// Trust & Security Report

    CoreLogic, Inc. (operating as Cotality since March 2025) logo

    CoreLogic, Inc. (operating as Cotality since March 2025)

    Real estate property data, analytics, AI, and SaaS for real estate professionals, insurance, mortgage, and government. Key products: Matrix (MLS platform), OneHome (buyer portal), DASH/MICA/SettleAssist (insurance/restoration), Trestle (data marketplace), CoreAI (AI analytics), RiskMeter, and Hazard HQ Command Central.

    Certifications held

    4

    Maturity

    Enterprise

    Trains on your data

    Unknown

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    CoreLogic/Next Gear Solutions officially earned SOC 2 Type II certification on November 17, 2022, for its three SaaS-based offerings: DASH, MICA, and SettleAssist. Audited by Grant Thornton (AICPA-authorized). Annual renewal required. IMPORTANT SCOPE LIMIT: this certification covers only the Next Gear Solutions subsidiary products. No public evidence of SOC 2 coverage for the core Cotality platform (Matrix, Trestle, CoreAI, etc.).

    Verify on nextgearsolutions.com
    EU-US Data Privacy Framework (DPF)
    HELD

    CoreLogic, Inc. and our U.S. entities and subsidiaries Symbility Solutions Corp., Next Gear Solutions, LLC, and CoreLogic Solutions, LLC have certified our participation in the EU-U.S. Data Privacy Framework, the UK extension to the EU-U.S. Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework with the U.S. Department of Commerce.

    Verify on cotality.com
    UK Extension to EU-US DPF
    HELD

    CoreLogic, Inc. and our U.S. entities and subsidiaries ... have certified our participation in ... the UK extension to the EU-U.S. Data Privacy Framework.

    Verify on cotality.com
    Swiss-US Data Privacy Framework (DPF)
    HELD

    CoreLogic, Inc. and our U.S. entities and subsidiaries ... have certified our participation in ... the Swiss-U.S. Data Privacy Framework with the U.S. Department of Commerce.

    Verify on cotality.com
    > Show 9 unconfirmed / not-held certifications
    ISO 27001
    NOT CONFIRMED

    No public evidence of ISO 27001 certification found on any Cotality or CoreLogic domain, trust center, or third-party certification registry.

    source: cotality.com
    GDPR (formal certification)
    NOT CONFIRMED

    No formal GDPR certification exists as a recognized standard. CoreLogic handles EU-EEA personal data transfers via the EU-US Data Privacy Framework (certified). The DPF policy references GDPR compliance obligations. No adequacy decision or BCR documented publicly.

    source: cotality.com
    HIPAA
    NOT CONFIRMED

    No public evidence of HIPAA compliance documentation, Business Associate Agreement template, or HIPAA attestation found on the Cotality or CoreLogic domains. Law Insider references suggest CoreLogic contracts reference HIPAA Rules in client agreements, but no formal compliance page or attestation was found.

    source: cotality.com
    PCI DSS
    NOT CONFIRMED

    No public evidence of PCI DSS certification or compliance documentation found on the Cotality or CoreLogic domains.

    source: cotality.com
    FedRAMP
    NOT CONFIRMED

    No public evidence of FedRAMP authorization found. Cotality serves government clients but no FedRAMP listing or documentation was identified.

    source: cotality.com
    ISO 27017
    NOT CONFIRMED

    No public evidence found.

    source: cotality.com
    ISO 27018
    NOT CONFIRMED

    No public evidence found.

    source: cotality.com
    CSA STAR
    NOT CONFIRMED

    No public evidence found.

    source: cotality.com
    ISO/IEC 42001 (AI Governance)
    NOT CONFIRMED

    No public evidence found. Cotality operates CoreAI for property analytics but no AI governance certification was identified.

    source: cotality.com

    // Privacy & AI training

    Trains on customer data

    Not stated

    Data processing agreement

    Not offered

    Data region

    United States, Canada, United Kingdom, Australia, New Zealand (per privacy policy: 'generally stored and processed in the United States or Canada' but 'may be stored and processed in and transferred between any of the countries in which we operate')

    CoreAI intelligence uses Cotality's own proprietary property databases (98%+ property coverage, 1M+ data points refreshed monthly, 30 years of historical data). No explicit policy language found regarding training AI models on customer-submitted data. The terms of use grant Cotality a broad royalty-free, perpetual license to use submitted content but do not specifically address AI model training. Posture is unclear and warrants direct vendor clarification.

    // Security controls

    Encryption in transit

    TLS with SHA-256; no insecure SSL/TLS versions available (per UpGuard external scan)

    upguard.com

    Email security

    DMARC and SPF configured with strict filtering (per UpGuard external scan)

    upguard.com

    Cookie security

    Secure cookies and HttpOnly cookies implemented; server headers do not expose version information

    upguard.com

    External security rating

    UpGuard: A rating, 804/950

    upguard.com

    Responsible disclosure program

    Formal vulnerability submission program at cotality.com/legal/responsible-disclosure-policy

    cotality.com

    Known gaps (external scan)

    HSTS not enforced; DNSSEC disabled; HTTP port exposed to internet

    upguard.com

    Past security incident

    February 2019: RiskMeter database breach - client credentials and property data accessed by unauthorized party and moved to external server. Lawsuit filed; no evidence of public data leak reported.

    appraisersblogs.com

    // Products & data scope

    MatrixMLS Platform

    data: MLS property listing data, agent and buyer account data

    #1 MLS platform in North America. No explicit SOC 2 documentation found for this product.

    OneHomeReal Estate Buyer/Agent Portal

    data: Buyer preferences, search history, agent-client communications

    Integrated with Matrix. No explicit SOC 2 documentation found.

    DASHProperty Restoration Job Management (SaaS)

    data: Insurance claim data, property damage documentation, contractor data

    SOC 2 Type II certified (Nov 2022, Grant Thornton). Annual audits required.

    MICAInsurance Claims Management (SaaS)

    data: Insurance claim details, policyholder data, property data

    SOC 2 Type II certified (Nov 2022, Grant Thornton). Annual audits required.

    SettleAssistInsurance Settlement (SaaS)

    data: Settlement calculations, policyholder data, claim outcomes

    SOC 2 Type II certified (Nov 2022, Grant Thornton). Annual audits required.

    TrestleReal Estate Data Marketplace / API

    data: MLS data, RESO-certified property data, third-party data access

    Supports RESO certification for data standards. No explicit SOC 2 or ISO 27001 found.

    CoreAIAI/ML Analytics Platform

    data: Cotality's proprietary property database; customer query inputs

    Uses machine learning, generative models, and human judgment on Cotality's own data. No AI governance certification (ISO 42001) found.

    RiskMeterNatural Hazard Risk Assessment

    data: Property addresses, risk scores, natural hazard exposure data

    Was subject to a 2019 data breach (client credentials accessed; no public leak confirmed).

    Hazard HQ Command CentralNatural Catastrophe Intelligence

    data: Event data, property exposure, loss estimates

    Used by government and insurance clients.

    Precision Valuations (UK)AI Property Valuation

    data: 150 million UK property records, 25+ years of transaction history

    UK-specific product using next-generation AI modeling.

    // What to watch

    • IDENTITY/REBRAND: Vendor slug is 'corelogic' but the company rebranded to Cotality in March 2025. Legal entity remains CoreLogic, Inc. (copyright footer on cotality.com confirms). Listings and references must be kept consistent.
    • SOC 2 SCOPE LIMIT: SOC 2 Type II covers only Next Gear Solutions subsidiary products (DASH, MICA, SettleAssist). No public evidence that the core Cotality platform products (Matrix, Trestle, CoreAI, RiskMeter) are SOC 2 certified. Presenting SOC 2 without this caveat would be an over-claim.
    • SECURITY PAGE NOT LOADING: cotality.com/legal/security returned responsible disclosure policy content rather than a security compliance page. The absence of a trust center or a working security compliance page creates a transparency gap.
    • PAST SECURITY INCIDENT: February 2019 breach of RiskMeter database accessed client credentials and property data. No public data leak confirmed, but lawsuit was filed. Resolved but notable for a data-aggregator at this scale.
    • NO PUBLIC DPA TEMPLATE: No Data Processing Agreement template found publicly. Business customers must request DPA terms directly. Relevant for GDPR procurement workflows.
    • AI TRAINING POSTURE UNCLEAR: Terms of use grant broad royalty-free license to submitted content. No explicit opt-out or prohibition on AI model training from customer interactions. Warrants direct vendor clarification for enterprise customers.
    • HIPAA/PCI DSS GAPS: No public compliance documentation found despite serving insurance and financial services sectors that typically require these.

    // At a glance

    Pricing model

    Enterprise B2B licensing, API subscriptions, SaaS per-seat or per-product; no self-serve consumer pricing

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on CoreLogic, Inc. (operating as Cotality since March 2025)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    cotality.com

    > Browse all vendor trust reports