Security & Trust

Last updated October 15, 2025

This page is maintained by LeaseFix Technologies LLC to answer common security, privacy, and reliability questions about LeaseFix. It reflects controls that are currently enabled in the LeaseFix Cloud Production Environment. It is not an independent certification of any specific customer deployment. Security is a shared responsibility between LeaseFix, the operator running a workspace, and end users.

SOC 2 Type II attestation

LeaseFix maintains a SOC 2 Type II attestation report dated October 2025. Scope: LeaseFix Cloud Production Environment.

A copy of the report is available under NDA. Request it from security@leasefix.co.

Encryption and data protection

  • TLS 1.3 in transit for every request between browsers, mobile clients, integration partners, and LeaseFix.
  • AES-256 at rest for the primary database, object storage, and backup snapshots.
  • PII is encrypted at rest and tokenized during HTTPS/TLS 1.3 transit.
  • Per-workspace isolation of property, request, and uploaded content, with row-level security enforced in the database.

Role-based access control

LeaseFix enforces least-privilege RBAC. Roles are:

  • Global Admin — full workspace configuration and billing.
  • Portfolio Manager — properties, owners, approvals, and reports for assigned portfolios.
  • Coordinator — request triage, work order drafting, vendor dispatch, and tenant updates.
  • Vendor — secure-link view-only access to the specific work order assigned to them, with no visibility into other tickets, tenants, or portfolios.

Retention

  • Maintenance records retained for 7 years.
  • Audit logs retained for 3 years.
  • Backups: 30 days rolling, encrypted with AES-256.
  • Workspace export and deletion available on request; active-system deletion within 30 days, backup deletion within 90 days.

Availability and monitoring

99.9% availability SLA with 24/7 automated monitoring and a 1-hour critical response window. Current status is published at /status.

AI model policy and human authority

  • Customer data is not used to train foundation models without explicit opt-in.
  • Fine-tuning, where enabled, occurs on siloed, tenant-anonymized data sets per organization.
  • LeaseFix drafts, flags, and structures. A human manager or coordinator reviews before dispatching, sending, or changing priority.
  • AI features do not close work orders, dispatch vendors, or send tenant notifications without human approval.
  • Every AI suggestion is logged alongside the human decision so the audit trail is preserved.

AppFolio and Buildium integration security

LeaseFix supports live bi-directional API integrations with AppFolio and Buildium only. See /integrations for scope and setup details.

  • Permission scopes requested: workorders.write, tenant.read, unit.read.
  • Setup: API key generated by PMS admin; LeaseFix app authorization via OAuth 2.0.
  • Fallback: if the API handshake fails, LeaseFix reverts to hourly CSV export/import and sends a System Health Alert to the portfolio manager.

Vulnerability reporting

Report suspected security issues to security@leasefix.co. Please include reproduction steps and avoid accessing data that is not yours.

Privacy and legal

Full data handling details are in the Privacy Policy. Service terms, including AI limitations and the emergency-service disclaimer, are in the Terms of Service.