1.Overview
ModMage is a multi-tenant property-management platform that holds some of the most sensitive information a business and its residents generate: rent payments and payout details, signed leases, resident and applicant records, maintenance histories, and the day-to-day communications between owners, managers, and tenants. Protecting that information is not a feature we add on top — it is foundational to how the product is designed, built, and operated.
Our security program is built around defense in depth and the principle of least privilege. We combine strong encryption, hardened cloud infrastructure, strict access controls, continuous monitoring, and a mature software-development lifecycle so that no single control is a single point of failure. This page describes the technical and organizational measures we use across the ModMage web app, the ModMage iOS app, and the Android app.
Security is a living program, not a checkbox. We continually review and improve these controls, and we may update this page as our practices evolve. For how we handle personal data, see our Privacy Policy; for our contractual data-protection commitments, see the Data Processing Addendum.
2.Compliance and certifications
ModMage maintains a SOC 2 Type II attestation, independently audited by a qualified third-party assessor against the Trust Services Criteria for security, availability, and confidentiality. A Type II report evaluates not just whether our controls are designed correctly but whether they operated effectively over an extended observation period.
- Our current SOC 2 Type II report is available to Enterprise customers and qualified prospects under a mutual non-disclosure agreement. Contact security@modmage.io or your account team to request it.
- We align our practices with widely recognized industry frameworks, including the principles behind ISO/IEC 27001 and the CIS Critical Security Controls, and we map our controls to these frameworks as part of our internal governance.
- For customers subject to GDPR, UK GDPR, or US state privacy laws, our Data Processing Addendum sets out our role as a processor, our sub-processor commitments, and the technical and organizational measures we apply to personal data.
Compliance scope and report availability may change over time. The authoritative description of any given report’s coverage is the report itself, which we provide on request.
3.Encryption
We encrypt customer data both while it moves across networks and while it sits at rest in our systems.
- In transit: all connections to ModMage — from browsers, the mobile apps, and our public APIs — are encrypted using TLS 1.2 or higher with modern cipher suites. We enforce HTTPS, use HSTS to prevent protocol downgrade, and redirect insecure requests.
- At rest: data stored in our databases, object storage, and backups is encrypted using AES-256. Encryption keys are managed through our cloud provider’s key-management service with controlled access and regular rotation.
- Sensitive secrets and credentials are stored in a dedicated secrets manager rather than in source code or configuration files, and are never written to application logs.
4.Infrastructure
ModMage runs on the infrastructure of a leading public cloud provider whose data centers carry their own independent security certifications and physical-security controls. We do not operate our own data centers.
- Logical multi-tenant isolation: ModMage is a multi-tenant service, and each workspace’s data is logically segregated so that one customer can never access another customer’s records. Tenant scoping is enforced consistently at the application and data layers and is covered by automated tests.
- Network segmentation: production systems are isolated in private networks with tightly scoped security groups and firewall rules. Databases and internal services are not reachable from the public internet, and administrative access is restricted to controlled paths.
- Hardened configurations: we build on hardened base images, disable unnecessary services and ports, and manage infrastructure as code so that configurations are reviewed, versioned, and reproducible. Production and non-production environments are kept separate.
5.Access control
Access to systems and data follows the principle of least privilege: people and services receive only the access they need to do their jobs, and nothing more.
- Role-based permissions: within ModMage, customer administrators assign roles that determine what each user can see and do, so property managers, owners, staff, and residents each get an appropriate level of access.
- SSO and provisioning: Enterprise customers can enable single sign-on via SAML and automate user lifecycle management with SCIM, so accounts are created, updated, and deactivated in step with the customer’s identity provider.
- Multi-factor authentication: we support MFA for account access and strongly recommend that every user enable it. Internal access to ModMage systems requires MFA.
- Just-in-time administrative access: ModMage personnel do not hold standing access to production. Elevated access is granted just in time, scoped to a task, time-limited, and logged, and is revoked promptly when no longer needed. Access rights are reviewed periodically.
6.Application security
Security is built into how we write and ship software, not bolted on afterward.
- Secure SDLC: our development lifecycle incorporates threat modeling for significant features, secure coding standards, and security review as a normal part of building and releasing changes.
- Mandatory code review: every change to production code is reviewed by at least one other engineer before it is merged, and automated checks run on every pull request.
- Automated scanning: we continuously scan our dependencies and container images for known vulnerabilities and use static analysis to catch common classes of security defects early. High-severity findings are tracked and remediated on defined timelines.
- Penetration testing: we engage qualified independent firms to perform regular third-party penetration tests of the application and infrastructure, and we remediate findings according to their severity. A summary of results is available to Enterprise customers under NDA.
For the rules that govern how the platform may be used, see our Acceptable Use Policy.
7.Payments security
ModMage supports online rent collection and payouts, which means we take the handling of financial data seriously.
- Card and bank-account data is processed by established, PCI-DSS-compliant payment processors. Sensitive payment credentials are tokenized and handled by the processor’s secure systems.
- ModMage is designed to minimize its contact with raw card data: we do not store full card numbers on our systems, and payment information is collected directly through the processor’s secure components wherever possible.
- Bank and payout details used for transferring rent to owners are protected with the same encryption and access controls as the rest of the platform.
8.Monitoring and logging
We maintain broad visibility into what happens across our systems so we can detect and respond to problems quickly.
- Centralized logging: application, infrastructure, and security events are collected into centralized, access-controlled logging systems with defined retention periods. Logs are protected against tampering.
- Anomaly detection: automated rules and alerting flag unusual patterns — such as anomalous authentication activity, configuration changes, or error spikes — for investigation.
- 24/7 monitoring and alerting: our systems are monitored around the clock, with on-call engineers who are paged when alerts fire so that potential incidents are triaged without delay.
9.Resilience and backups
Property managers and residents rely on ModMage for time-sensitive tasks like collecting rent and dispatching maintenance, so we design for availability and durability.
- Uptime target: we target 99.99% availability for the core service, supported by redundant infrastructure and automated failover where appropriate.
- Encrypted backups: customer data is backed up on a regular schedule. Backups are encrypted, access-controlled, and periodically tested through restoration exercises so we know they actually work.
- Disaster recovery and business continuity: we maintain documented disaster-recovery and business-continuity plans with defined recovery objectives, and we review them on a recurring basis.
- Status transparency: current and historical service status, including incidents and maintenance windows, is published at status.modmage.io.
10.Incident response
Despite strong preventive controls, no system is immune to incidents, so we prepare for them. ModMage maintains a documented incident-response plan that defines roles, escalation paths, and the steps for detecting, containing, investigating, and recovering from security events.
In the event of a security incident affecting customer data, we will investigate promptly, take action to contain and remediate the issue, and notify affected customers and, where applicable, regulators in a manner consistent with applicable law and our contractual commitments, including those in the Data Processing Addendum. We also conduct post-incident reviews to identify root causes and strengthen our controls.
11.Responsible disclosure
We value the work of the security research community and welcome reports of potential vulnerabilities in ModMage. If you believe you have found a security issue, please email security@modmage.io with enough detail for us to reproduce and validate the finding.
- Good-faith safe harbor: we will not pursue legal action against researchers who act in good faith, comply with this policy, and give us a reasonable opportunity to remediate before any public disclosure.
- Protect privacy: please do not access, modify, or delete data that does not belong to you. If you encounter another user’s personal data during testing, stop and report it instead of continuing.
- Avoid disruption: do not run tests that could degrade or disrupt the service, such as denial-of-service attacks, spam, or automated scanning that generates excessive load against production.
We aim to acknowledge legitimate reports promptly and to keep you informed as we work toward a fix.
12.Your role
Security is a shared responsibility. ModMage secures the platform and the infrastructure it runs on, but how you configure and use your workspace matters just as much. To keep your account and your residents’ data safe, we recommend that you:
- Use strong, unique passwords and a password manager, and never reuse credentials across services.
- Enable multi-factor authentication for every user with access to your workspace.
- Manage user access carefully — assign the least-privileged role each person needs, review access regularly, and promptly remove users who no longer need it.
- Keep your devices, browsers, and mobile apps up to date, and report anything suspicious to your administrator and to us.
For details on the personal data we process and the choices you have, please review our Privacy Policy.
13.Contact
For security questions, to request our compliance reports under NDA, or to report a vulnerability, reach our security team:
ModMage, Inc. — Security Team
Security: security@modmage.io
ModMage, Inc.2261 Market Street, Suite 4242
San Francisco, CA 94114
United States