Replicost handles sensitive property data, valuation work product, and litigation-related artifacts. Here's how we protect it — and what we're still working on.
TLS 1.3 for all client traffic. Internal service-to-service traffic uses mTLS.
AES-256 on all stored data — production database, object storage, and backups.
Least-privilege roles for every employee. SSO support (SAML/OIDC) on Enterprise.
Every read, write, and admin action is logged and exportable. Workfile-relevant access trails are kept indefinitely.
Continuous dependency scanning, penetration tests at least annually, bug-bounty program for security researchers.
Point-in-time backups, geo-redundant. Documented recovery time and recovery point objectives.
Independent attestations take time. Here's where we are in the queue.
SOC 2 Type I attestation expected later this year, with Type II to follow after a full observation window. We are not yet SOC 2 certified. We will say so plainly until we are.
Targeted for the year following SOC 2 Type II. The two attestations share enough overlap that they're practical to sequence.
Security researchers, responsible disclosures, and customer security reviewers — please email security@replicost.com. We respond to all reports within two business days and operate a coordinated-disclosure program.
Enterprise prospects: ask us for the security questionnaire, sub-processor list, and DPA. We will not pretend to attestations we don't hold.