// Trust & Security Report

    Roof AI logo

    Roof AI

    AI-powered lead engagement chatbot for real estate brokerages: an "AI Assistant" website widget that qualifies buyer intent, captures and routes leads to agents/CRM, plus natural-language property search and automated follow-up campaigns. Single product line marketed under Solutions/Features (AI Assistant, AI Search, AI Conversations, Follow-up); no separate consumer, enterprise, or API tiers documented.

    Certifications held

    1

    Maturity

    Growth

    Trains on your data

    Yes

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    GDPR (posture)
    HELD

    "The right to access the Personal Information we hold about you" and "the right to require us to rectify any inaccurate Personal Information"; customers additionally have rights to erasure, object to processing, data portability, and "request a restriction of the processing of your Personal Information."

    Verify on roofai.com
    > Show 8 unconfirmed / not-held certifications
    SOC 2 (Type 1/2)
    NOT CONFIRMED

    No public evidence. No trust center, security page, or SOC 2 mention found on roofai.com (home, privacy policy, terms of service, acceptable use policy, subprocessors page all reviewed).

    source: roofai.com
    ISO 27001
    NOT CONFIRMED

    No public evidence. No ISO 27001 mention found anywhere on the vendor's own domain.

    source: roofai.com
    HIPAA
    NOT CONFIRMED

    No public evidence and out of scope: Roof AI is a real estate lead-engagement chatbot, not a healthcare product; the privacy policy contains no HIPAA reference.

    source: roofai.com
    PCI DSS
    NOT CONFIRMED

    No public evidence. Privacy policy notes message logs "may contain information such as, without limitation, names, email addresses, phone numbers, addresses, passwords, payment information" but no PCI DSS or card-data-handling certification is mentioned.

    source: roofai.com
    ISO 27017 / 27018 / 27701
    NOT CONFIRMED

    No public evidence. No mention on any reviewed vendor-domain page.

    source: roofai.com
    ISO/IEC 42001 (AI management systems)
    NOT CONFIRMED

    No public evidence of an AI-governance certification. Marketing copy references internal "Fair Housing Classifiers" and "content safety systems" but these are described as product features, not a certified AI management system.

    source: roofai.com
    CSA STAR
    NOT CONFIRMED

    No public evidence. No CSA STAR mention found on vendor domain.

    source: roofai.com
    FedRAMP
    NOT CONFIRMED

    No public evidence; not applicable to this SMB/mid-market real estate SaaS product.

    source: roofai.com

    // Privacy & AI training

    Trains on customer data

    Yes

    Data processing agreement

    Not offered

    Data region

    United States. Subprocessors page lists Auth0/Okta, Google Cloud Platform, Honeycomb, IPinfo, Microsoft Azure OpenAI, Postmark, Sentry, SmartyStreets, and Twilio, all located in the USA. Privacy policy: information "may be transferred to, and stored at, United States of America outside the European Economic Area."

    Privacy policy: "Roof AI utilizes anonymized 'End User' interactions to information and train our natural language understanding and machine learning algorithms." Terms of service: "To enhance the AI Assistant and maintain service quality, we may use anonymized data from your interactions to refine AI Models." Data is described as anonymized before use, but no explicit customer/end-user opt-out mechanism was found in the captured text, and no separate current AI-specific policy page exists to cross-check against these legacy-style ToS/privacy statements.

    // Security controls

    Encryption in transit

    not verified: no explicit statement found on any reviewed vendor page

    roofai.com

    Encryption at rest

    not verified: no explicit statement found on any reviewed vendor page

    roofai.com

    Authentication

    Auth0 by Okta used for user authentication (subprocessor)

    roofai.com

    Hosting infrastructure

    Google Cloud Platform (hosting), Microsoft Azure OpenAI (AI model inference)

    roofai.com

    Monitoring

    Sentry (error monitoring), Honeycomb (performance monitoring)

    roofai.com

    Formal security program / trust center

    not verified: no trust center, security whitepaper, or documented security program found on the vendor domain

    roofai.com

    // Products & data scope

    AI Assistant (website chat widget)Real estate lead-engagement chatbot

    data: Visitor name, email, phone, address, IP address, location, full conversation transcripts (message logs noted to potentially contain payment information)

    Primary product. Engages site visitors 24/7, qualifies buyer intent, captures contact details, routes leads to agents/CRM by email or direct integration.

    AI Search / Natural Language SearchProperty search feature

    data: Visitor search queries, session context

    Conversational property search layered on brokerage listing/MLS data; marketed as a distinct feature page but runs on the same underlying platform and data flows as the AI Assistant.

    CRM / MLS / brokerage system integrationsData integration layer

    data: Brokerage CRM records, MLS listing data, agent directories

    Pulls listings, agents, and brand information in real time and pushes qualified leads into the brokerage's CRM.

    // What to watch

    • No trust center, security page, or third-party certification (SOC 2, ISO 27001, HIPAA, PCI DSS, ISO 42001, CSA STAR) found anywhere on the vendor's own domain despite the vendor serving named enterprise real estate brokerages (Briggs Freeman, BHHS Fox & Roach, RealtySouth, Harry Norman Realtors per their own homepage) - enterprise buyers should request compliance documentation directly.
    • Identity-conflation risk: web search surfaced several similarly named but distinct companies in the roofing/real-estate AI space (a 'Roof AI - Roofing Visualizer' mobile app with privacy policy at remodelai.app, ai-roofing.com, RowebAI, RoofEra.ai, agentroof.com).
    • AI training on anonymized end-user interaction data is disclosed, but no explicit customer/end-user opt-out mechanism or tier-based training exclusion was found in the current privacy policy or terms of service - flag for buyers who require a no-training guarantee.
    • Privacy policy notes chat message logs may contain 'payment information' with no PCI DSS certification or card-handling control disclosed anywhere on the site - worth a direct question to the vendor before enabling any payment-adjacent flows.
    • No Data Processing Agreement (DPA) is referenced in the public Privacy Policy or Terms of Service; GDPR-regulated customers should request one directly from Roof AI's sales team.
    • Third-party company-data aggregators (e.g. Crunchbase) show stale/minimal funding data (a 2017 convertible note) that conflicts with the customer scale described on the vendor's own site; this was not used to set maturity and should not be treated as a reliable freshness signal.

    // At a glance

    Pricing model

    Freemium entry ("Start for free") with custom brokerage pricing via sales contact; no public price list found

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Roof AI's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-09. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    roofai.com

    > Browse all vendor trust reports