Commitments

  • Acknowledgment within one business day of receipt
  • Initial triage within five business days with severity classification
  • Status updates at least every two weeks until resolution
  • No legal action against good-faith researchers who follow this disclosure process
  • Public credit in the security advisory, if you want it

Out of Scope

The following are not in scope for the vulnerability disclosure program: social engineering against RealtrAI personnel, denial-of-service testing against production, automated scanner output without manual validation, missing security headers on non-sensitive marketing pages, and findings against third-party services we use (which should be reported to those vendors directly).

Bug Bounty

We do not currently operate a paid bug bounty program. We do credit reporters publicly with their consent, and we consider monetary recognition on a case-by-case basis for severe findings. We expect to launch a formal bounty program in 2026 once the SOC 2 Type II audit is complete.

11

Your Security Controls

Security is shared. The platform provides the following controls; how you use them affects how secure your account is. We strongly recommend enabling at least the first three on every account.

Multi-Factor Authentication

Enable MFA in Account Settings. We recommend an authenticator app (Authy, 1Password, Google Authenticator) or a passkey. SMS is supported but is the weakest factor; if you must use SMS, prefer a number that is not your primary mobile.

Strong, Unique Password

Use a unique password for RealtrAI that you do not use anywhere else. A password manager (1Password, Bitwarden, Apple Keychain) makes this practical. Most account compromises we have observed in the SaaS industry trace back to credential stuffing from breaches of unrelated services.

Audit Logs

Account holders on Professional and above have access to audit logs covering sign-ins (with IP and user agent), document generation, integration changes, and team-member actions. Brokerage plans extend audit log retention to two years and add export to SIEM systems via the API.

Session Management

The Account Settings page lists active sessions. Revoke any session you don't recognize. Sign-out-everywhere is a single click, useful if you suspect a device was compromised.

Integration Permissions

Review integrations periodically. Revoke any that you no longer use. The integrations panel shows the scope of access each integration was granted and the last time it was used.

Team Admin Controls

Brokerage admins can enforce MFA across the team, set session expiry policies, restrict login by IP range, and require SSO for all agents. The Compliance Reviewer role provides read-only audit access for firms with separate compliance functions.

Question, Concern, or Disclosure?

Talk to us, directly.

Security questions, vendor questionnaires, vulnerability reports, and audit-report requests all route to the same address. Brokerage plans get a dedicated technical liaison; everyone else gets a direct response within five business days, and same-day for urgent security disclosures.
