PropTech Integrations

Pillar 03 · Security

In CRE, your data is the deal.
Make it secure.

Rent rolls, investor PII, LP commitments, off-market terms — the data that makes AI useful is exactly the data you cannot afford to leak. Most AI tools route it through shared public endpoints you don't control. We build the opposite: private AI agents and dedicated infrastructure, engineered so your deal data never leaves your control.

What we deliver

Two ways to run AI that answers only to you.

Secure AI Agents

A private assistant your team reaches on a secure application. It answers a named allowlist of your people and no one else — and lives on infrastructure with no public doorway.

  • Named allowlist — everyone else is refused
  • One revocable certificate per person
  • Every session logged

Fully Private AI Hosting

Frontier open models running on dedicated GPUs inside your own cloud. Prompts, documents, and replies never reach a third-party AI vendor. For mandates where nothing may leave — LP data, fund financials, off-market pipelines.

  • 0 bytes of prompts or documents shared with any AI vendor
  • Frontier open models, served side by side
  • Flat, predictable infrastructure cost — no per-message fees

Enterprise-grade security.

Designed to support the data-protection obligations your clients and counsel care about — GDPR, CCPA, and the confidentiality terms already in your agreements.

ISO/IEC 42001:2023

SOC 2 Type II

Encrypted end-to-end

No training on user data

CCPA

GDPR

The architecture

Zero public entry points, by design.

Your deployment runs in your own cloud account: you own the keys, the code, and the logs, and every path your data can travel is written down and reviewable.

Your team

Named individuals only — one revocable certificate per person.

Your private cloud environment

AI agents

Hardened containers: non-root, read-only, zero kernel privileges.

Private AI models

Frontier open models on dedicated GPUs — plus proprietary models under business terms when you choose.

Encrypted secrets vault

Immutable audit logs

Continuous scanning

Your private channels

The agent dials out to where your team already works. Nothing dials in.

The agent dials out to your channels; nothing dials in. Your team enters through one cryptographically verified door.

Under the hood

The technology — and why each choice matters.

Private-by-design network

The agent has no public address. It dials out; nothing on the internet can dial in.

Certificate-based VPN

Access requires a per-person cryptographic identity — revocable individually, not a shared password.

Customer-managed encryption

Credentials sealed in a secrets manager under a key you own and can revoke at any time.

Hardened OS in the cloud

Non-root, read-only, zero kernel privileges. If anything is compromised, it has nowhere to go.

Continuous vulnerability scanning

Every component is re-examined as new threats are published — not just at install.

Least-privilege everything

Each part may touch exactly one image, one vault, one log stream. Nothing holds broad access.

Data privacy

Privacy is not a feature we add. It's the position we start from.

  • Encrypted end to end

    TLS in transit; sealed at rest under a key only you control. Revoke it and the data is unreadable — even to us.

  • Access you can name

    The agent answers a named allowlist — everyone else is refused. One certificate per person; every session logged.

  • Never used to train AI

    Private models keep prompts entirely in-network; any external calls run under business terms that bar training.

  • Minimal retention, on paper too

    Runtime state is ephemeral — nothing accumulates unless you choose. NDA and DPA close the loop on paper.

During an engagement

How we handle your data while we work.

  • What we access

    During an audit we typically review tool inventories, workflow documentation, and representative samples of the documents your teams handle — rent rolls, LOIs, reports. We ask for the minimum sample that makes the analysis honest.

  • What we don't take

    We work in your systems under accounts you provision and can revoke. Client data doesn't leave your environment for our convenience; analysis artifacts we create reference your data rather than copying it wherever possible.

  • NDA before anything

    Every engagement begins with a mutual NDA — before the first interview, before the first screen share. Yours or ours, whichever your counsel prefers.

  • No training on your data

    Nothing we see in your engagement is used to train AI models, ours or anyone else's. Where we use AI tooling in our own analysis, it runs under enterprise agreements with training disabled.

  • Retention & return

    At engagement end, access is revoked, working copies are destroyed, and we certify it in writing. What we keep is what we delivered to you: the policy, register, map, and roadmap.

  • If something goes wrong

    You get a named contact and a committed notification window for any suspected incident involving your data. That commitment is in the engagement agreement, not just this page.

Questions your IT or counsel wants answered before an engagement? Send them through the contact page — security questionnaires welcome.

Next step

Bring your security questionnaire.

The discovery call is a fine place for your IT lead's hardest questions. We'd rather answer them before the engagement than after.