Compliance

When you're managing billions in commercial real estate transactions, "we take security seriously" isn't enough. You need proof. That's why we've built a compliance program designed to be verified, audited, and tested continuously—not just documented.


Our Approach

Compliance isn't something we bolted on after the fact. From day one, we designed Lev with the understanding that commercial real estate professionals handle sensitive financial data, proprietary deal information, and confidential lender relationships. The stakes are too high for anything less than rigorous, independently verified security.

That's why we chose to pursue SOC 2 Type II certification—not the easier Type I that only proves controls exist at a single point in time, but Type II, which proves they work consistently over months of operation. It's the difference between saying you have a security policy and proving you actually follow it.

We also test quarterly, not annually. Most companies run penetration tests once a year to check a compliance box. We run them every quarter because the threat landscape changes constantly, and your deal data deserves protection that keeps pace.

Key figures: pentests per year; 12+ months of audit coverage; 24/7 monitoring.

SOC 2 Type II (Certified)

SOC 2 is the gold standard for demonstrating that a SaaS company has rigorous security practices. Developed by the American Institute of CPAs, it requires companies to prove they've implemented specific controls across security, availability, processing integrity, confidentiality, and privacy.

But there's an important distinction most people miss: Type I vs. Type II. A Type I audit is a snapshot—it verifies that controls exist at a specific moment. Type II is far more rigorous. An independent auditor examines our systems over a 6-12 month period, verifying that security controls don't just exist on paper, but are consistently followed in practice.

When you see that we're SOC 2 Type II certified, it means a CPA firm has verified that month after month, our security practices actually work. It's the difference between claiming you lock your doors and proving you've locked them every single night.

Overview

audit_type: Type II (Operating Effectiveness)
frequency: Annual
auditor: Independent third-party CPA firm
standard: AICPA Trust Services Criteria

trust_service_criteria

Our SOC 2 report covers three of the five Trust Service Criteria—the ones most relevant to protecting your deal data:

security
Protection against unauthorized access. This includes everything from network firewalls to employee background checks—ensuring only authorized people and systems can access your data.
availability
The system is available when you need it. When you're closing a deal, downtime isn't an option. Our infrastructure is designed for resilience with redundancy at every layer.
confidentiality
Your sensitive data stays confidential. Deal terms, lender relationships, and financial details are protected through encryption, access controls, and strict data handling procedures.

control_categories

During the audit period, the auditor examines evidence that these controls are being followed consistently:

Access controls & identity management
Data encryption at rest & in transit
Business continuity planning
Incident response procedures
Change management processes
Vendor risk management

Penetration Testing (Quarterly)

Penetration testing is essentially hiring professional hackers to try to break into your systems before the bad actors do. Most companies do this annually—check a box, file the report, move on for another year. We think that's dangerously inadequate.

We test quarterly. Every three months, an independent security firm attempts to compromise our infrastructure, applications, and APIs using the same techniques real attackers would use. When they find vulnerabilities—and good testers always find something—we fix them immediately, not eleven months later.

The cybersecurity landscape changes constantly. New vulnerabilities are discovered weekly. Annual testing means your security posture is only verified once, then potentially drifts for months. Quarterly testing means we catch issues while they're fresh and remediate before they become exploitable problems.

testing_scope

Our testers don't just run automated scans. They perform comprehensive manual testing using established methodologies (OWASP for web apps, PTES for infrastructure) that mirror how sophisticated attackers actually operate.

External network infrastructure
Web applications
API endpoints
Authentication systems

remediation_timeline

Finding vulnerabilities is the point—it means the testing is working. What matters is what happens next. Every finding is triaged immediately based on severity:

critical
Addressed within 24-48h. All hands on deck until resolved.
high
Remediated within 7 days. Root cause analysis completed.
medium
Scheduled for next sprint. Tracked until closed.
low
Added to backlog. Addressed during regular maintenance.

Privacy Compliance

Privacy regulations exist because people deserve control over their personal data. We built Lev with this principle at its core—not because regulators required it, but because we believe it's the right way to handle sensitive information.

Our platform processes deal data, lender communications, and professional relationships. This is information you've spent years cultivating, and it should remain under your control. Privacy compliance isn't just about checking regulatory boxes—it's about honoring the trust you place in us.

CCPA (Compliant): California Consumer Privacy Act

CCPA gives California residents specific rights over their personal data—rights we extend to all our users regardless of where they're located. These aren't just legal requirements; they're commitments about how we believe data should be handled.

your_rights

access
Know what we collect. You can request a copy of all personal information we've collected about you and how it's been used.
deletion
Request deletion. If you want your personal information removed from our systems, you can request deletion and we'll comply.
opt_out
Control data sharing. We don't sell personal information, but you have the right to opt-out of any sharing regardless.
equal_service
No penalty for privacy. Exercising your privacy rights will never affect the quality of service you receive.

privacy_philosophy

We believe privacy and functionality aren't at odds. You can have a powerful deal management platform that processes your communications intelligently—without sacrificing control over your data. That's why we built Lev with no human access to your email data, strict isolation between client accounts, and transparent data practices. Your data belongs to you, period.