// Trust & Security Report

    Reonomy, Inc. (subsidiary of Altus Group) logo

    Reonomy, Inc. (subsidiary of Altus Group)

    Commercial real estate data platform providing property intelligence, owner records, transaction history, and market data across 53M+ US properties via web app and API solutions

    Certifications held

    0

    Maturity

    Growth

    Trains on your data

    Unknown

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    > Show 9 unconfirmed / not-held certifications
    SOC 2 Type 1
    NOT CONFIRMED

    No public evidence Reonomy holds SOC 2. Reonomy's Master Subscription Agreement and Privacy Policy contain no mention of SOC 2. Parent company Altus's trust center (trust.altus.pro) does not name Reonomy and shows Altus only 'working towards SOC Type 2' (not yet certified).

    source: reonomy.com
    SOC 2 Type 2
    NOT CONFIRMED

    No public evidence Reonomy holds SOC 2. Reonomy's Master Subscription Agreement and Privacy Policy contain no mention of SOC 2, and parent Altus's trust center shows Altus only 'working towards SOC Type 2' without naming Reonomy. MSA disclaims security: 'Reonomy does not warrant that the Reonomy Services are completely free from all bugs, errors, or omissions, or will ensure complete security.'

    source: reonomy.com
    ISO 27001
    NOT CONFIRMED

    No public evidence Reonomy holds ISO 27001. Reonomy does not claim ISO 27001 in its legal documents. Parent company Altus's trust center (trust.altus.pro) shows Altus holds ISO/IEC 27001:2022, but Reonomy is not named or scoped there and a parent certification does not extend to the Reonomy service.

    source: trust.altus.pro
    HIPAA
    NOT CONFIRMED

    No public evidence. Privacy Policy makes no mention of HIPAA compliance. Not applicable to commercial real estate data platform use case.

    source: reonomy.com
    GDPR Compliance
    NOT CONFIRMED

    Privacy Policy contains no mention of GDPR compliance, DPA, or EU data protection obligations. Data processing statement: 'Your information...may be stored and processed in the United States or any other country' with no specific regional restrictions or GDPR safeguards noted.

    source: reonomy.com
    PCI DSS
    NOT CONFIRMED

    No public evidence. Not claimed in legal documents.

    source: reonomy.com
    ISO 27017 (Cloud Security)
    NOT CONFIRMED

    No public evidence. Not claimed in legal documents or trust center.

    source: reonomy.com
    ISO 27018 (Cloud PII Protection)
    NOT CONFIRMED

    No public evidence. Not claimed in legal documents.

    source: reonomy.com
    ISO 42001 (AI Management)
    NOT CONFIRMED

    No public evidence. Not claimed. Reonomy uses machine learning and AI models via Databricks but does not claim AI governance certifications.

    source: reonomy.com

    // Privacy & AI training

    Trains on customer data

    Not stated

    Data processing agreement

    Offered

    Data region

    Unrestricted - US and other countries

    Privacy Policy states Reonomy may 'aggregate and de-identify Customer Data' and 'collect and use Usage Data'. Master Subscription Agreement explicitly incorporates DPA for Personal Data processing. However, no explicit statement on whether de-identified customer data is used for AI model training. Company uses Databricks for ML model development, but training data sources are not publicly documented.

    // Security controls

    Encryption in Transit

    SSL/TLS implemented and current (no major CVE vulnerabilities per UpGuard assessment)

    upguard.com

    Secure Cookies

    NOT IMPLEMENTED - UpGuard report notes 'Secure cookies not used', increasing interception risk

    upguard.com

    HttpOnly Cookie Protection

    NOT IMPLEMENTED - UpGuard report notes 'HttpOnly cookies not used', enabling client-side attacks

    upguard.com

    Content Security Policy

    MISCONFIGURED - 'CSP allows insecure active sources' and 'CSP implemented unsafely'

    upguard.com

    MIME Sniffing Protection

    NOT IMPLEMENTED - 'X-Content-Type-Options is not nosniff', enabling MIME confusion attacks

    upguard.com

    HSTS Implementation

    Partial - HSTS header present but 'not on preload list' and lacks 'includeSubDomains' directive

    upguard.com

    Email Security (DMARC)

    WEAK - 'DMARC policy is p=none', providing no anti-fraud/spoofing protection

    upguard.com

    Email Security (SPF)

    LENIENT - SPF uses '~all' mechanism (soft fail), allowing unauthorized senders to send mail from domain

    upguard.com

    Open Ports

    No open ports detected

    upguard.com

    Malware & Botnet Status

    No malware, phishing, or botnet activity detected

    upguard.com

    // Products & data scope

    Reonomy Web AppSaaS - Commercial Real Estate Intelligence

    data: US commercial property data (53M+ properties), ownership records, transaction history, demographic data

    Browser-based platform for property analysis and owner research. No public security certification. No GDPR or international data residency guarantees.

    Reonomy API / Data SolutionsAPI - Data Platform

    data: Programmatic access to same property/ownership dataset as web app

    API access to commercial real estate database. Same security and compliance limitations as web app.

    // What to watch

    • NO_TRUST_CENTER: Reonomy has no public trust center or security certifications page.
    • NO_CERTIFICATIONS: No SOC 2, ISO 27001, GDPR, HIPAA, or other standard security certifications claimed or verified.
    • WEAK_WEBSITE_SECURITY: UpGuard B-grade (732/950) due to multiple security misconfigurations: missing secure/HttpOnly cookies, unsafe CSP, no MIME sniffing protection, weak HSTS, weak DMARC/SPF policies.
    • CCPA_RIGHTS_VIA_SEPARATE_NOTICE: Privacy Policy references California (CCPA) consumer rights through a separate Location-Based Rights Notice; the service is US-operated and intended for US users. No public metrics on how requests are handled.
    • DATA_RESIDENCY_UNRESTRICTED: Privacy Policy allows data storage in 'any other country' with no specific safeguards, raising concerns for EU customers and GDPR applicability.
    • NO_DPA_PUBLIC: While MSA references DPA for Personal Data, no public Data Processing Agreement is published on vendor website.
    • AI_TRAINING_UNCLEAR: Privacy Policy mentions 'aggregate and de-identify' customer data and company uses Databricks for ML, but no explicit statement on whether customer data (de-identified or not) is used for model training.
    • PARENT_COMPANY_CERTS_NOT_INHERITED: Parent company Altus Group holds ISO 27001, but Reonomy is NOT listed in their trust center as having certifications. Parent certs do not automatically apply to subsidiary.
    • SECURITY_DISCLAIMER: Master Subscription Agreement explicitly disclaims security: 'does not warrant...will ensure complete security'.
    • LIMITED_LIABILITY: MSA caps liability at greater of $1,000 or amount paid in preceding 12 months, limiting recourse for data breaches or compliance violations.

    // At a glance

    Pricing model

    Subscription-based ($400/month for web app on annual subscription; API/bulk data feed available via sales)

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Reonomy, Inc. (subsidiary of Altus Group)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-06. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    reonomy.com

    > Browse all vendor trust reports