Last update: Jan 8, 2026

Data Security

1. Overview

RETS AI INCORPORATED ("Rets AI") is committed to protecting the confidentiality, integrity, and availability of customer data. This Data Security Policy describes the technical and organizational measures we implement to safeguard data processed through our commercial real estate intelligence platform.

Rets AI is currently in the process of obtaining SOC 2 Type II certification. Our security program is designed to meet the Trust Services Criteria for Security, Availability, and Confidentiality.

2. Infrastructure Security

2.1 Cloud Infrastructure

Rets AI infrastructure is hosted on Amazon Web Services (AWS) in the US-East region. AWS maintains comprehensive security certifications including SOC 1, SOC 2, SOC 3, ISO 27001, ISO 27017, ISO 27018, and FedRAMP.

Our infrastructure security includes:

  • Virtual Private Cloud (VPC) network isolation

  • Security groups and network access control lists

  • Web Application Firewall (WAF) protection

  • DDoS mitigation through AWS Shield

  • Continuous infrastructure monitoring and logging

2.2 Data Residency

Customer data is stored and processed within AWS data centers located in the United States (US-East region). Data does not leave the United States unless explicitly required for service delivery to international customers, in which case appropriate safeguards are implemented.

3. Data Encryption

3.1 Encryption in Transit

All data transmitted between customers and Rets AI services is encrypted using Transport Layer Security (TLS) 1.2 or higher. We enforce HTTPS for all web traffic and do not support unencrypted connections.

3.2 Encryption at Rest

All customer data stored in our systems is encrypted at rest using AES-256 encryption. This includes:

  • Database storage

  • File storage (uploaded documents)

  • Backups and snapshots

  • Log files containing sensitive information

3.3 Key Management

Encryption keys are managed through AWS Key Management Service (KMS), which provides centralized control over cryptographic keys with hardware security module (HSM) protection. Keys are rotated according to industry best practices.

4. Access Control

4.1 Authentication

Rets AI enforces strong authentication controls:

  • Secure password requirements (minimum length, complexity)

  • Multi-factor authentication (MFA) available for all accounts

  • Session management with automatic timeout

  • Account lockout after failed authentication attempts

  • Single Sign-On (SSO) integration available for enterprise customers

4.2 Authorization

Access to customer data is governed by role-based access control (RBAC). Users are granted the minimum permissions necessary to perform their functions. Customer data is logically segregated, ensuring that users can only access data belonging to their organization.

4.3 Internal Access

Rets AI employees access production systems only when necessary for service delivery, troubleshooting, or security purposes. All internal access requires:

  • Multi-factor authentication

  • VPN or secure access gateway

  • Documented business justification

  • Audit logging of all access events

5. Application Security

5.1 Secure Development

Rets AI follows secure software development practices:

  • Security requirements integrated into development lifecycle

  • Code review for all changes before deployment

  • Static application security testing (SAST)

  • Dependency scanning for known vulnerabilities

  • Separate development, staging, and production environments

5.2 Vulnerability Management

Rets AI maintains a vulnerability management program that includes:

  • Regular automated vulnerability scanning

  • Annual third-party penetration testing

  • Timely patching of identified vulnerabilities based on severity

  • Monitoring of security advisories for dependencies and infrastructure components

6. Data Isolation and Segregation

Customer data is logically segregated within our multi-tenant architecture. Each customer's data is isolated through:

  • Unique customer identifiers enforced at the application layer

  • Database-level access controls preventing cross-tenant queries

  • Isolated storage containers for document uploads

  • Testing and validation of tenant isolation controls

7. Monitoring and Logging

Rets AI maintains comprehensive monitoring and logging capabilities:

  • Centralized logging of security events, access attempts, and system activities

  • Real-time alerting for anomalous activities and potential security incidents

  • Infrastructure and application performance monitoring

  • Log retention for a minimum of 12 months

  • Protection of log integrity against tampering

8. Incident Response

Rets AI maintains a documented incident response plan that defines procedures for identifying, responding to, and recovering from security incidents.

8.1 Incident Response Process

  • Detection: Automated monitoring and alerting systems identify potential security events

  • Triage: Security team evaluates and classifies incidents based on severity and impact

  • Containment: Immediate actions to limit the scope and impact of the incident

  • Eradication: Removal of the threat and remediation of affected systems

  • Recovery: Restoration of normal operations with enhanced monitoring

  • Post-Incident Review: Analysis and documentation of lessons learned

8.2 Customer Notification

In the event of a confirmed security incident affecting customer data, Rets AI will notify affected customers without undue delay and in accordance with applicable legal requirements. Notification will include the nature of the incident, data affected, remediation steps taken, and recommended actions for customers.

9. Business Continuity and Disaster Recovery

9.1 Data Backup

Rets AI implements comprehensive backup procedures:

  • Daily automated backups of all customer data and system configurations

  • Encrypted backup storage in geographically separate AWS availability zones

  • Regular testing of backup restoration procedures

  • Backup retention aligned with data retention policies

9.2 Disaster Recovery

Our disaster recovery program is designed to restore services in the event of a significant disruption:

  • Documented recovery procedures for critical systems

  • Multi-availability zone deployment for high availability

  • Defined Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO)

  • Regular testing and validation of disaster recovery procedures

10. Personnel Security

Rets AI maintains personnel security controls to ensure that individuals with access to customer data are trustworthy and properly trained:

  • Background checks for employees with access to production systems

  • Confidentiality agreements for all employees and contractors

  • Security awareness training upon hire and periodically thereafter

  • Prompt revocation of access upon termination or role change

11. Third-Party Security

Rets AI evaluates the security posture of third-party service providers that process or have access to customer data. Our third-party risk management includes:

  • Security assessment prior to engagement

  • Contractual security and confidentiality requirements

  • Preference for providers with industry-recognized certifications (SOC 2, ISO 27001)

  • Ongoing monitoring of provider security posture

Key infrastructure and service providers:

| Provider | Certifications |
|---|---|
| Amazon Web Services (AWS) | SOC 1, SOC 2, SOC 3, ISO 27001, ISO 27017, ISO 27018, FedRAMP, PCI DSS |
| LLM Provider | SOC 2 Type II |
| Stripe (Payment Processing) | PCI DSS Level 1, SOC 1, SOC 2 |

12. Compliance

12.1 SOC 2

Rets AI is currently in the process of obtaining SOC 2 Type II certification. Our security controls are designed and implemented in accordance with the AICPA Trust Services Criteria for Security, Availability, and Confidentiality. Upon completion, audit reports will be available to customers under NDA.

12.2 Privacy Regulations

Rets AI maintains compliance with applicable privacy regulations, including the California Consumer Privacy Act (CCPA), California Privacy Rights Act (CPRA), and General Data Protection Regulation (GDPR). Please refer to our Privacy Policy for detailed information on our data privacy practices.

13. Security Inquiries

For security-related inquiries, to report a vulnerability, or to request additional security documentation, please contact:

RETS AI INCORPORATED

2001 Ross Ave

Dallas, TX 75201

Email: privacy@rets.ai

14. Policy Updates

Rets AI reviews and updates this Data Security Policy at least annually or as needed to reflect changes in our security practices, technology, or regulatory requirements. Material changes will be communicated to customers through our standard notification channels.