Security & Trust

Built for the trust required to handle rent.

Proprietio moves real money for real landlords every day. This page lists exactly what we do — and openly what we don't (yet) claim. No security theatre.

Controls in production today

Verifiable in our codebase + provider stack. Updated May 2026.

We never see your card

All rent collection runs through Stripe Connect. Card numbers never touch our servers — Stripe holds PCI scope as a Level 1 service provider. We see token IDs only.

TLS encryption in transit

Every request between your browser, the Proprietio app, and our API is HTTPS. HTTP is force-redirected. Strict-Transport-Security headers prevent downgrade attacks.

bcrypt password hashing

Passwords are hashed with bcrypt (cost factor 10) before storage. Even if a database dump leaked, plaintext passwords could not be recovered. We never store, log, or email passwords.

Multi-tenant data isolation

Every record (units, tenants, leases, payments, invoices, owner reports) is scoped by organizationId. Server-side guards reject any cross-org read or write at the route layer — not just the UI.

Role-based access control

Three roles: organization admin, staff, and tenant. Each role maps to a strict set of allowed routes and operations. Tenants only see their own lease, invoices, and payments — never another tenant's.
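
The route-layer checks described in the two sections above, as an added JavaScript sketch (not Proprietio's code). The role keys, permission strings, record shapes and the `readOrWriteLease` helper are hypothetical, and the sample leases are constructed.

```javascript
// Hypothetical role-to-permission map. A Map (not a plain object) so that a
// role string such as "__proto__" cannot resolve to an inherited property.
const ROLE_PERMISSIONS = new Map([
  ["admin", new Set(["lease:read", "lease:write"])],
  ["staff", new Set(["lease:read", "lease:write"])],
  ["tenant", new Set(["lease:read"])],
]);

// Constructed sample data: two organizations, three leases.
const LEASES = [
  { id: "lease_1", organizationId: "org_A", tenantUserId: "user_t1", rent: 1800 },
  { id: "lease_2", organizationId: "org_A", tenantUserId: "user_t2", rent: 2100 },
  { id: "lease_3", organizationId: "org_B", tenantUserId: "user_t3", rent: 1500 },
];

// session comes from the authenticated server-side session, never from the
// request body or query string, so a client cannot choose its own org or role.
function readOrWriteLease(session, permission, leaseId) {
  // 1. Role check: is this operation allowed for the caller's role at all?
  const allowed = ROLE_PERMISSIONS.get(session.role);
  if (!allowed || !allowed.has(permission)) return { status: 403, lease: null };

  // 2. Tenant isolation: the lookup itself is scoped by organizationId, so a
  //    valid id from another organization simply does not match.
  const lease = LEASES.find(
    (l) => l.id === leaseId && l.organizationId === session.organizationId
  );

  // 3. Tenants are narrowed further to their own lease.
  const ownsIt = lease && lease.tenantUserId === session.userId;
  if (!lease || (session.role === "tenant" && !ownsIt)) {
    // Same 404 as a nonexistent id, so the response does not reveal that the
    // record exists in another organization or belongs to another tenant.
    return { status: 404, lease: null };
  }
  return { status: 200, lease };
}

// Cross-org read by an org_A admin: rejected even though lease_3 exists.
const adminA = { userId: "user_a1", role: "admin", organizationId: "org_A" };
console.log(readOrWriteLease(adminA, "lease:read", "lease_3").status);
```
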

Activity log on sensitive ops

Lease creation, rent changes, payment edits, tenant invites and password resets are recorded in an activity feed. Every entry is timestamped with the actor and is visible to organization admins.

US-based managed hosting

Application + database run on Render in US-East data centers. Postgres uses encrypted block storage at rest. Render holds SOC 2 Type II — see render.com/security.

Daily database backups

Postgres is automatically backed up by our infrastructure provider on a daily cadence with point-in-time recovery. Backups are stored in encrypted form, separately from the production database.

Tenant-side rent protection

When tenants pay through Proprietio, funds settle directly to your Stripe Connect account — never through a Proprietio holding account. We can't freeze, redirect, or hold your rent money.

AI guard-rails (Proprietio AI)

Anything that costs money or sends to a tenant is human-approved. Marketing-spend lifts are hard-capped to the budget you set. The one auto-acting surface is early delinquency reminders — plain email, one-click unsubscribe, full audit trail. See /ai for the full posture.

Payments — how the money flows

We use Stripe Connect with destination charges. When a tenant pays rent, Stripe charges the card and routes the payout directly to your connected Stripe account. Proprietio is the platform — we orchestrate the charge, but we never act as a custodian of your funds.

  • Card numbers, CVCs, and bank account numbers stay inside Stripe's PCI-DSS Level 1 environment.
  • Stripe sends payouts on the schedule you set with Stripe — Proprietio cannot delay, redirect, or freeze payouts.
  • Refund and dispute handling go through Stripe's standard processes.
  • Offline payments (Zelle, Venmo, wire, check, cash) you record in Proprietio never leave your control either — we just track them.

Honest about what we don't (yet) have

Most security pages list certifications. We list ours — and the ones we haven't earned yet, with the work we're doing in their place. If you need a specific certification today, you'll know before signing up.

SOC 2 Type II
In preparation · 2026 H2 audit
What we do instead: We already operate the underlying controls — least-privilege access, encrypted storage, change-management on every deploy, audit logging on sensitive ops, and a documented incident-response runbook. The gap is the formal third-party attestation, not the practices.

ISO 27001
Not pursuing in 2026
What we do instead: Limited demand from our US property-management buyer base. We'll re-evaluate alongside SOC 2 Type II depending on enterprise pipeline.

Third-party penetration test
Internal review only · external test before SOC 2
What we do instead: Automated dependency scanning (npm audit + Dependabot) on every build, peer code review on every merge, and OWASP Top 10 awareness in the dev process. A formal external pen test is sequenced before the SOC 2 audit window.

24/7 SOC monitoring
On-call rotation, not a SOC
What we do instead: Render monitors the platform layer (uptime, infrastructure-level alerts). We monitor application logs ourselves and operate a founder-led on-call rotation for critical incidents — small team, fast response.

Bug bounty program
Responsible disclosure only
What we do instead: We accept reports at security@proprietio.com, acknowledge within 2 business days, and credit researchers (with permission) once issues are resolved. No paid bounty yet — that comes after SOC 2.

HIPAA / FedRAMP / PCI-DSS Level 1
Not applicable
What we do instead: We don't process protected health information or US-government workloads, and we don't store cardholder data directly. Card data is held by Stripe (PCI-DSS Level 1). HIPAA and FedRAMP don't apply to our use case.

If your business requires any of the above before adopting a platform, please contact us. We'll tell you exactly where we are on the roadmap and won't waste your evaluation cycle pretending otherwise.

Found a vulnerability? Tell us first.

We follow responsible disclosure. If you believe you've identified a security issue, email security@proprietio.com with a description of the issue, the steps to reproduce, and the affected URL or endpoint.

We commit to acknowledging your report within 2 business days, providing a triage update within 7 days, and crediting you (with your permission) once the issue is resolved. We don't currently offer a paid bug bounty.

Have a specific question?

Architecture, data residency, vendor management — ask us anything before you sign up.
