Security Policy
Last Updated: May 2026
1. Data Protection
Your landlord and tenant data lives in Google Cloud Platform (us-central1), encrypted at rest with AES-256 via Cloud KMS and in transit with TLS 1.3. Application servers run on Cloud Run with a private Cloud SQL Postgres instance reachable only over a Unix socket, never the public internet. Documents and uploads are stored in Google Cloud Storage with object-level encryption and signed-URL access.
Card and bank data is tokenized in the browser by Stripe Elements and routed to your own Stripe Connect account. Rentari.ai servers never see, log, or store a full PAN, CVV, or routing number, so PCI-DSS Level 1 obligations are inherited from Stripe's certified environment.
Account access uses bcrypt-hashed passwords plus optional 2FA delivered through Twilio. A short-lived JWT in an HttpOnly, Secure cookie authenticates each request, and role-based checks (landlord, manager, tenant, vendor) gate every API and UI route. The complete subprocessor list is on our trust page.
2. Vulnerability Disclosure
We welcome reports from security researchers. Email security@rentari.ai with reproduction steps and any proof-of-concept artifacts. We acknowledge new reports within 2 business days and aim to patch verified high-severity issues within 14 days, medium within 30, and low within 90.
In scope: the Rentari.ai application (Rentari.ai and *.Rentari.ai), our public APIs under /api/v1, and authentication and payment flows.
Out of scope: findings against our subprocessors (please report those upstream to Google, Stripe, or Twilio), denial-of-service tests, social engineering, and reports that depend on physical access. Please do not access tenant or landlord data beyond your own demo account, and do not publicly disclose until we have had a reasonable window to patch.
3. Incident Response
Application, database, and access logs stream to Google Cloud Logging with tamper-evident retention. Cloud SQL takes automated daily backups with point-in-time recovery enabled, and Cloud Storage objects are versioned so an accidental or malicious overwrite can be rolled back.
If we confirm unauthorized access to landlord or tenant data, we will (1) revoke affected credentials and rotate keys within 24 hours, (2) notify directly affected account owners by email within 72 hours of confirmation, and (3) publish a written post-incident summary covering root cause, scope, and remediation. State-specific breach notification timelines (for example California Civ. Code 1798.82) are followed where they apply.
4. Compliance & Auditing
Rentari.ai inherits the compliance posture of its underlying platforms. Hosting and storage run on Google Cloud, which is independently certified for SOC 1/2/3, ISO 27001, ISO 27017, ISO 27018, and PCI-DSS (see Google Cloud compliance reports). Payments are processed in Stripe's PCI-DSS Level 1 environment, and applicant background and credit checks are run by an FCRA-accredited consumer reporting agency.
Rentari.ai is a small, independently operated company and does not yet hold its own SOC 2 Type II report. We track dependencies for known vulnerabilities, run quarterly internal access reviews, and publish a full subprocessor inventory on our trust page. If your procurement process requires a vendor questionnaire (CAIQ, SIG Lite, or custom), email security@rentari.ai and we will respond within 5 business days.
Your data, encrypted and on the record.
Encrypted in transit and at rest, with every action written to an audit trail you can export.