Security & trust

How we handle your tenant data.

The honest version. What we do, what we don't do, who we share it with, and what we'll never do under any circumstance. Designed to be sent to your legal counsel before you sign up — not after.

Encrypted in transit + at rest

Every page is TLS 1.2+ in transit. Database is encrypted at rest. Backups encrypted.

Per-operator data isolation

Every database lookup is scoped to your owner_id. Cross-operator queries are blocked at the SQL layer, not by application logic.

Audit log every action

Every agent action and every API call is logged with timestamp, operator, and the data accessed. Downloadable.

Data stays in the US

Hosted on Railway US-West. Backups in same region. We don't replicate to overseas datacenters.

What we commit to.

Encryption. TLS 1.2+ in transit. AES-256 at rest. Stripe handles all card data — we never see or store payment information.
Tenant-scoped data isolation. Every query in our system scopes by owner_id at the database layer. A bug in one tenant's session cannot leak data to another.
Audit logging. Every action by the agent or operator is logged with user, timestamp, action type, and affected records. Exportable as JSON anytime.
Breach notification within 72 hours. If we discover unauthorized access to your data, you'll get a written notice and a phone call within 72 hours, regardless of the GDPR or US state law that applies to your tenants.
Data export anytime. Pull a full JSON snapshot of your account from /me/export/all while you're a customer. Same endpoint works after you cancel, until you formally request deletion.
30-day deletion on cancellation. Cancel your account → we keep your data 30 days for accidental-cancellation recovery → after 30 days it's purged from primary DB. Backups age out at 90 days.
Tenant inbox confidentiality. Tenant emails are processed for the agent's reply only. They are not used as training data, not aggregated across operators, not shared with vendors.

What we will never do.

Sell or share your data with marketers. Ever. Your tenant list is yours. We do not have a partnership with a "marketing data broker" — this is not a recurring revenue stream we have or will ever build.
Train AI models on your tenant data. Anthropic's commercial API (which powers the agent) does not train on customer data by default. We confirm this in writing in our DPA. We do not run a separate "fine-tune Summit's model on customer data" pipeline.
Cross-operator data leakage. The agent cannot see another operator's data, ever. This is enforced at the SQL layer, not application logic. Even the agent's tool calls require an owner_id parameter — calls without it return empty.
Surprise data retention. 30 days from cancellation, your data is gone. We won't keep a "shadow copy for support purposes" or "analytics archive."
Mandatory enterprise-tier-only security features. Audit logs, data export, breach notification, encryption — every tier gets these. Security is not a Pro/Enterprise feature.

Subprocessors

These are the third-party services that process some part of your tenant data on Summit's behalf. Each has been chosen for their security posture and DPA terms.

Subprocessor

Purpose

Location

Railway

Application hosting, Postgres database, backups

US-West

Anthropic

Claude API for agent reasoning and reply drafting

Stripe

Subscription billing, Connect for tenant rent collection

SendGrid (Twilio)

Inbound email parser, outbound transactional email

Twilio

SMS (only when SMS scope is enabled by the operator)

Cloudflare

DNS, DDoS protection, CDN for static assets

Global edge

A change to this list is a material change to our DPA. We'll email every active customer at least 30 days before a new subprocessor goes into production.

Certifications & scope.

SOC 2 audit is on the 2026 roadmap. Until then, the controls above are real and auditable — Anthropic-grade infrastructure, encryption at rest, AES-256 for tokens, ARN-scoped IAM, and a publicly-posted DPA. If your procurement team requires SOC 2 certification today, email us and we'll align with your timeline.

Summit is built for residential and small-commercial property management — not for protected health information. We're not HIPAA-aligned and don't plan to be; tenant data isn't health data.

The Data Processing Agreement is publicly posted and operator-drafted. Operators who run it past their own counsel can record the attestation in their dashboard — once recorded, a "Counsel-reviewed by ___" badge appears so enterprise prospects can verify.

Have a question for legal counsel?

Send us the question and your counsel's contact info — we reply within the same business day, in writing, and we don't pretend we know things we don't.

Email security@summit