// Trust & Security Report
CoreLogic, Inc. (operating as Cotality since March 2025)
Real estate property data, analytics, AI, and SaaS for real estate professionals, insurance, mortgage, and government. Key products: Matrix (MLS platform), OneHome (buyer portal), DASH/MICA/SettleAssist (insurance/restoration), Trestle (data marketplace), CoreAI (AI analytics), RiskMeter, and Hazard HQ Command Central.
Certifications held
4
Maturity
Enterprise
Trains on your data
Unknown
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on nextgearsolutions.com“CoreLogic/Next Gear Solutions officially earned SOC 2 Type II certification on November 17, 2022, for its three SaaS-based offerings: DASH, MICA, and SettleAssist. Audited by Grant Thornton (AICPA-authorized). Annual renewal required. IMPORTANT SCOPE LIMIT: this certification covers only the Next Gear Solutions subsidiary products. No public evidence of SOC 2 coverage for the core Cotality platform (Matrix, Trestle, CoreAI, etc.).”
Verify on cotality.com“CoreLogic, Inc. and our U.S. entities and subsidiaries Symbility Solutions Corp., Next Gear Solutions, LLC, and CoreLogic Solutions, LLC have certified our participation in the EU-U.S. Data Privacy Framework, the UK extension to the EU-U.S. Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework with the U.S. Department of Commerce.”
Verify on cotality.com“CoreLogic, Inc. and our U.S. entities and subsidiaries ... have certified our participation in ... the UK extension to the EU-U.S. Data Privacy Framework.”
Verify on cotality.com“CoreLogic, Inc. and our U.S. entities and subsidiaries ... have certified our participation in ... the Swiss-U.S. Data Privacy Framework with the U.S. Department of Commerce.”
> Show 9 unconfirmed / not-held certifications
source: cotality.comNo public evidence of ISO 27001 certification found on any Cotality or CoreLogic domain, trust center, or third-party certification registry.
source: cotality.comNo formal GDPR certification exists as a recognized standard. CoreLogic handles EU-EEA personal data transfers via the EU-US Data Privacy Framework (certified). The DPF policy references GDPR compliance obligations. No adequacy decision or BCR documented publicly.
source: cotality.comNo public evidence of HIPAA compliance documentation, Business Associate Agreement template, or HIPAA attestation found on the Cotality or CoreLogic domains. Law Insider references suggest CoreLogic contracts reference HIPAA Rules in client agreements, but no formal compliance page or attestation was found.
source: cotality.comNo public evidence of PCI DSS certification or compliance documentation found on the Cotality or CoreLogic domains.
source: cotality.comNo public evidence of FedRAMP authorization found. Cotality serves government clients but no FedRAMP listing or documentation was identified.
source: cotality.comNo public evidence found. Cotality operates CoreAI for property analytics but no AI governance certification was identified.
// Privacy & AI training
Trains on customer data
Not stated
Data processing agreement
Not offered
Data region
United States, Canada, United Kingdom, Australia, New Zealand (per privacy policy: 'generally stored and processed in the United States or Canada' but 'may be stored and processed in and transferred between any of the countries in which we operate')
CoreAI intelligence uses Cotality's own proprietary property databases (98%+ property coverage, 1M+ data points refreshed monthly, 30 years of historical data). No explicit policy language found regarding training AI models on customer-submitted data. The terms of use grant Cotality a broad royalty-free, perpetual license to use submitted content but do not specifically address AI model training. Posture is unclear and warrants direct vendor clarification.
// Security controls
Encryption in transit
TLS with SHA-256; no insecure SSL/TLS versions available (per UpGuard external scan)
upguard.comEmail security
DMARC and SPF configured with strict filtering (per UpGuard external scan)
upguard.comCookie security
Secure cookies and HttpOnly cookies implemented; server headers do not expose version information
upguard.comResponsible disclosure program
Formal vulnerability submission program at cotality.com/legal/responsible-disclosure-policy
cotality.comKnown gaps (external scan)
HSTS not enforced; DNSSEC disabled; HTTP port exposed to internet
upguard.comPast security incident
February 2019: RiskMeter database breach - client credentials and property data accessed by unauthorized party and moved to external server. Lawsuit filed; no evidence of public data leak reported.
appraisersblogs.com// Products & data scope
data: MLS property listing data, agent and buyer account data
#1 MLS platform in North America. No explicit SOC 2 documentation found for this product.
data: Buyer preferences, search history, agent-client communications
Integrated with Matrix. No explicit SOC 2 documentation found.
data: Insurance claim data, property damage documentation, contractor data
SOC 2 Type II certified (Nov 2022, Grant Thornton). Annual audits required.
data: Insurance claim details, policyholder data, property data
SOC 2 Type II certified (Nov 2022, Grant Thornton). Annual audits required.
data: Settlement calculations, policyholder data, claim outcomes
SOC 2 Type II certified (Nov 2022, Grant Thornton). Annual audits required.
data: MLS data, RESO-certified property data, third-party data access
Supports RESO certification for data standards. No explicit SOC 2 or ISO 27001 found.
data: Cotality's proprietary property database; customer query inputs
Uses machine learning, generative models, and human judgment on Cotality's own data. No AI governance certification (ISO 42001) found.
data: Property addresses, risk scores, natural hazard exposure data
Was subject to a 2019 data breach (client credentials accessed; no public leak confirmed).
data: Event data, property exposure, loss estimates
Used by government and insurance clients.
data: 150 million UK property records, 25+ years of transaction history
UK-specific product using next-generation AI modeling.
// What to watch
- IDENTITY/REBRAND: Vendor slug is 'corelogic' but the company rebranded to Cotality in March 2025. Legal entity remains CoreLogic, Inc. (copyright footer on cotality.com confirms). Listings and references must be kept consistent.
- SOC 2 SCOPE LIMIT: SOC 2 Type II covers only Next Gear Solutions subsidiary products (DASH, MICA, SettleAssist). No public evidence that the core Cotality platform products (Matrix, Trestle, CoreAI, RiskMeter) are SOC 2 certified. Presenting SOC 2 without this caveat would be an over-claim.
- SECURITY PAGE NOT LOADING: cotality.com/legal/security returned responsible disclosure policy content rather than a security compliance page. The absence of a trust center or a working security compliance page creates a transparency gap.
- PAST SECURITY INCIDENT: February 2019 breach of RiskMeter database accessed client credentials and property data. No public data leak confirmed, but lawsuit was filed. Resolved but notable for a data-aggregator at this scale.
- NO PUBLIC DPA TEMPLATE: No Data Processing Agreement template found publicly. Business customers must request DPA terms directly. Relevant for GDPR procurement workflows.
- AI TRAINING POSTURE UNCLEAR: Terms of use grant broad royalty-free license to submitted content. No explicit opt-out or prohibition on AI model training from customer interactions. Warrants direct vendor clarification for enterprise customers.
- HIPAA/PCI DSS GAPS: No public compliance documentation found despite serving insurance and financial services sectors that typically require these.
// At a glance
Pricing model
Enterprise B2B licensing, API subscriptions, SaaS per-seat or per-product; no self-serve consumer pricing
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on CoreLogic, Inc. (operating as Cotality since March 2025)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
cotality.com