SOC 2 Type II attestation
LeaseFix maintains a SOC 2 Type II attestation report dated October 2025. Scope: LeaseFix Cloud Production Environment.
A copy of the report is available under NDA. Request it from security@leasefix.co.
Encryption and data protection
- TLS 1.3 in transit for every request between browsers, mobile clients, integration partners, and LeaseFix.
- AES-256 at rest for the primary database, object storage, and backup snapshots.
- PII is encrypted at rest and tokenized during HTTPS/TLS 1.3 transit.
- Per-workspace isolation of property, request, and uploaded content, with row-level security enforced in the database.
Role-based access control
LeaseFix enforces least-privilege RBAC. Roles are:
- Global Admin — full workspace configuration and billing.
- Portfolio Manager — properties, owners, approvals, and reports for assigned portfolios.
- Coordinator — request triage, work order drafting, vendor dispatch, and tenant updates.
- Vendor — secure-link view-only access to the specific work order assigned to them, with no visibility into other tickets, tenants, or portfolios.
Retention
- Maintenance records retained for 7 years.
- Audit logs retained for 3 years.
- Backups: 30 days rolling, encrypted with AES-256.
- Workspace export and deletion available on request; active-system deletion within 30 days, backup deletion within 90 days.
Availability and monitoring
The availability SLA is 99.9%, with 24/7 automated monitoring and a 1-hour critical response window. Current status is published at /status.
AI model policy and human authority
- Customer data is not used to train foundation models without explicit opt-in.
- Fine-tuning, where enabled, occurs on siloed, tenant-anonymized data sets per organization.
- LeaseFix drafts, flags, and structures. A human manager or coordinator reviews before dispatching, sending, or changing priority.
- AI features do not close work orders, dispatch vendors, or send tenant notifications without human approval.
- Every AI suggestion is logged alongside the human decision so the audit trail is preserved.
AppFolio and Buildium integration security
LeaseFix supports live bi-directional API integrations with AppFolio and Buildium only. See /integrations for scope and setup details.
- Permission scopes requested: workorders.write, tenant.read, unit.read.
- Setup: an API key is generated by the PMS (property management system) admin; the LeaseFix app is authorized via OAuth 2.0.
- Fallback: if the API handshake fails, LeaseFix reverts to hourly CSV export/import and sends a System Health Alert to the portfolio manager.
Vulnerability reporting
Report suspected security issues to security@leasefix.co. Please include reproduction steps and avoid accessing data that is not yours.
Privacy and legal
Full data handling details are in the Privacy Policy. Service terms, including AI limitations and the emergency-service disclaimer, are in the Terms of Service.