# Security & Compliance

# Enterprise security. US-resident. Audited.

Your lease data stays in the United States, encrypted, isolated, and never used to train AI models.

[Visit Trust Center](https://trust.leasepilot.co) [Contact Security Team](mailto:security@leasepilot.co)

- SOC 2 Type II
- AES-256 at rest
- TLS 1.2+ in transit
- US infrastructure

Security at a Glance

## Built for enterprise requirements.

### SOC 2 Type II

Independently audited controls for security, availability, and confidentiality. Report available under NDA via our Trust Center.

### AES-256 Encryption

All data encrypted at rest using AES-256 or equivalent at the storage layer.

### TLS 1.2+

All data in transit protected with TLS 1.2 or higher.

### High Availability

Continuous system health monitoring. Specific SLA terms in customer agreements.

### US-Based Infrastructure

All infrastructure located in the United States. Your data stays here.

### Annual Pen Testing

Third-party penetration testing conducted annually. Findings remediated on a risk-prioritized basis.

Infrastructure

## Secure by design.

All infrastructure is located in the United States. Logical tenant separation ensures each customer’s lease data, templates, and configurations are isolated and inaccessible to other customers.

- Hosting: Enterprise cloud infrastructure
- Database: Managed database provider
- Tenancy: Multi-tenant with logical separation
- Deployment: Fully containerized, defined as code (IaC)

Access Control

## Controlled access at every level.

SSO, 2FA, role-based permissions, and audit logging. Your team controls who sees what.

### Two-Factor Authentication

2FA via authenticator app, available for all user accounts.

### Single Sign-On

SSO via SAML and OIDC through your enterprise identity provider.

### Role-Based Access Control

Granular user roles ensure team members only access the data and features they need.

### Need-to-Know Access

Internal employee access to customer data is strictly limited and granted only when necessary.

### Audit Logging

Comprehensive activity logs track all access and changes for compliance and security review.

AI Data Protection

- Your data is not sent to any third-party AI service
- Your data is never used to train models
- All AI prompts and outputs are stored in isolated, company-specific databases
- No cross-tenant data access; your data is only accessible within your organization
- AI processing inherits the same encryption and access controls as all platform data

AI Security

## Rule-based first. AI when you choose.

LeasePilot’s core platform is rule-based automation, not AI. AI-powered features are available as an optional, opt-in capability for tasks like clause suggestions and lease analysis. AI runs on a private model deployment, not a consumer AI service. Your data is not sent to any third party and is never used to train models.

Operational Security

## People, processes, policies.

### Employee Security

- Background and reference checks for all employees
- Regular security awareness training
- Code of conduct and confidentiality agreements
- Formal onboarding and offboarding processes

### Vulnerability Management

- Automated scanning and timely patch management
- Critical vulnerabilities prioritized immediately
- Remediation tracking maintained
- Pentest report available upon request via Trust Center

### Incident Response

- Formal incident response policy
- Incident review process implemented
- Affected customers notified promptly per contractual and legal obligations

### Data Retention & Deletion

- Formal data management and retention policy
- Data export available upon contract termination
- Data deletion available upon request

Business Continuity

## Highly available. Lease operations can’t wait.

LeasePilot targets high availability with continuous system health monitoring.
Specific SLA terms are included in customer agreements. Our infrastructure is fully containerized and defined as code, enabling rapid recovery and environment provisioning. Disaster recovery plans are formally documented and tested regularly.

- Availability: High availability; SLA in agreements
- Monitoring: Continuous system health monitoring
- Disaster Recovery: Formally documented plan, tested regularly
- Data Recovery: Established recovery process
- Infrastructure: Dockerized / IaC, rapid recovery and provisioning
- RTO / RPO: Available on request

Live Status

Subprocessors

## Vetted partners, named openly.

All subprocessors undergo security review before onboarding and are monitored through a formal vendor management program.

| Subprocessor | Purpose |
| --- | --- |
| Microsoft Azure | Cloud infrastructure & hosting |
| Vercel | Application hosting |
| PlanetScale | Database hosting |
| Control Plane | Infrastructure management & security |
| Azure OpenAI Service | AI/ML processing |
| Auth0 | Authentication services |
| WorkOS | Enterprise SSO |
| Liveblocks | Real-time collaboration |
| Sendgrid | Transactional email |
| Twenty | CRM & sales pipeline |
| Intercom | Customer support |
| Zendesk | Customer support |
| Wootric | Customer feedback |
| Mixpanel | Product analytics |
| LogRocket | Session monitoring |
| Sentry | Error monitoring |
| Oneleet | Security & compliance (SOC 2) |

For a complete and up-to-date list of subprocessors, visit our [Trust Center](https://trust.leasepilot.co/?tab=subprocessors).

Need more detail

## We make it easy to verify.

SOC 2 report, pentest results, and security documentation are available through our Trust Center. For questionnaires or specific questions, reach out directly.

[Visit Trust Center](https://trust.leasepilot.co) [Schedule a Demo](/demo)

[security@leasepilot.co](mailto:security@leasepilot.co)