Security & Compliance

Last updated: May 28, 2026

Your data is the lifeblood of your business. We treat it like ours — because we run our own $858M COP receivables portfolio on the same platform. Here's exactly how we protect it.

Certifications & standards

🔒

PCI DSS SAQ-A via Stripe Live

🌐

GDPR EU compliant Live

🇺🇸

CCPA California compliant Live

🛡

SOC 2 Type II Q4 2026 target In progress

✅

ESIGN / UETA E-signatures Live

🧮

Microsoft AI Cloud Partner ISV Success Enrolled

Infrastructure

RentingOS runs on Microsoft Azure (East US 2 region) with the following defense-in-depth controls:

Azure App Service with managed TLS 1.3, auto-patching, DDoS protection
Azure Database for PostgreSQL Flexible Server with high-availability replicas, automated daily backups, 30-day point-in-time restore
Azure Blob Storage for file uploads with geo-redundant replication
Azure Key Vault for secrets management (no plaintext credentials in code or environment)
Azure Front Door / CDN for global edge caching + WAF protection

Encryption

In transit

TLS 1.3 enforced on all endpoints (TLS 1.2+ minimum)
HSTS preload for app.rentingos.com and api.rentingos.com
Strict CSP headers, X-Frame-Options, X-Content-Type-Options

At rest

AES-256 encryption for database storage (Azure-managed keys)
Customer file uploads encrypted at rest in Blob Storage
Backup snapshots encrypted with separate KMS keys

Payments & PCI compliance

RentingOS never stores or processes raw credit card numbers. All payment data is tokenized by Stripe before reaching our servers (PCI DSS SAQ-A scope). What this means:

Card numbers, CVVs, full track data — never touch our infrastructure
We see only the last 4 digits, brand, and expiry (for receipts)
Stripe is Level 1 PCI DSS certified (highest tier)
Compliance posture: stripe.com/security

Access control

Multi-tenant isolation — every query is scoped by tenant_id at the ORM layer; tested via automated tests on every deploy
Role-based access control (RBAC) — OWNER, ADMIN, MEMBER, VIEWER per workspace
Microsoft Entra ID SSO — available for Professional + Enterprise (OAuth 2.0 / OIDC)
2FA — TOTP-based, optional on Starter, enforced on Enterprise
Audit log — every create/update/delete recorded with actor + timestamp + IP, retained 12 months
Session expiry — 30 days idle, 90 days hard limit

Application security

Dependency scanning on every commit (Dependabot + Snyk)
Static analysis (CodeQL) gating merge to main
SQL injection protection via parameterized queries (Prisma ORM)
CSRF tokens on all state-changing endpoints
Rate limiting on auth + API endpoints (100 req/min/IP default)
Webhook signatures verified for all incoming Stripe events

Backups & disaster recovery

Database: automated daily snapshots, 30-day retention, 35-day PITR
Files: geo-redundant replication (East US 2 ↔ West US 2)
RTO target: 4 hours
RPO target: 1 hour
Quarterly DR drill with restore-from-backup verification

Data retention & deletion

Active customer data: retained while subscription is active
Cancelled accounts: 30-day grace period for export, then permanent deletion
Financial records: retained 7 years per US tax requirements (read-only after cancellation)
Backups: rotated out within 35 days of source deletion
Self-service export: GDPR Article 20 portability via account settings

Incident response

If a security incident affects your data, we commit to:

Initial notification within 72 hours of confirmed breach (GDPR Article 33 standard)
Direct email to account owner + status page update at status.rentingos.com
Post-incident report within 14 days describing root cause, impact, remediation
Regulatory notifications as required (DPAs, state AGs, CCPA, etc.)

Responsible disclosure

Found a vulnerability? We want to know. Email security@rentingos.com with:

Steps to reproduce
Affected endpoint or feature
Your contact info for follow-up

We commit to: acknowledge within 48h, triage within 5 business days, patch critical issues within 14 days. We don't run a paid bounty yet (we're early-stage) but we'll publicly credit researchers and ship swag.

Sub-processors

We use the following vetted third parties to deliver the Service:

Microsoft Azure — hosting, compute, storage, database
Stripe, Inc. — payments, billing, tax
Brevo (Sendinblue) — transactional email
Anthropic, PBC — Claude AI Copilot
Plaid, Inc. — bank account verification (US customers, optional)
Intuit (QuickBooks Online) — accounting sync (when enabled by customer)

Full list with regions and DPA links: request from legal@rentingos.com.

Contact

Security questions: security@rentingos.com
Privacy / DPO: privacy@rentingos.com
Legal: legal@rentingos.com