Compliance

SOC 2 Type II, penetration testing, and privacy regulations.

Updated December 2025

Our Approach

Compliance isn't something we bolted on after the fact. From day one, we designed Lev knowing that commercial real estate professionals handle sensitive financial data, proprietary deal information, and confidential lender relationships. The stakes are too high for anything less than rigorous, independently verified security.

That's why we chose to pursue SOC 2 Type II rather than Type I. A Type I report only shows that controls existed at a single point in time; a Type II report shows they operated effectively over a months-long observation period. It's the difference between saying you have a security policy and proving you actually follow it.

We also test quarterly, not annually. Most companies run a penetration test once a year to satisfy a compliance requirement. We run one every quarter because the threat landscape changes constantly, and your deal data deserves protection that keeps pace.

SOC 2 Type II: Certified

SOC 2 is the most widely recognized way for a SaaS company to demonstrate rigorous security practices. Developed by the American Institute of CPAs (AICPA), it is organized around five Trust Service Criteria: security, availability, processing integrity, confidentiality, and privacy. Security is required in every SOC 2 report; the other four are included according to the service the company provides and the commitments it makes to customers.

There's an important distinction most people miss: Type I vs. Type II. A Type I audit is a snapshot; it verifies that controls were designed and in place at a specific moment. Type II is far more rigorous: an independent auditor examines our systems over an observation period (typically 6-12 months) and verifies that security controls don't just exist on paper but were consistently followed in practice throughout that period.

When you see that we're SOC 2 Type II certified (strictly speaking, SOC 2 produces an attestation report issued by a licensed CPA firm rather than a certificate), it means that auditor has verified, month after month, that our security practices actually operate as described. It's the difference between claiming you lock your doors and proving you've locked them every single night.

Trust Service Criteria

Our SOC 2 report covers three of the five Trust Service Criteria, the ones most relevant to protecting your deal data. The controls examined fall into the following categories:

Control Categories

- Access controls & identity management
- Data encryption at rest & in transit
- Business continuity planning
- Incident response procedures
- Change management processes
- Vendor risk management

Penetration Testing: Quarterly

Penetration testing is essentially hiring professional hackers to try to break into your systems before the bad actors do. Most companies do this annually—check a box, file the report, move on for another year. We think that's dangerously inadequate.

We test quarterly. Every three months, an independent security firm attempts to compromise our infrastructure, applications, and APIs using the same techniques real attackers would use. When they find vulnerabilities—and good testers always find something—we fix them immediately, not eleven months later.

The cybersecurity landscape changes constantly. New vulnerabilities are disclosed weekly, and every code deployment can introduce new ones. Annual testing means your security posture is verified once and can then drift unverified for the other eleven months. Quarterly testing means we catch issues while they're fresh and remediate them before an attacker has a chance to find them.

Testing Details

Vendor: Penti (Certypie Inc)
Frequency: Quarterly, plus continuous scanning
Methodology: OWASP testing methodology (web applications), PTES (infrastructure)
Scope: Production, staging, and QA environments

Testing Scope

- External network infrastructure
- Web applications (OWASP methodology)
- API endpoints
- Authentication systems

Latest Results

pentest-results.sh

    $ penti scan --env production --quarter Q2-2025
    Scan complete. No critical vulnerabilities found.
    0 critical, 0 high

    $ penti list --verified
    ✓ XSS  ✓ SQLi  ✓ IDOR  ✓ SSRF  ✓ SSTI  ✓ XXE  ✓ LFI  ✓ Redirect  ✓ DepConf  ✓ Crypto

Vectors Tested

✓ XSS: Cross-site scripting vulnerabilities
✓ SQLi: SQL injection attacks
✓ IDOR: Insecure direct object references
✓ SSRF: Server-side request forgery
✓ SSTI: Server-side template injection
✓ XXE: XML external entity processing
✓ LFI: Local file inclusion
✓ Redirect: Open redirect vulnerabilities
✓ DepConf: Dependency confusion attacks
✓ Crypto: Cryptographic implementation flaws

Remediation Timeline

Finding vulnerabilities is the point; it means the testing is working. What matters is what happens next. Every finding is triaged immediately based on severity:

Privacy Regulations

Privacy regulations exist because people deserve control over their personal data. We built Lev with this principle at its core—not because regulators required it, but because we believe it's the right way to handle sensitive information.

Our platform processes deal data, lender communications, and professional relationships. This is information you've spent years cultivating, and it should remain under your control. Privacy compliance isn't just about checking regulatory boxes—it's about honoring the trust you place in us.
