Built for the trust required to handle rent.
Proprietio moves real money for real landlords every day. This page lists exactly what we do — and openly what we don't (yet) claim. No security theatre.
Controls in production today
Verifiable in our codebase + provider stack. Updated May 2026.
All rent collection runs through Stripe Connect. Card numbers never touch our servers — Stripe holds PCI scope as a Level 1 service provider. We see token IDs only.
Every request between your browser, the Proprietio app, and our API is HTTPS. HTTP is force-redirected. Strict-Transport-Security headers prevent downgrade attacks.
Passwords are hashed with bcrypt (cost factor 10) before storage. Even if a database dump leaked, plaintext passwords could not be recovered. We never store, log, or email passwords.
Every record (units, tenants, leases, payments, invoices, owner reports) is scoped by organizationId. Server-side guards reject any cross-org read or write at the route layer — not just the UI.
Three roles: organization admin, staff, and tenant. Each role maps to a strict set of allowed routes and operations. Tenants only see their own lease, invoices, and payments — never another tenant's.
Lease creation, rent changes, payment edits, tenant invites and password resets are recorded in an activity feed. Every entry is timestamped with the actor and is visible to organization admins.
Application + database run on Render in US-East data centers. Postgres uses encrypted block storage at rest. Render holds SOC 2 Type II — see render.com/security.
Postgres is automatically backed up by our infrastructure provider on a daily cadence with point-in-time recovery. Backups are stored in encrypted form, separately from the production database.
When tenants pay through Proprietio, funds settle directly to your Stripe Connect account — never through a Proprietio holding account. We can't freeze, redirect, or hold your rent money.
Anything that costs money or sends to a tenant is human-approved. Marketing-spend lifts are hard-capped to the budget you set. The one auto-acting surface is early delinquency reminders — plain email, one-click unsubscribe, full audit trail. See /ai for the full posture.
Payments — how the money flows
We use Stripe Connect with destination charges. When a tenant pays rent, Stripe charges the card and routes the payout directly to your connected Stripe account. Proprietio is the platform — we orchestrate the charge, but we never act as a custodian of your funds.
- ✓ Card numbers, CVCs, and bank account numbers stay inside Stripe's PCI-DSS Level 1 environment.
- ✓ Stripe sends payouts on the schedule you set with Stripe — Proprietio cannot delay, redirect, or freeze payouts.
- ✓ Refund and dispute handling go through Stripe's standard processes.
- ✓ Offline payments (Zelle, Venmo, wire, check, cash) you record in Proprietio never leave your control either — we just track them.
Honest about what we don't (yet) have
Most security pages list certifications. We list ours — and the ones we haven't earned yet, with the work we're doing in their place. If you need a specific certification today, you'll know before signing up.
If your business requires any of the above before adopting a platform, please contact us. We'll tell you exactly where we are on the roadmap and won't waste your evaluation cycle pretending otherwise.
Found a vulnerability? Tell us first.
We follow responsible disclosure. If you believe you've identified a security issue, email security@proprietio.com with a description of the issue, the steps to reproduce, and the affected URL or endpoint.
We commit to acknowledging your report within 2 business days, providing a triage update within 7 days, and crediting you (with your permission) once the issue is resolved. We don't currently offer a paid bug bounty.
Have a specific question?
Architecture, data residency, vendor management — ask us anything before you sign up.
See also: Privacy policy · Terms of service