Your money and data, protected by design.
Pilot is a newer platform — and we know that trusting a young company with rent, leases, and tenant records deserves real scrutiny. So this isn't a wall of badges. It's a plain account of how your money and data are actually protected, grounded in how the product is built. Where we're still early, we say so.
Your money never sits with us
- Rent is processed by Stripe and flows landlord-direct through Stripe Connect — Pilot never holds your rent balance.
- We never see or store card numbers. Payment details go straight to Stripe, a PCI-DSS Level 1 certified processor.
- Every Stripe webhook is signature-verified and processed exactly once (idempotent), so a payment can't be spoofed or double-applied.
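The verify-then-deduplicate flow described in the last item above, as an added example (not Pilot's code). It follows Stripe's documented `Stripe-Signature` scheme (`t=` timestamp plus `v1=` HMAC-SHA256 over `timestamp.payload`); the function names, the in-memory `seen_ids` set, and the sample secret and event are assumptions constructed for illustration.

```python
import hashlib
import hmac
import json
import time

TOLERANCE_SECONDS = 300  # replay window (assumed; 5 minutes is Stripe's library default)

def compute_mac(secret, timestamp, payload):
    # Stripe signs "<timestamp>.<raw body>" with HMAC-SHA256 under the endpoint secret.
    signed = f"{timestamp}.".encode() + payload
    return hmac.new(secret.encode(), signed, hashlib.sha256).hexdigest()

def verify_signature(payload, header, secret, now=None):
    """Validate a Stripe-Signature header of the form t=<unix ts>,v1=<hex mac>."""
    timestamp, candidates = None, []
    for item in header.split(","):
        key, _, value = item.strip().partition("=")
        if key == "t":
            timestamp = value
        elif key == "v1":
            candidates.append(value)
    if timestamp is None or not timestamp.isdecimal() or not candidates:
        return False
    now = time.time() if now is None else now
    if abs(now - int(timestamp)) > TOLERANCE_SECONDS:
        return False  # stale or future-dated delivery: treat as a replay
    expected = compute_mac(secret, timestamp, payload).encode()
    return any(hmac.compare_digest(expected, c.encode()) for c in candidates)

def handle_webhook(payload, header, secret, seen_ids, apply_payment, now=None):
    """Return 'rejected', 'duplicate' or 'applied' for one delivery."""
    if not verify_signature(payload, header, secret, now):
        return "rejected"  # verify over the raw bytes before parsing anything
    event = json.loads(payload)
    if event["id"] in seen_ids:
        return "duplicate"  # retried delivery: acknowledge, do not re-apply
    # In a real system this is a unique-key insert in the same transaction as
    # the ledger write; an in-memory set stands in for that here (assumption).
    seen_ids.add(event["id"])
    apply_payment(event)
    return "applied"

# Constructed sample input (not real Stripe data).
SAMPLE_SECRET = "whsec_constructed_example"
SAMPLE_PAYLOAD = b'{"id": "evt_constructed_1", "type": "payment_intent.succeeded"}'
SAMPLE_TS = 1700000000
SAMPLE_HEADER = f"t={SAMPLE_TS},v1={compute_mac(SAMPLE_SECRET, SAMPLE_TS, SAMPLE_PAYLOAD)}"
```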
Your data is fenced and encrypted
- Row-Level Security is enforced on every table — tenants and landlords can only ever read or write their own rows.
- Sensitive secrets (like two-factor seeds) are encrypted at rest with AES-256-GCM, and all traffic is encrypted in transit over TLS.
- The privileged service-role key is server-only and never reaches the browser. Rate limits fail closed in production — if the limiter is unavailable, requests are denied, not waved through.
Accounts are hard to break into
- Two-factor authentication (TOTP) is supported, and sensitive API actions are gated behind an MFA (AAL2) check plus a CSRF origin guard.
- Destructive actions like account deletion require explicit confirmation and step-up re-authentication.
- Every security-relevant event — logins, data exports, admin actions, payments — is written to an append-only audit log.
You stay in control of your data
- Export everything you've put into Pilot at any time — a complete, machine-readable copy, on demand.
- Delete your account and data whenever you want. No hostage-taking, no "call sales to cancel."
- No lock-in is a feature, not a footnote: because we're a newer platform, we make leaving as easy as joining.
Screening that's built to be fair
- Tenant screening runs an FCRA-aware adverse-action workflow: structured decline reasons and the required notice are generated and logged before any decline is finalized.
- Protected-class fields are blocked at both the application layer and the database layer, and Pilot never makes an automated approve/deny — a person always decides.
- Sensitive identifiers like SSNs are handled by the screening provider, not stored in Pilot.
What we don't claim — yet
Overstated security claims are exactly what should make you nervous about a vendor. So here's the honest edge of what we've built.
- SOC 2: We are not SOC 2 certified today. Our controls — row-level security, encryption, least-privilege access, and audit logging — follow SOC 2 practices, and the formal audit is on our roadmap. We won't claim a badge we haven't earned.
- Legal documents: Our policies are first drafts under counsel review, and we label them as drafts rather than pretend otherwise. You can read every one of them in the Legal Center.
- Track record: We're early, and you shouldn't have to take our word for it. So we make the decision low-risk: a free trial, one-click data export, and one-click deletion. Start with a single property — or pilot a handful of units — and leave the moment Pilot stops earning its place.
Found a security issue?
We welcome responsible disclosure and respond quickly. Email us and we'll take it from there.
Try it on a single property.
Start free, export your data anytime, and decide for yourself. Read the Legal Center for our full policies.