Draft — pending legal review
Trust & Security
Last updated April 28, 2026
Our Security Commitment
RaiseAppraisal handles sensitive financial and property data. We've built our security program around the AICPA SOC 2 Trust Services Criteria for Security, Confidentiality, and Privacy — the same framework used by enterprise SaaS companies. While we do not currently hold a third-party SOC 2 attestation, our controls are designed to align with these criteria.
This page describes our security and privacy practices in plain English. For specific control documentation, our Enterprise customers can request our Security & Compliance Briefing under NDA.
What We Mean by “SOC 2-Aligned”
SOC 2-aligned means our security program implements controls that map to the AICPA SOC 2 Trust Services Criteria. We do not currently hold a SOC 2 attestation report from an independent auditor.
We commit to pursuing a formal SOC 2 Type I attestation when our scale and resources support it. Until then, we describe our controls transparently and welcome customer security questionnaires.
Why be transparent about this?
SOC 2 has unfortunately become a marketing term that some companies misuse. We don't. If a customer asks “are you SOC 2 certified?” the honest answer is: “We are SOC 2-aligned in our control design, and we will pursue a formal attestation when scale supports it. Here's our control documentation.”
How We Protect Your Data
Encryption
| Where | What |
|---|---|
| In transit | TLS 1.2+ for all data exchanged between your browser and our servers, and between our servers and any sub-processor (Anthropic, Stripe, Vercel, etc.) |
| At rest | All data stored in our PostgreSQL database is encrypted using industry-standard methods (AES-256). All file storage (uploaded PDFs, generated documents) in Vercel Blob is encrypted at rest. Backups inherit encryption from production. |
| AI processing | Data sent to AI providers (Anthropic, Google) is encrypted in transit. Both providers contractually commit not to train models on customer API data. |
Access Control
- Multi-factor authentication required for all administrative access
- Role-based access controls limit each role to the data and actions it needs
- All administrative actions are logged with timestamp, actor, and target
- Production access is audited monthly
- Departing team members lose access within 24 hours of separation
Network Security
- Hosted on Vercel infrastructure, which holds its own SOC 2 attestation; we inherit its physical and network-layer controls
- Web Application Firewall on production traffic
- DDoS mitigation provided by hosting infrastructure
- Vulnerability scanning on all deployed code
Application Security
- All code reviewed before merge
- Static analysis on every commit (security linters)
- Dependency scanning for known CVEs
- Manual security review of any code change touching authentication, payment, or data export
Audit Logging
We log:
- All authentication events (signups, logins, logouts, password changes)
- All subscription state changes (subscribe, cancel, suspend, reactivate)
- All administrative access to user accounts
- All data export events
- All AI generation events (with audit hash of input and output)
Logs are retained for 5 years for class-action defense and security forensics.
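As an added illustration of the "audit hash" pattern in the AI generation log entries above, the block below is example code written for this page, not RaiseAppraisal's own implementation; the field layout, the chaining of each entry to the previous one, and the sample events are assumptions. Each entry keeps only a SHA-256 digest of the prompt and of the completion, so the log proves what was generated without storing the document text, and every entry commits to the hash of the entry before it, so editing, deleting or reordering a record is detectable.

```python
"""Hash-chained audit log for AI generation events (added example).

Each event stores a SHA-256 of the prompt and of the completion rather
than the text itself, and every entry commits to the previous entry's
hash so that editing, dropping or reordering a record breaks the chain.
Field names, the chaining scheme and the sample events are assumptions.
"""
import hashlib
import json
from datetime import datetime, timezone
from typing import Optional

GENESIS = "0" * 64  # prev_hash recorded by the first entry


def canonical(obj: dict) -> bytes:
    """Deterministic JSON encoding so a hash does not depend on key order."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def content_hash(text: str) -> str:
    """SHA-256 over the UTF-8 text; only this digest is kept in the log."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def entry_hash(entry: dict) -> str:
    """Hash of an entry's fields, excluding its own entry_hash."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(canonical(body)).hexdigest()


def append_event(log: list, actor: str, model: str, prompt: str,
                 completion: str, ts: Optional[str] = None) -> dict:
    """Append one AI generation event, chained to the previous entry."""
    entry = {
        "seq": len(log),
        "ts": ts or datetime.now(timezone.utc).isoformat(),
        "actor": actor,
        "model": model,
        "input_hash": content_hash(prompt),
        "output_hash": content_hash(completion),
        "prev_hash": log[-1]["entry_hash"] if log else GENESIS,
    }
    entry["entry_hash"] = entry_hash(entry)
    log.append(entry)
    return entry


def verify_chain(log: list) -> bool:
    """Recompute every hash and link; False on any edit, drop or reorder."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["seq"] != i or entry["prev_hash"] != prev:
            return False
        if entry_hash(entry) != entry["entry_hash"]:
            return False
        prev = entry["entry_hash"]
    return True


def verify_event(entry: dict, prompt: str, completion: str) -> bool:
    """Check retained prompt/completion text against the logged digests."""
    return (content_hash(prompt) == entry["input_hash"]
            and content_hash(completion) == entry["output_hash"])


def demo_log() -> list:
    """Constructed sample events with fixed timestamps (not real data)."""
    log: list = []
    append_event(log, "user:42", "claude", "Summarize comp #3.",
                 "Comp #3 is a 3-bed ...", ts="2026-04-28T10:00:00+00:00")
    append_event(log, "user:42", "gemini", "Draft rebuttal paragraph.",
                 "The appraiser's adjustment ...", ts="2026-04-28T10:05:00+00:00")
    return log


if __name__ == "__main__":
    log = demo_log()
    print("chain valid:", verify_chain(log))
    log[0]["actor"] = "user:99"  # tamper with an earlier record
    print("after tamper:", verify_chain(log))
```

The digests only prove integrity of text that is later presented for checking; they do not let anyone recover the prompt or completion from the log, which is what makes this shape compatible with the 90-day deletion of uploaded PDFs while the log itself is kept for 5 years. In a real deployment the chain head would be anchored somewhere the application cannot rewrite (for example a write-once store or a periodically published hash).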
Backup & Disaster Recovery
- Database backed up at least daily; backups encrypted and retained 35 days
- Backups stored in the same region as production (US-East), replicated across availability zones within that region
- Disaster recovery drills run twice per year
- Recovery Time Objective (RTO): 4 hours
- Recovery Point Objective (RPO): 24 hours
How We Handle Privacy
What We Collect
See our Privacy Policy for the full list. Summary:
- Account info (email, name)
- Uploaded appraisal documents
- Subscription / payment info (handled by Stripe)
- Usage analytics (anonymized)
What We Don't Sell or Share
We do not sell your personal information. We do not share it for cross-context behavioral advertising. We do not have a “Do Not Sell or Share” toggle because the underlying activity does not occur.
Sub-Processors
Every third-party service we use is listed publicly at our Sub-Processor List. For Enterprise customers, we provide 30 days' notice before adding any new sub-processor.
Data Retention
- Uploaded PDFs: deleted after 90 days
- Generated documents: retained while subscription is active + 90 days after cancellation
- Account data: retained while active + 5 years
- See our internal Data Retention Schedule for full details
Your Rights
You can request access to, correction of, deletion of, or a copy of your data at any time. We respond within 45 days. See Privacy Policy for details, or submit a request via our DSR Intake Page.
How We Handle Incidents
Detection
We use:
- Application monitoring (errors, anomalies)
- Authentication anomaly detection
- Sub-processor security alerts
- User reports
Response
If we detect a security incident, we follow our internal Breach Notification Playbook. Key commitments:
- Investigation begins within 1 hour of detection
- Outside counsel engaged within 24 hours of confirmed breach
- Affected users notified per state law (typically within 30 days)
- Enterprise customers notified per their MSA terms (typically within 48-72 hours)
- Full incident report provided to affected parties within 30 days
History
We have not experienced any reportable security incidents to date. Any future incidents that result in user notification will be summarized here.
Vendor Security
We require all sub-processors to:
- Hold a current independent attestation or certification (SOC 2 Type II report preferred; ISO 27001 certification acceptable)
- Sign a Data Processing Agreement (DPA) with us
- Process data only for the services they provide
- Notify us promptly of any security incident affecting our data
- Maintain encryption and access controls equivalent to ours
We periodically re-evaluate sub-processors and may switch providers if security posture changes.
SOC 2 Trust Services Criteria — Our Implementation
We design controls aligned with the SOC 2 Security, Confidentiality, and Privacy criteria.
Security (Common Criteria)
| Criterion | Our Implementation |
|---|---|
| CC1 — Control Environment | Documented security program, assigned compliance ownership, annual training |
| CC2 — Communication & Information | Internal security policies, public privacy policy, customer security briefings on request |
| CC3 — Risk Assessment | Annual risk assessment; quarterly threat-model reviews |
| CC4 — Monitoring | Continuous monitoring + audit logging |
| CC5 — Control Activities | Specific controls documented in our Security Policies Checklist |
| CC6 — Logical & Physical Access | MFA, role-based access, hosting provider physical security |
| CC7 — System Operations | Change management, incident response, capacity monitoring |
| CC8 — Change Management | Code review, deployment approval, rollback capability |
| CC9 — Risk Mitigation | Insurance, vendor management, business continuity planning |
Confidentiality
| Criterion | Our Implementation |
|---|---|
| C1.1 — Identification of Confidential Information | Data classification policy; customer documents always treated as Confidential |
| C1.2 — Disposal of Confidential Information | Data Retention Schedule; secure deletion process |
Privacy
| Criterion | Our Implementation |
|---|---|
| P1.1 — Notice and Communication | Public Privacy Policy; CCPA Notice at Collection at upload step |
| P2.1 — Choice and Consent | Marketing email opt-in; double opt-in for new subscribers |
| P3.1 — Collection | Minimum data collection; no protected class data |
| P4.1 — Use, Retention, Disposal | Data Retention Schedule; any data used for AI training is de-identified using the HIPAA Safe Harbor method (removal of the 18 identifier categories) |
| P5.1 — Access | DSR intake process; 45-day response |
| P6.1 — Disclosure to Third Parties | Sub-processor list; DPAs in place |
| P7.1 — Quality | Validation of fact claims; user can correct inaccurate data |
| P8.1 — Monitoring and Enforcement | Privacy program managed by Privacy Officer; quarterly review |
Our Security & Compliance Roadmap
| Year | Milestone |
|---|---|
| Year 1 | SOC 2-aligned controls live; internal annual security review; vendor DPAs in place |
| Year 2 | SOC 2 readiness assessment by an independent CPA firm; remediation; SOC 2 Type I audit (if Enterprise sales volume supports it) |
| Year 3 | SOC 2 Type II report; ISO 27001 evaluation if we expand internationally |
Progress on this roadmap is reviewed annually and updated here.
For Enterprise Customers
If you represent a lender, AMC, or other enterprise organization conducting a vendor security review, we can provide:
- This Trust & Security Page (public)
- Our Security & Compliance Briefing (under NDA — includes detailed control documentation)
- Our Sub-Processor List
- Our Data Processing Agreement (mutual)
- Customer security questionnaire responses (CAIQ, SIG-Lite formats)
To request: enterprise-security@raiseappraisal.com.
Reporting a Security Issue
If you discover a security vulnerability or have a security concern, email security@raiseappraisal.com.
We acknowledge receipt within 1 business day. We commit to:
- Treating all reports confidentially
- Working with reporters to understand and reproduce the issue
- Not pursuing legal action against good-faith security researchers
- Crediting reporters in any public disclosure (with their permission)
Contact
- Security: security@raiseappraisal.com
- Privacy: privacy@raiseappraisal.com
- Enterprise: enterprise-security@raiseappraisal.com
- Postal: Malama Funding LLC, [address]
See also: Privacy Policy · Sub-Processor List