Information Security Policy
Effective date: November 16, 2025 · Virtual Business Cards LLC, operating as RLTRsync
RLTRsync handles sensitive personal data on behalf of real estate agents, brokerages, open house visitors, and buyer agents who submit offers through our platform. This Information Security Policy describes the technical and organizational measures we take to protect that data — and the responsibilities of anyone who accesses or operates our systems.
This policy applies to all RLTRsync employees, contractors, and third-party service providers who access company systems, customer data, or infrastructure in any capacity.
Contents
- Scope & Applicability
- Data Classification
- Access Controls
- Encryption & Transmission
- Infrastructure & Hosting
- Payment Security
- Third-Party & Vendor Security
- Open House & Visitor Data
- Offer Management & Financial Documents
- Data Retention & Deletion
- Incident Response
- Employee & Contractor Responsibilities
- User Responsibilities
- Policy Review
1. Scope & Applicability
This policy covers:
- All personal data collected or processed through the RLTRsync platform, including agent account data, open house visitor data, offer submission data, financial documents, SMS/MMS communications, and payment records
- All systems, servers, databases, and third-party services used to operate the platform
- All personnel — employees, contractors, and vendors — who access RLTRsync systems or customer data in any capacity
This policy should be read alongside our Privacy Policy and Terms & Conditions, both of which are incorporated by reference.
2. Data Classification
We classify data into three tiers to ensure appropriate handling:
Sensitive
- Offer submission financial documents: proof of funds letters, mortgage pre-approval letters, and lender information
- Offer terms and purchase price data submitted by buyer agents
- Open house visitor signatures and signed disclosure documents
- SMS/MMS message content and phone numbers
- Agent account credentials and authentication tokens
- Any data subject to real estate compliance regulations (e.g., NYS Agency Disclosure, Fair Housing)
Confidential
- Agent profile data: name, email, phone, brokerage, listing information
- Buyer agent contact details and license information submitted via offer intake
- CRM sync data and lead records
- Usage data and analytics tied to individual accounts
Internal
- Aggregated, anonymized analytics
- Internal business operations data not linked to individual users
3. Access Controls
Principle of Least Privilege
Access to systems and customer data is granted on a need-to-know basis. Personnel are given the minimum level of access required to perform their role. Access rights are reviewed regularly and revoked immediately upon role change or termination.
Authentication
- All internal systems require strong, unique passwords
- Multi-factor authentication (MFA) is required for all administrative access to production systems, databases, and cloud infrastructure
- Shared credentials are prohibited
User Account Security
- Agent accounts are protected by password and optional MFA
- Session tokens expire after a period of inactivity
- Failed login attempts trigger rate limiting and account lockout protections
- Users are responsible for maintaining the confidentiality of their own credentials
Offer Data Access
- Offer submissions and uploaded financial documents are accessible only to the listing agent who created the intake link and their authorized brokerage members
- Buyer agents who submit offers can view their own submission status but cannot access other submissions
- RLTRsync platform administrators may access offer data only for support, security, and compliance purposes — never for commercial use
- All access to financial documents by platform staff is logged with timestamp and user identity
Administrative Access
- Production database access is restricted to authorized engineers only
- All administrative actions on production systems are logged with timestamps and user identity
- Remote access to infrastructure requires VPN or equivalent secure tunnel
4. Encryption & Transmission
Data in Transit
- All data transmitted between users and our platform is encrypted using TLS 1.2 or higher (HTTPS enforced across all endpoints)
- HTTP connections are automatically redirected to HTTPS
- Financial document uploads are transmitted over encrypted connections directly to secure storage
- SMS/MMS communications are transmitted via Twilio using their encrypted channels
Data at Rest
- Sensitive and confidential data stored in our databases is encrypted at rest
- Financial documents (proof of funds, pre-approvals) are stored in encrypted object storage with server-side encryption
- Encryption keys are managed separately from the data they protect
- Signed disclosure documents and visitor signatures are stored in encrypted form
Passwords
User passwords are never stored in plain text. We use industry-standard hashing algorithms (bcrypt or equivalent) with appropriate salt rounds.
5. Infrastructure & Hosting
Cloud Infrastructure
RLTRsync is hosted on reputable cloud infrastructure providers that maintain robust security certifications including SOC 2 and ISO 27001. We inherit and build upon their physical and network security controls.
Network Security
- Production systems are isolated in private networks, not publicly accessible except through defined API endpoints
- Firewalls and security groups restrict inbound and outbound traffic to only what is required
- Intrusion detection monitoring is applied to network traffic
Vulnerability Management
- Dependencies and libraries are monitored for known vulnerabilities and updated promptly
- Critical security patches are applied within 24–72 hours; others within regular release cycles
- Code is reviewed for common security vulnerabilities (OWASP Top 10) prior to deployment
Backups
- Customer data is backed up on a regular, automated schedule
- Backups are encrypted and stored separately from production systems
- Backup integrity is tested periodically to ensure recoverability
6. Payment Security
All payment processing is handled by Stripe, a PCI DSS Level 1 certified payment processor. RLTRsync does not store, process, or transmit credit card numbers, CVV codes, or bank account information on our own systems. Payment data is transmitted directly from your browser to Stripe's secure servers.
7. Third-Party & Vendor Security
We share data with third-party service providers only as necessary to operate the platform. Our primary data processors include:
- Twilio — SMS/MMS; SOC 2 Type II certified
- Stripe — Payments; PCI DSS Level 1 certified
- Cloud hosting provider — Infrastructure; SOC 2 and ISO 27001 certified
Third-party integrations (e.g., Follow Up Boss, HubSpot, kvCore, Zapier) receive only the data necessary for their specific function, at the agent's direction. Offer submission data and financial documents are never forwarded to CRM integrations or third-party tools without explicit action by the listing agent.
8. Open House & Visitor Data
Open house visitor data — including names, contact information, and signed disclosure documents — involves members of the public who may not be RLTRsync account holders.
- Visitor sign-in data is associated only with the hosting agent's account and is not accessible to other agents or third parties without the agent's direction
- Signed disclosure documents are stored in encrypted form and accessible only to the collecting agent and authorized platform administrators
- Visitor data is never used for marketing, profiling, or any purpose beyond operating the platform
- Agents are responsible for informing visitors of data collection at the point of sign-in, consistent with applicable laws in their jurisdiction
9. Offer Management & Financial Documents
Offer management involves some of the most sensitive data on the platform — financial documents and confidential transaction terms submitted by buyer agents on behalf of their clients. We apply heightened security controls to this data category.
Document Storage
- All uploaded financial documents (proof of funds, pre-approval letters, addenda) are stored in encrypted object storage with server-side encryption
- Documents are stored with randomized, non-guessable storage keys — they cannot be accessed by guessing a URL
- Document access requires an authenticated session and verified association with the correct listing agent account
Access Controls
- Financial documents are accessible only to the listing agent, their authorized brokerage members, and RLTRsync platform administrators (for support and compliance purposes only)
- Buyer agents who submit documents cannot view documents submitted by other buyer agents on the same listing
- All document downloads and access events are logged
Data Minimization
- We collect only the offer and document data necessary to operate the intake and comparison features
- Financial documents are not indexed, analyzed, or processed beyond storage and display to the authorized listing agent
- We do not extract or store financial figures from uploaded documents in any separate database
Transmission
- Document uploads by buyer agents are transmitted over TLS-encrypted connections
- Document download links are time-limited and require authentication
- Documents are never transmitted via SMS, unencrypted email, or any non-secure channel by our platform
10. Data Retention & Deletion
Retention Periods
- Agent account data — Retained for the life of the account, plus a reasonable wind-down period after cancellation
- Offer submission data & financial documents — Retained for a minimum period consistent with real estate transaction record-keeping requirements in the applicable jurisdiction (typically 3–5 years). Financial documents are retained only as long as necessary for the active transaction review period unless the agent's jurisdiction requires longer retention
- Open house visitor data & signed disclosures — Retained as required by applicable real estate record-keeping regulations, typically 3–5 years depending on jurisdiction
- SMS/MMS records — Retained for a minimum period required by applicable law, then deleted or anonymized
- Payment records — Retained as required by tax and financial regulations, typically 7 years
- Usage and diagnostic logs — Retained for up to 90 days, then purged unless required for an active security investigation
Deletion
Upon account cancellation, personal data is marked for deletion and removed from active systems within a reasonable period, subject to legal retention obligations. Backup copies may persist for a limited time before being purged in the normal backup rotation cycle. You may request deletion of your data at any time by contacting contact@rltrsync.com.
11. Incident Response
Detection & Containment
We maintain monitoring and alerting on production systems to detect anomalous access, unusual data transfers, and potential security events. Upon detecting a potential incident, our response includes:
- Immediate containment — isolating affected systems to prevent further exposure
- Investigation — determining the scope, cause, and data affected
- Remediation — patching the vulnerability and restoring secure operations
- Post-incident review — documenting findings and implementing process improvements
Breach Notification
In the event of a confirmed data breach involving personal data, we will:
- Notify affected users by email as soon as reasonably practicable, no later than required by applicable law (typically 72 hours for GDPR-covered data, 30 days under most US state laws)
- Notify relevant regulatory authorities where required
- Provide details on what data was affected, what we are doing to address it, and what steps affected users should take
- Where a breach involves financial documents or offer data, notify both the listing agent and, where practicable, the affected buyer agents
Responsible Disclosure
We welcome reports from security researchers who discover vulnerabilities in our platform. Please report findings to support@rltrsync.com with "Vulnerability Report" in the subject line. We commit to acknowledging reports within 5 business days and working in good faith to address confirmed vulnerabilities promptly. We ask that you do not publicly disclose vulnerabilities until we have had a reasonable opportunity to remediate them.
12. Employee & Contractor Responsibilities
All RLTRsync employees and contractors with access to customer data or company systems are required to:
- Complete security awareness training upon onboarding and annually thereafter
- Use strong, unique passwords and MFA on all work accounts
- Never share credentials or access tokens with others
- Access customer data — including offer documents and financial materials — only for legitimate business purposes, never for personal use
- Report suspected security incidents or policy violations immediately to leadership
- Use approved devices and secure networks when accessing production systems; public Wi-Fi is prohibited without VPN
- Return or destroy all company data and access credentials upon separation
- Comply with this policy and all applicable privacy laws
Violations of this policy may result in disciplinary action up to and including termination, and may be reported to relevant authorities where required by law.
13. User Responsibilities
Agents and other users of the RLTRsync platform are responsible for:
- Keeping account credentials confidential and not sharing login access
- Using strong passwords and enabling MFA where available
- Notifying us immediately at support@rltrsync.com if they suspect unauthorized access to their account
- Ensuring that any devices used to access the platform are reasonably secured
- Handling downloaded offer documents and financial materials securely outside of our platform — including using encrypted storage and limiting access to authorized parties
- Complying with all applicable laws when collecting visitor data through open house tools and when collecting offer submissions and financial documents
- Not attempting to probe, test, or exploit vulnerabilities in the platform without prior written authorization
- Not sharing offer intake links beyond their intended purpose or allowing unauthorized parties to access offer submissions
14. Policy Review & Updates
This policy is reviewed at least annually and updated as needed to reflect changes in our technology, operations, applicable law, or the threat landscape. Material changes will be communicated to users via email or a notice on our website. Continued use of the Service after an updated policy is posted constitutes acceptance of the revised terms.
The most current version of this policy is always available at rltrsync.com/security.
Security Contact
For security concerns, vulnerability reports, data breach reports, or questions about this policy:
- Email: support@rltrsync.com
- Subject line: "Security Incident" for breaches · "Vulnerability Report" for disclosures
- Mail: Virtual Business Cards LLC, 1702 W Cleveland St, Apt 415, Tampa FL 33606
We aim to acknowledge all security reports within 5 business days.