Security & Trust

Your data, protected.

How we secure your data, protect your privacy, and earn the trust of brokerages, attorneys, and property managers.

How we protect your data

Security built into every layer.

Security and privacy were built into the platform from the start, at every layer.

Encryption

Encrypted in transit (TLS 1.3) and at rest (AES-256). Passwords and keys are hashed; API keys are shown once and never stored in the clear.

Authentication & access

Phishing-resistant passkeys (WebAuthn/FIDO2), two-factor authentication, and Google SSO. Role-based access and per-organization isolation are enforced on every query.

Infrastructure

Managed cloud hosting with isolated production environments. Encrypted databases with automated daily backups and point-in-time recovery.

Network & application security

Cloudflare WAF, DDoS protection, and bot mitigation on every public endpoint, plus rate limiting, strict input validation, and protection against common injection attacks.

Monitoring & audit logging

Tamper-evident, append-only audit trails for sensitive operations, with real-time alerting. Secrets and sensitive data are never written to logs.

Secure development & change management

Every change passes automated security checks (dependency, CVE, and secret scanning) before it ships. All code is reviewed, version-controlled, and reversible.

AI & model security

AI runs on isolated infrastructure. We don't permit the model providers we use to train on your data, and we send only the data a task needs — never more than necessary.

Data privacy

We process publicly available real estate records, including deeds, mortgages, tax and assessment data, and permits, drawn from federal, state, county, and municipal sources across the markets we cover, alongside authorized MLS data. Personal client data is never sold or shared, and Daniel's Law redaction is supported for protected persons. See our Privacy Policy for full details.

Compliance & standards

Held to your standards.

The people who use Tortus work under fair housing rules, MLS data controls, and client privacy obligations. We hold our controls to the same ones.

SOC 2

Our controls are aligned to the SOC 2 Trust Services Criteria.

MLS data (VOW & IDX)

For each MLS we work with, including REBNY, we honor audit trails for VOW, public-display and status rules for IDX, and timely data refresh.

Daniel's Law

Redaction capability for protected persons.

Payments (PCI)

Card payments are processed by Stripe, a PCI-DSS Level 1 service provider. Tortus never stores raw card numbers.

Privacy rights (GDPR / CCPA)

We honor access, correction, and deletion requests for personal information, as described in our Privacy Policy.

Sub-processors

The vendors that help us run Tortus.

We work with a small set of established providers to deliver the platform. Each is bound by data-protection obligations and maintains its own industry attestations (such as SOC 2 Type II).

Provider | Purpose
Amazon Web Services | Application database, hosting, and Bedrock AI model inference
Cloudflare | CDN, DNS, WAF, and media storage (R2)
Anthropic, OpenAI, Google | AI model inference
Plaid | Applicant income & asset verification (Tortus Apply)
Checkr | Applicant background & credit screening (Tortus Apply)
Supabase | Operational metadata

Reliability & incident response

Prepared for the bad day, too.

Backups, a documented incident process, and clear retention windows mean we can recover quickly and tell you what happened.

Backup & recovery

Automated daily database backups with point-in-time recovery. Media is stored with eleven-nines durability.

Incident response

A documented response process with severity-based targets. We notify affected customers of any confirmed breach without undue delay.

Data retention

Customer data is retained for the life of your account and deleted on request or within 30 days of termination. Audit logs are kept for one year and API usage logs for 90 days. Live status is available at our status page.

Responsible disclosure

Found something? Tell us.

We investigate every report and ask that you give us a reasonable window to fix the issue before disclosing it publicly. Email security@tortus.io; our security.txt lists current contact details.

Last updated: June 18, 2026