HappyCo, a proptech firm that focuses on multifamily operations, announced that it recently completed an SOC 2 type II certification by a third-party auditor. The certification indicates successful implementation of controls to ensure greater protection of customer data.
This is an example of something that should be practiced more widely in CRE.
As Microsoft explains, "System and Organization Controls (SOC) for Service Organizations are internal control reports created by the American Institute of Certified Public Accountants (AICPA). They're intended to examine services provided by a service organization so that end users can assess and address the risk associated with an outsourced service."
This is specifically a rating for service providers who will be handling sensitive data for their clients. An SOC 2 type I certification means that the provider was checked at a single point of time. A type II means that compliance has to be measured and demonstrated over a period of months and is considered the stronger form as it shows the ability to sustain proper efforts.
Not that a certification means that a provider is immune to having data stolen or from mishandling it. However, the effort to maintain the required types of processes is significant and means a compliant company is far more likely to keep things safe than if it hadn't put the effort in.
Any company that achieves this level of compliance will be able to send a copy of its SOC 2 report to anyone considering using them as a vendor.
Security is becoming an increasing topic of interest in CRE. The National Multifamily Housing Council (NMHC) has said that it wants a federal privacy standard. That would set an outside standard that might likely have a safe harbor provision that a CRE firm meeting specific requirements would be immune from certain types of lawsuits in case of a breach.
Fannie Mae just launched its single-family disclosures that "are designed to respond to investor feedback and aim to provide single-family MBS investors with insights into socially oriented lending activities while helping to preserve the confidentiality of mortgage consumers' personal information."
An SOC 2 compliance rating would be something that a CRE firm might seek in a service provider that would be handling its sensitive data. In turn, that could provide a greater level of assurance to consumers and companies renting space from the provider,
© 2025 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to asset-and-logo-licensing@alm.com. For more information visit Asset & Logo Licensing.
