Security is a top priority for us. Learn about the measures we take to protect your data.
Our founding team has 10+ years of experience building secure web applications for local, state and federal agencies, as well as over a decade of experience building consumer-grade services for millions of end users.
Each transaction that is facilitated on RealCrowd involves large sums of money. Both investors and real estate sponsors on our platform depend on us to keep their sensitive information safe. We take that responsibility seriously and provide bank-grade security. (Warning: This does get technical.)
The RealCrowd Platform is built with a focus on security, availability, and scalability. We utilize a number of products and cloud-based services to ensure your data is secure and readily available at all times. See the diagram below for an overview of our system architecture.
Your connection to RealCrowd is always encrypted with Transport Layer Security (TLS) or Secure Sockets Layer (SSL), depending on your web browser’s capabilities. We also employ an Extended Validation Certificate so that you can trust you are genuinely connected to RealCrowd, Inc. Look for the green bar in your web browser.
All network communication between our systems is TLS encrypted, even within the same local network. Connections to our databases, distributed cache, data stores, queues, and all other internal services are encrypted.
Sensitive data is also encrypted when it is stored on disk. We follow best practices taken from the credit card processing industry, including:
RealCrowd applications and data are physically located in multiple secure data centers. We utilize Windows Azure and Amazon Web Services for our hosting. Both environments are compliant with numerous security certifications, including SOC 1/SSAE 16/ISAE 3402 (formerly SAS70).
Full details can be found on their respective compliance websites:
You may have noticed it takes a few seconds to log in to your RealCrowd account. This is intentional and reflects the underlying security measures we take to protect your password.
Account passwords are hashed using the PBKDF2 algorithm with a 256-bit salt, 256-bit key length, and at least 10,000 iterations. Our security system enables us to update password hashing algorithms on a per-user basis over time. This allows us to continually upgrade the security of individual passwords as processing speeds increase. When checking whether your password is valid, we use a constant-time algorithm to eliminate potential timing attacks.
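The scheme described above, sketched as an added example (not RealCrowd's own code): each stored record carries its own parameters, verification compares in constant time, and a successful login under weaker parameters yields a re-hash under the current policy. The HMAC-SHA256 PRF, the `$`-separated record layout and all function names are assumptions of this example.

```python
import hashlib
import hmac
import secrets

# Salt size, key length and minimum iteration count are the page's figures.
# The PRF (HMAC-SHA256) and the record layout are assumptions of this example.
CURRENT = {"prf": "sha256", "iterations": 10_000, "salt_len": 32, "dk_len": 32}
ALLOWED_PRFS = {"sha256", "sha512"}


def hash_password(password: str, policy: dict = CURRENT) -> str:
    """Return a self-describing record: pbkdf2$prf$iterations$salt$hash."""
    salt = secrets.token_bytes(policy["salt_len"])
    dk = hashlib.pbkdf2_hmac(policy["prf"], password.encode(), salt,
                             policy["iterations"], policy["dk_len"])
    return "$".join(["pbkdf2", policy["prf"], str(policy["iterations"]),
                     salt.hex(), dk.hex()])


def verify_password(password: str, record: str, policy: dict = CURRENT):
    """Return (ok, new_record); new_record is a re-hash under the current
    policy when the stored parameters are weaker, otherwise None."""
    try:
        scheme, prf, iters, salt_hex, dk_hex = record.split("$")
        if scheme != "pbkdf2" or prf not in ALLOWED_PRFS:
            return False, None
        iterations = int(iters)
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(dk_hex)
        actual = hashlib.pbkdf2_hmac(prf, password.encode(), salt,
                                     iterations, len(expected))
    except (ValueError, OverflowError):
        return False, None  # malformed record: reject, never raise
    # compare_digest takes the same time wherever the first mismatch is.
    if not hmac.compare_digest(actual, expected):
        return False, None
    outdated = (prf != policy["prf"] or iterations < policy["iterations"]
                or len(salt) < policy["salt_len"]
                or len(expected) < policy["dk_len"])
    return True, (hash_password(password, policy) if outdated else None)


if __name__ == "__main__":
    # Constructed sample: a record created under an older, weaker policy.
    legacy = {"prf": "sha256", "iterations": 1_000, "salt_len": 16, "dk_len": 32}
    stored = hash_password("correct horse battery", legacy)
    ok, upgraded = verify_password("correct horse battery", stored)
    print(ok, upgraded is not None)
    print(verify_password("wrong guess", stored))
```

The upgrade can only happen at login, because that is the one moment the server holds the plaintext password; the caller writes `new_record` back to the user's row when it is not `None`.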
Documents in the portfolio are often tax or other legal documents and contain sensitive information. In addition, sensitive information can be entered into the site by a sponsor or investor. This data is stored and encrypted in the data store described under the “Encryption” section.
Our application also integrates with HelloSign in order to provide eSignature capabilities in a legally binding, compliant and secure manner. You can read more on their security page.
All data is stored with at least triple redundancy. In order to provide maximum availability, it is replicated not only across multiple physical servers, but across multiple power circuits and at least one geographically separate data center.
Offsite backups are performed once every 24 hours to a secure location. Data restoration is tested on a regular basis in our QA environment, which is a replica of the production environment.