CoTenancyIQ handles commercial lease data, financial information, and AI-generated legal correspondence. Security isn't a marketing checkbox here — it's the difference between a tool you can use and a tool you can't. This page describes exactly what we do, with no overclaiming.
Every piece of customer data is encrypted in transit and at rest. Lease documents, occupancy reports, financial details, and AI-generated correspondence all sit inside a managed PostgreSQL database with AES-256 encryption applied transparently by the database layer. Traffic between your browser and our servers uses TLS 1.3 through Netlify's edge network. There is no scenario in which your data travels unencrypted.
Inside the database, every operational table enforces row-level security — a PostgreSQL feature that filters every read and write against the authenticated user's identity. Even if our application code had a bug, the database itself would refuse to return another customer's data to your session. This is structural protection, not policy.
Authentication uses JWT (signed token) sessions issued by Supabase Auth. Tokens are scoped to a single user identity and verified on every authenticated request. Passwords are hashed using industry-standard algorithms; the platform never sees or stores them in plaintext. Password recovery links are time-limited and single-use.
Sign-in and sign-up endpoints are rate-limited per source IP to prevent brute-force credential attacks. The AI proxy and document parsing endpoints are rate-limited per authenticated user to protect against runaway usage and cost abuse.
CoTenancyIQ uses large language models from Anthropic to analyze lease documents, generate compliance briefings, and draft legal notices. Customer data sent to Anthropic is processed under their commercial terms and is not used to train AI models.
Every AI invocation is logged with the model used, the user identity, and a summary of the input — creating a complete audit trail of automated decisions. AI-generated legal notices are saved as drafts only; nothing is ever sent to a landlord without your explicit action. The platform never auto-sends, auto-files, or auto-commits any legally-binding output on your behalf.
Only data required for cotenancy analysis is sent to AI providers — lease documents for extraction, structured trade-area context for analysis. Authentication credentials, billing details, and unrelated data never transit AI providers.
CoTenancyIQ relies on three sub-processors to deliver the platform. Each is named below along with the data they process and their own compliance posture. We maintain this list in our internal vendor register and update it within 30 days of any change.
| Vendor | Purpose | Data accessed | Their certifications |
|---|---|---|---|
| Netlify | Application hosting, edge network, TLS termination | Encrypted request traffic (TLS terminated at edge) | SOC 2 Type 2, ISO 27001 |
| Supabase | Database, authentication, backups | All customer application data (encrypted at rest) | SOC 2 Type 2, HIPAA-ready |
| Anthropic | AI document analysis and text generation | Lease documents and trade-area context (not used for training) | SOC 2 Type 2, ISO 27001, ISO 42001 |
| Stripe | Payment processing | Billing information; card data never touches CoTenancyIQ infrastructure | PCI DSS Level 1, SOC 2, ISO 27001 |
CoTenancyIQ implements technical controls aligned with the following standards. Formal third-party attestation is on our roadmap; this list reflects what's implemented in code today, not what we plan to do.
SOC 2 Type 2 is an attestation that requires 6+ months of audited operational evidence. CoTenancyIQ's controls are in place today; the formal audit and observation period are scheduled work, not vapor. Enterprise customers requiring a SOC 2 report under NDA: contact us for our current status and timeline.
Your data belongs to you. The platform supports the following customer-controlled actions:
For GDPR, CCPA, and similar regimes, requests are queued through the same workflow. Privacy-related contact: privacy@cotenancyiq.com.
CoTenancyIQ maintains comprehensive audit logs, error logs, and security event logs. Health endpoints continuously verify platform availability. In the event of a confirmed security incident affecting customer data, we will:
Suspected security issues should be reported to security@cotenancyiq.com. We respond within one business day.
Enterprise customers, compliance reviewers, and security teams: reach out directly for our current SOC 2 status, our standard Data Processing Agreement, or to schedule a security review call.
Contact security team