Security
Your deal files contain commercially sensitive data. We designed the infrastructure to minimize attack surface and give you visibility into how your data is handled.
Infrastructure controls
Encryption in transit and at rest
TLS 1.3 on all connections. Cloudflare Hyperdrive enforces TLS on the API → database path. Railway Postgres encrypts at rest using AES-256.
Cloudflare Workers runtime
API runs on Cloudflare Workers (isolate model). No persistent server processes. Every request gets a fresh isolate with no shared memory across tenants.
HttpOnly secure session cookies
Sessions are signed with HMAC, stored in HttpOnly, Secure, SameSite=Lax cookies. Tokens are never readable from JavaScript. Session records are database-backed for instant revocation.
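The cookie scheme described above, as an added illustration rather than the service's own code: a session id is issued, stored server-side, and sent in a cookie together with its HMAC; verification checks the MAC in constant time and then looks the id up, so deleting the stored row revokes the session even though the signature is still valid. The Map stands in for the Postgres table, and Node's node:crypto is used in place of the Web Crypto calls a Workers deployment would make; the cookie name and helper names are assumptions.

```typescript
// Added example, not the site's code: HMAC-signed session cookies with
// database-backed revocation. sessionStore stands in for the Postgres table.
import { createHmac, randomBytes, timingSafeEqual } from "node:crypto";

const COOKIE_NAME = "session"; // assumed cookie name

// Revocation store: session id -> owning user. Deleting a row revokes the
// session instantly, regardless of the cookie's still-valid signature.
const sessionStore = new Map<string, { userId: string }>();

function sign(sessionId: string, secret: string): string {
  return createHmac("sha256", secret).update(sessionId).digest("base64url");
}

// Create the server-side row and the Set-Cookie value carrying the signed token.
// HttpOnly keeps the token out of document.cookie, Secure restricts it to HTTPS,
// SameSite=Lax withholds it on cross-site POST requests.
export function createSession(
  userId: string,
  secret: string,
): { token: string; setCookie: string } {
  const sessionId = randomBytes(16).toString("base64url");
  sessionStore.set(sessionId, { userId });
  const token = `${sessionId}.${sign(sessionId, secret)}`;
  const setCookie = `${COOKIE_NAME}=${token}; HttpOnly; Secure; SameSite=Lax; Path=/`;
  return { token, setCookie };
}

// Pull the session token out of a request's Cookie header, if present.
export function tokenFromCookieHeader(cookieHeader: string | null): string | null {
  if (!cookieHeader) return null;
  for (const part of cookieHeader.split(";")) {
    const [name, ...rest] = part.trim().split("=");
    if (name === COOKIE_NAME) return rest.join("=");
  }
  return null;
}

// Verify a token: constant-time MAC comparison first, then the revocation
// lookup. Returns the user id, or null for a malformed, forged or revoked token.
export function verifySession(token: string | null, secret: string): string | null {
  if (!token) return null;
  const dot = token.lastIndexOf(".");
  if (dot <= 0) return null;
  const sessionId = token.slice(0, dot);
  const presented = new TextEncoder().encode(token.slice(dot + 1));
  const expected = new TextEncoder().encode(sign(sessionId, secret));
  if (presented.length !== expected.length || !timingSafeEqual(presented, expected)) {
    return null;
  }
  const row = sessionStore.get(sessionId);
  return row ? row.userId : null;
}

// Revocation is a row delete; the cookie itself needs no change.
export function revokeSession(token: string): void {
  const dot = token.lastIndexOf(".");
  if (dot > 0) sessionStore.delete(token.slice(0, dot));
}
```

The order inside verifySession matters: the MAC is checked before any database access, so unsigned or tampered tokens never reach the store, and the lookup afterwards is what makes revocation immediate rather than waiting for a signed token to expire.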
Bot defense
Cloudflare Turnstile on all auth and API intake forms. Rate limiting on authentication endpoints.
Audit logging
Sensitive actions (export, share, deletion, billing) are recorded in the audit log with IP address and user agent. Log retention: 90 days.
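How an audit log with these properties can be kept, as an added example and not the service's own code: only the four listed action types are accepted, the client address is taken from the edge-supplied CF-Connecting-IP header rather than a client-controllable one, and a prune step applies the 90-day retention window. The in-memory array stands in for the database table; the class, method names, deal ids and header values are constructed for illustration.

```typescript
// Added example, not the site's code: append-only audit log for the sensitive
// actions named on the page, with client IP, user agent and 90-day retention.
export const SENSITIVE_ACTIONS = ["export", "share", "deletion", "billing"] as const;
export type SensitiveAction = (typeof SENSITIVE_ACTIONS)[number];
export const RETENTION_DAYS = 90;
const DAY_MS = 24 * 60 * 60 * 1000;

export interface AuditEntry {
  at: Date;
  userId: string;
  action: SensitiveAction;
  dealId: string;
  ip: string;
  userAgent: string;
}

// Minimal view of a request's headers; both the Fetch Headers object and a
// plain stub satisfy it.
export type HeaderReader = { get(name: string): string | null };

export function isSensitiveAction(action: string): action is SensitiveAction {
  return (SENSITIVE_ACTIONS as readonly string[]).includes(action);
}

// Behind Cloudflare the true client address is in CF-Connecting-IP, which the
// edge sets. X-Forwarded-For is deliberately not consulted: a client can prepend
// arbitrary values to it.
export function clientIp(headers: HeaderReader): string {
  return headers.get("cf-connecting-ip") ?? "unknown";
}

export class AuditLog {
  private entries: AuditEntry[] = [];

  // Append one entry. Returns false (and records nothing) for an action that is
  // not on the sensitive list, so callers cannot log arbitrary strings.
  record(
    userId: string,
    action: string,
    dealId: string,
    headers: HeaderReader,
    now: Date = new Date(),
  ): boolean {
    if (!isSensitiveAction(action)) return false;
    this.entries.push({
      at: now,
      userId,
      action,
      dealId,
      ip: clientIp(headers),
      userAgent: headers.get("user-agent") ?? "unknown",
    });
    return true;
  }

  // Drop entries older than the retention window; returns how many were removed.
  // Run this on a schedule; `now` is a parameter so the cutoff is testable.
  prune(now: Date = new Date()): number {
    const cutoff = now.getTime() - RETENTION_DAYS * DAY_MS;
    const before = this.entries.length;
    this.entries = this.entries.filter((e) => e.at.getTime() >= cutoff);
    return before - this.entries.length;
  }

  forDeal(dealId: string): AuditEntry[] {
    return this.entries.filter((e) => e.dealId === dealId);
  }

  size(): number {
    return this.entries.length;
  }
}
```

Keeping the action vocabulary closed and the IP source fixed is what makes the log useful for incident review: every entry is one of a known set of events, and the address field reflects what the edge saw rather than what the client claimed.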
Access model
You own your deal data
Deal files are scoped to your account. They are not readable by other users or used to train external AI models without your consent.
AI memo generation is user-initiated
AI memo generation uses the engine outputs you already computed. It does not scrape the web, call third-party property data APIs without your knowledge, or share your deal data with AI providers beyond what is needed for a single request.
Share links are read-only and revocable
Share links give recipients read-only report access. They can be revoked instantly from the Share tab on any deal.
SOC 2 program status
Current controls documentation, policy summaries, and a pre-assessment security questionnaire are available on request for due diligence purposes.
Compliance posture
Every report ships with the canonical disclaimers below. Each profile (investor memo, committee memo, lender package, agency readiness, lease abstract) selects the subset that applies. The text is the single source of truth — PDF, web, and AI memo all inherit from the same constants in packages/reporting/src/disclaimers.ts.
See also our NIST AI RMF mapping for how Govern / Map / Measure / Manage are operationalized.
disclaimer-canonical
This report is provided for informational and analytical purposes only. It does not constitute an appraisal, valuation certification, credit decision, lending commitment, agency approval, legal advice, tax advice, or investment advice. The user is responsible for verifying all assumptions, data sources, and document support. AI Underwriting is not a lender, broker-dealer, fiduciary, or licensed appraiser.
disclaimer-lender
This lender-facing format is provided for organization and diligence support. It does not represent that any lender, agency, servicer, investor, or committee has reviewed, accepted, or approved the deal.
disclaimer-agency
Agency-readiness checks are modeled against public or user-selected criteria. They are not Fannie Mae, Freddie Mac, HUD, FHA, lender, or servicer determinations and do not guarantee eligibility, proceeds, commitment, endorsement, or approval.
disclaimer-lease
Lease summaries are provided for diligence support. The executed lease and amendments control.
disclaimer-ai-memo
AI-generated narrative is a draft and may not reflect all material facts. Numeric values are bound to engine outputs; narrative interpretation is not advice. Review before external sharing.
disclaimer-avm-non-claim
Property valuation estimates are not Automated Valuation Models under 12 CFR 1026.42(i). They are not intended for use by mortgage originators or secondary-market issuers in determining the collateral value of a consumer principal dwelling.
disclaimer-uspap-non-claim
This analysis is not a USPAP-compliant appraisal. It is an investment-analysis tool. Engage a state-licensed or certified appraiser for appraisal purposes.
disclaimer-data-provenance
Property data provided in part by ATTOM Data, public records, SEC EDGAR, FRED, U.S. Census Bureau, and HMDA. Sources are cited per data field in the source-map appendix.
Contact
Security disclosures, vulnerability reports, and enterprise security reviews: security@aiunderwriting.net
We acknowledge receipt of security reports within one business day and aim to provide a remediation timeline within five business days.