Trust & Security
Built for the security-conscious property manager.
Varden powers payments, leasing, and tenant communications for landlords managing real homes and real money. Below is a candid view of our compliance posture, the controls we operate today, and the sub-processors who touch your data.
Compliance status
Where we are, what we are working toward, and the dates we are committing to.
SOC 2 Type II: In progress
- Auditor: TBD
- Target completion: Q4 2026
- Last reviewed: April 2026

ISO 27001: Planned
- Roadmap target: 2027
- Maps to: SOC 2 controls
- Status: Gap analysis pending

GDPR / CCPA: Active
- DPA: /dpa (download)
- Sub-processor list: See below
- Data residency: US (primary)

PCI DSS SAQ-A: Active
- Validation: SAQ-A v4.0
- CDE scope: None — Stripe Elements
- Re-attested: Annually

CIS Controls IG1: Active
- Standard: CIS v8.1 IG1
- Coverage: 51 / 56 sub-controls
- Self-attested: Annually
Controls we operate
Each control maps to one or more SOC 2 Common Criteria. Evidence is collected automatically wherever possible and reviewed by our security team.
Identity & Access
Single sign-on for staff, MFA enforced, role-based access scoped to least privilege.
Data encryption
AES-256 at rest, TLS 1.2+ in transit. Card data is tokenized through Stripe and never touches our servers.
Backup & DR
Automated Firestore backups with point-in-time recovery, multi-region storage, 4-hour RTO.
Audit logging
Application audit trails retained 1 year. Stripe + Firebase platform logs retained 90+ days.
Vendor management
All sub-processors reviewed before onboarding. Annual recertification.
Incident response
Documented runbook, on-call rotation, customer notification within 72 hours of confirmed breach.
Vulnerability management
Dependabot + automated SAST in CI. Quarterly third-party penetration tests once SOC 2 lands.
Change management
All production changes go through PR review and pass automated tests. Branch protection on every default branch.
Sub-processors
The third parties Varden relies on to operate the platform. Customers are notified 30 days in advance of any addition or material change.
| Vendor | Purpose | Data | Region |
|---|---|---|---|
| Firebase (Google Cloud) | Authentication, Firestore database, Cloud Storage, Cloud Functions | Account credentials, Lease and property records, Document storage | United States |
| Stripe | Payment processing, identity verification, payouts (Stripe Connect) | Card tokens, Bank accounts, Identity verification documents | United States |
| Vercel | Application hosting and edge delivery | Request logs (no payload PII), IP addresses (transient) | Global edge |
| Brevo | Transactional email and SMS delivery | Email address, Phone number, Message bodies | European Union |
| Plaid | Bank account verification for ACH payments | Bank account routing numbers (tokenized), Account holder name | United States |
| RentCast | Rent comparable and property pricing data | Property addresses (no tenant PII) | United States |
| OpenAI | Document analysis and drafting (Assistants API) | Document content (PII redacted before submission) | United States |
| Anthropic | AI features powered by Claude | Document content (PII redacted before submission) | United States |
| Sentry | Error monitoring and performance traces | Stack traces, Request metadata (PII scrubbed) | United States |
| Twilio | Voice calls (auto-dialer, voicemail) for support and dispatch | Phone number, Call recordings (when explicitly consented) | United States |
| Lob | Physical mail delivery and certified mail (legal notices, address verification) | Recipient name, Mailing address, Letter contents (legal notices) | United States |
| GrowthBook | Feature flag evaluation and A/B test assignment | User ID (hashed), Feature flag evaluation events, IP address (transient) | United States |
| PostHog | Product analytics, session replay, and behavioral event capture | User ID, Page views and click events, Device + browser metadata, IP address (truncated) | United States |
| Google Gemini (Google Cloud) | Lease and document extraction, structured field parsing | Lease document content (PII redacted before submission), Document metadata | United States |
| ElevenLabs | Voice AI synthesis and speech generation for tenant support | Text inputs for synthesis (no tenant PII), Generated audio output | United States |
| Mapbox | Property geocoding, mapping tiles, and location visualizations | Property addresses, Latitude/longitude, IP address (transient) | United States |
| Cloudflare | Bot management, DDoS mitigation, WAF, and edge CDN | IP address, Request headers and metadata, TLS handshake data | Global edge |
Live status & uptime
We publish a real status page — check it before you sign with us. Incidents, degraded performance, and scheduled maintenance are reported there in real time.
status.vardenhomes.com
Note: the status page is being migrated to OpenStatus. Until then it may show a placeholder.
Incident response
Confirmed incidents trigger a runbook with on-call paging. Affected customers are notified within 72 hours, with regulatory notifications filed where required. We publish a post-mortem for any user-impacting incident lasting longer than 30 minutes.
Need our DPA, policy pack, or audit reports?
Email security@vardenhomes.com and we will respond within one business day. Or request a document directly through our resources page.
Last updated 2026-04-25.