Tenantory
SOC 2 · Stripe PCI · built on audited infrastructure

Your tenants' data isn't a side project.

We don't write novels about how much we love security. Here's how it actually works: the stack, what we store, how we handle it, and what happens if something goes wrong.

SOC 2 Type II
Annual third-party audit of our security, availability, and confidentiality controls. Audit in progress — report Q3 2026
Stripe · PCI DSS Level 1
All payments handled by Stripe. We never see or store full card numbers. Active
GDPR & CCPA ready
Export, portability, deletion requests honored within 30 days. Data Processing Agreement available on request. Active
status.tenantory.com
Public uptime & incident page. Every outage is disclosed within 30 minutes with root-cause to follow. 99.98% 90-day uptime
The stack

Every layer is audited, so we don't have to build security from scratch.

Tenantory sits on top of platforms that are individually SOC 2-certified. We're not asking you to trust our homegrown crypto — we don't write any.

Edge · traffic in
Vercel Edge + Cloudflare
TLS 1.3 on every connection, HSTS preload, DDoS protection at Anycast edge. Per-workspace domain routing via proxy.ts. SOC 2 Type II.
Application · request processing
Clerk
Authentication, MFA, SSO (Scale/Enterprise). Passwords never reach our infrastructure — hashed with Argon2 on Clerk's side. SOC 2 Type II.
Next.js · Vercel Functions
Stateless Node.js + Fluid Compute. Every request enforces workspace_id scope. Environment isolation per deployment.
Stripe
All payments, cards, bank accounts. We get a customer_id and events back — never full numbers. PCI DSS Level 1.
Storage · at rest
Supabase (Postgres)
Row-level security enforces workspace_id at the database. AES-256 encryption at rest. Point-in-time recovery, 30-day backup retention. SOC 2 Type II.
Supabase Storage / Vercel Blob
Lease PDFs, tenant ID scans, maintenance photos. AES-256 at rest. Pre-signed URLs for access — expire in 60 min. No public buckets.
How we think about this

Four security principles, applied to every feature.

01

Least privilege by default.

A feature doesn't get database access unless it absolutely needs it. A user doesn't see another workspace's data — ever. Workspace isolation is enforced at the row level, not in application code, so a code bug can't leak data across tenants.

02

We don't roll our own crypto.

We use TLS 1.3 (not a custom channel), AES-256 (not a homegrown cipher), Argon2 via Clerk (not MD5 with salt). Every cryptographic primitive is battle-tested and audited. Boring is safer than clever.

03

Audit logs on every write.

Every create, update, and delete is logged with user, IP, timestamp, and payload diff. Logs are append-only and retained for 2 years. If something weird happens, we can reconstruct exactly what and when.

04

Your data is your data.

You can export every byte of your workspace to CSV or JSON in one click. Cancel anytime and we delete everything within 30 days (keeping only what regulations require, like transaction logs). We don't hold data hostage.
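Principle 03 above (every create, update and delete logged with user, IP, timestamp and a payload diff; logs append-only), worked through as an added Postgres example. This is not Tenantory's code: the audit_log and leases tables, api_role, and the app.user_id / app.client_ip session settings are assumptions.

```sql
-- Added illustration of an append-only audit trail with a payload diff;
-- not Tenantory's implementation. Table, role and setting names are
-- assumed; "leases" stands in for the table being audited.
CREATE TABLE audit_log (
    id           bigserial PRIMARY KEY,
    at           timestamptz NOT NULL DEFAULT now(),
    workspace_id uuid,
    actor_id     text,              -- set per request by the application
    client_ip    inet,              -- likewise
    table_name   text NOT NULL,
    row_id       bigint,
    action       text NOT NULL CHECK (action IN ('INSERT', 'UPDATE', 'DELETE')),
    old_row      jsonb,
    new_row      jsonb,
    changed_keys text[]             -- the diff: which columns changed
);

CREATE OR REPLACE FUNCTION audit_row() RETURNS trigger
LANGUAGE plpgsql SECURITY DEFINER AS $$
DECLARE
    o jsonb := CASE WHEN TG_OP = 'INSERT' THEN NULL ELSE to_jsonb(OLD) END;
    n jsonb := CASE WHEN TG_OP = 'DELETE' THEN NULL ELSE to_jsonb(NEW) END;
BEGIN
    INSERT INTO audit_log (workspace_id, actor_id, client_ip, table_name,
                           row_id, action, old_row, new_row, changed_keys)
    VALUES (
        (COALESCE(n, o) ->> 'workspace_id')::uuid,
        current_setting('app.user_id', true),
        NULLIF(current_setting('app.client_ip', true), '')::inet,
        TG_TABLE_NAME,
        (COALESCE(n, o) ->> 'id')::bigint,
        TG_OP, o, n,
        -- keys whose value differs between the old and new row image
        (SELECT array_agg(k) FROM jsonb_object_keys(COALESCE(n, o)) AS k
          WHERE o IS NULL OR n IS NULL OR o -> k IS DISTINCT FROM n -> k)
    );
    RETURN NULL;   -- AFTER trigger: the return value is ignored
END $$;

CREATE TRIGGER leases_audit
    AFTER INSERT OR UPDATE OR DELETE ON leases
    FOR EACH ROW EXECUTE FUNCTION audit_row();

-- Append-only: the API role can read the log, writes to it only through
-- the SECURITY DEFINER trigger, and can never rewrite or erase history.
REVOKE ALL ON audit_log FROM PUBLIC;
GRANT SELECT ON audit_log TO api_role;
```

A separate retention job running as the table owner, not the API role, is what would prune rows past the stated 2-year window.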

What we actually store

The receipts. Every field, every encryption state.

This is the inventory, not a marketing summary. If you need more detail, request our Data Processing Agreement.

Data | What it's used for | At rest | In transit
Tenant name, email, phone | Login, rent reminders, portal access, lease variables | Encrypted | TLS 1.3
Tenant DOB & SSN last 4 | Credit check submission only — purged after 90 days | Tokenized | TLS 1.3
Government ID scans | Application verification · pre-signed URLs only | Encrypted | TLS 1.3
Bank account / card numbers | Never touched — held entirely by Stripe | Not stored | Not stored
Passwords | Never touched — hashed by Clerk with Argon2 | Hashed | TLS 1.3
Lease PDFs | Signed lease storage, tenant download | Encrypted | TLS 1.3
Maintenance photos | Ticket context, handyman reference | Encrypted | TLS 1.3
Audit logs | Who did what, when, from where · 2-year retention | Encrypted | TLS 1.3
Analytics / usage telemetry | Workspace-aggregated counts only · no PII | No PII | TLS 1.3
Tenant data specifics

Who can see what in your workspace.

Every row in the database is scoped to a workspace_id. Row-level security policies enforce this at Postgres — not just in application code.
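The workspace_id scoping described here and under principle 01, written out as an added Postgres example. It is not Tenantory's schema or policy set; the leases table, api_role and the app.workspace_id session setting are assumptions (Supabase deployments commonly derive the scope from JWT claims instead, but the row-level security mechanism is the same).

```sql
-- Added illustration of database-enforced workspace isolation; not
-- Tenantory's schema. Table, role and setting names are assumptions.
CREATE TABLE leases (
    id           bigserial PRIMARY KEY,
    workspace_id uuid NOT NULL,
    tenant_name  text NOT NULL,
    pdf_path     text
);

-- Application-only isolation: one forgotten WHERE clause leaks every
-- workspace's rows, and nothing below the application catches it.
--   SELECT * FROM leases WHERE workspace_id = $1;   -- easy to omit once

-- Database-enforced isolation: Postgres evaluates the policy on every
-- statement, whatever query the application actually sent.
ALTER TABLE leases ENABLE ROW LEVEL SECURITY;
ALTER TABLE leases FORCE ROW LEVEL SECURITY;   -- applies to the owner too

CREATE POLICY workspace_isolation ON leases
    USING      (workspace_id = NULLIF(current_setting('app.workspace_id', true), '')::uuid)
    WITH CHECK (workspace_id = NULLIF(current_setting('app.workspace_id', true), '')::uuid);
-- If the setting is absent or empty the right-hand side is NULL, the
-- comparison is NULL, and the policy matches nothing: it fails closed.

-- The role the API connects as must not be able to bypass RLS.
CREATE ROLE api_role NOLOGIN NOBYPASSRLS;
GRANT SELECT, INSERT, UPDATE, DELETE ON leases TO api_role;

-- Per request, the application pins the scope for this transaction only.
-- SET LOCAL reverts at COMMIT/ROLLBACK, so a pooled connection cannot
-- carry one workspace's scope into the next request.
BEGIN;
SET LOCAL app.workspace_id = '11111111-1111-1111-1111-111111111111';
SELECT id, tenant_name FROM leases;   -- only rows of workspace 1111...
COMMIT;

-- Writing a row tagged with a different workspace is rejected by WITH CHECK:
--   INSERT INTO leases (workspace_id, tenant_name)
--       VALUES ('22222222-2222-2222-2222-222222222222', 'x');
--   ERROR:  new row violates row-level security policy for table "leases"
```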

Security FAQ

The questions people actually ask.

Primary Postgres in AWS us-east-1 (N. Virginia). Backups replicated to us-west-2 (Oregon). Files in Supabase Storage / Vercel Blob in the same US regions. Enterprise customers can request EU residency (eu-west-1) — add-on.
No, not by default. Our engineers can see metadata and workspace-aggregated counts. To access raw tenant data (say, to debug an issue you reported), we require your written approval via the in-app "Grant support access" toggle. Every break-glass access is logged and you get an email after the fact. Approval auto-expires in 24 hours.
You get 30 days to export everything (CSV + JSON). After 30 days, your workspace is deleted from active systems. Encrypted backups age out 90 days after deletion. Financial transaction records are retained per IRS / state requirements (typically 7 years) but anonymized.
Yes, on Scale and Enterprise plans. Via Clerk we support Google Workspace, Microsoft Entra (Azure AD), Okta, and generic SAML/OIDC. Standard SCIM user provisioning on Enterprise.
Every user can enable TOTP (Google Authenticator / Authy / 1Password) from Settings → Security. Admins can require MFA for all workspace members on Pro+ plans. SMS MFA is supported but discouraged — we prefer TOTP.
No. Tenantory is not designed for protected health information. Don't store PHI in tenant records, maintenance notes, or messages. If you need HIPAA coverage for assisted-living properties, talk to us — it's on the Enterprise roadmap but not available today.
Yes — email security@tenantory.com. Our standard DPA follows the EU SCCs (Module Two). Turnaround is 1–2 business days.
We run an annual third-party penetration test (currently scheduled for August 2026 with Include Security). Redacted report available to Scale/Enterprise customers under NDA. Internal red-team exercises happen quarterly.
Responsible disclosure

Found a bug? We pay for it.

If you find a security issue, email security@tenantory.com. Don't post it on Twitter. We respond within 24 hours, fix within the severity SLA (critical: 24h / high: 72h / medium: 2 weeks), and pay bounties: $500–$5,000 depending on impact. PGP key available at tenantory.com/.well-known/security.txt.


Need to give this to your compliance team?

Grab the full security one-pager (PDF), or book a 30-minute call with our security lead to walk through anything on this page in detail.