// Trust & Security Report
Mercurio Platform, S.L. (d/b/a Restb.ai)
Computer-vision API and MLS/appraisal products for real estate photo analysis: image tagging/classification, property condition and quality scoring, visual similarity/comparable-property matching, auto-generated captions and descriptions, watermark/duplicate detection, and Photo Compliance (detects logos, yard signs, people, license plates in listing photos). Sold via API and packaged into MLS, AVM/iBuyer, appraisal/inspection, and insurance-focused product lines.
Certifications held
1
Maturity
Growth
Trains on your data
Unknown
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on restb.ai“"This privacy policy is adapted to the Spanish and European regulations and it is compliant with the following rules: Regulation (EU) 2016/679 ... GDPR." and "You appoint us as a data processor of Your Data, to process Your Data on your behalf for the purpose of providing the Service."”
> Show 8 unconfirmed / not-held certifications
source: restb.aiNo public evidence. No trust center exists (restb.ai/security and restb.ai/trust both return 404), and the combined Service & Privacy Policy at restb.ai/terms-conditions/ does not reference SOC 2 in any form.
source: restb.aiNo public evidence. The Terms & Conditions describe only 'basic security measures set out in Spanish Royal Decree 1720/2007' and explicitly state 'no higher level measures are available for the Service' — no ISO 27001 or equivalent framework is claimed.
source: restb.aiNo public evidence. Product is a real estate imagery API; no HIPAA reference anywhere on the vendor's site, and the Terms explicitly prohibit customers from submitting health-related sensitive data through the service.
source: restb.aiNo public evidence of a PCI DSS attestation. Not applicable to the product (no payment-card data processed) and not claimed anywhere on the vendor's site.
source: restb.aiNo public evidence. Not mentioned in the Terms & Conditions or anywhere else on the vendor's domain.
source: restb.aiNo public evidence of an AI-governance certification. No AI-specific compliance page exists on the vendor's site.
source: restb.aiNo public evidence. Not mentioned anywhere on the vendor's domain.
source: restb.aiNo public evidence, and not applicable — this is a commercial real estate imagery product with no indication of US federal government sales or authorization.
// Privacy & AI training
Trains on customer data
Not stated
Data processing agreement
Offered
Data region
Sub-processor Amazon Web Services, Inc., 'with servers in the EU and in the USA, for the purpose of delivering your content (images and metadata) to your end-users.' No dedicated EU-only or US-only hosting option is documented.
The Terms state Restb.ai will 'only process the personal data as specified by these Terms and in accordance with your instructions' and '(d) will not use Your Data for any purposes other than those related to the performance of the Services.' This restricts use of customer data to service delivery but does not explicitly say whether 'performance of the Services' includes using submitted images to improve/retrain the underlying computer-vision models, and there is no opt-out mechanism described. No separate AI-training or model-improvement policy page exists. Treat as unconfirmed rather than a clean no.
// Security controls
Data processor role (GDPR)
Restb.ai contractually acts as data processor; customer is data controller.
restb.aiBaseline security measures
"we implement basic security measures set out in Spanish Royal Decree 1720/2007 and no higher level measures are available for the Service." (Note: RD 1720/2007 was the implementing regulation for Spain's pre-GDPR data protection law and was superseded by the LOPDGDD in 2018; this appears to be legacy contract language rather than a current, named security framework.)
restb.aiSub-processors
Discloses one named sub-processor: Amazon Web Services, Inc. (EU and US servers), used to deliver customer content to end-users.
restb.aiData retention / deletion
"Upon the expiry or termination of this Agreement or de-registration, or upon request of the Customer, RESTB.AI shall cease any and all use of Your Data and will destroy or return it to you."
restb.aiProhibited data categories
Terms prohibit customers from submitting special-category/sensitive personal data (racial origin, union membership, religion, ideology, sex life, health, criminal offenses) through the service.
restb.aiWarranty disclaimer
"The products are provided on a strictly 'as is' basis without warranty of any kind."
restb.aiTrust center / security page
Not verified. No trust center; restb.ai/security and restb.ai/trust both return HTTP 404.
restb.ai// Products & data scope
data: Processes customer-submitted property photos and associated metadata for tagging, classification, and analysis.
Underlying model powering the packaged solutions below; over 1 billion property photos processed monthly per vendor claims.
data: Listing photos ingested via MLS partner pipelines; reaches 1M+ real estate agents through 26+ MLS deployments per vendor press materials.
Bundles image tagging, captions, and property description generation for MLS platforms.
data: Scans listing photos for policy violations (logos, watermarks, yard signs, people, license plates).
Marketed as helping ADA/SEO compliance via auto-generated alt text; this is accessibility/SEO tooling, not a security certification.
data: Property condition and quality scoring from photo sets, used by investors, appraisers, and inspection firms.
No distinct security/compliance posture documented separately from the core Terms & Conditions; treated as the same data-processing terms.
data: Photo-based property condition analysis for underwriting workflows.
No insurance-specific compliance documentation (e.g., state DOI attestations) found on the vendor's site.
// What to watch
- No trust center and no SOC 2 / ISO 27001 / any third-party security certification found anywhere on the vendor's domain (restb.ai/security and restb.ai/trust both 404) — for a vendor processing large volumes of MLS/listing imagery at scale, this is a notable gap to disclose to prospective enterprise buyers.
- The Terms & Conditions cite 'Spanish Royal Decree 1720/2007' as the security baseline and explicitly state 'no higher level measures are available' — RD 1720/2007 predates GDPR and was superseded domestically in 2018, suggesting the legal text may be outdated/unmaintained rather than reflecting current security practice.
- AI-training posture on customer imagery is not explicitly confirmed or denied by the vendor; the Terms restrict data use to 'performance of the Services' but do not clarify whether that includes using customer photos to improve the underlying computer-vision models, and no opt-out is documented.
// At a glance
Pricing model
Subscription/API-usage based (tiered access to functionality such as automated descriptions and visual similarity search); public pricing not fully disclosed, contact-for-demo model.
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Mercurio Platform, S.L. (d/b/a Restb.ai)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-09. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
restb.ai