// Trust & Security Report

    Ylopo, LLC logo

    Ylopo, LLC

    AI-driven digital marketing and lead-generation platform for real estate agents/teams: acquisition (Google/Facebook/Instagram ad campaigns), AI² conversational agents (AI Voice + AI Text follow-up and qualification), lead nurture, and CRM integration/websites.

    Certifications held

    1

    Maturity

    Growth

    Trains on your data

    Unknown

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type 2
    HELD

    System and Organization Controls (SOC) 2 Type 2 report for the period of June 1, 2024, to May 30, 2025 (auditor: risk3sixty Compliance, LLC)

    Verify on trust.ylopo.com
    > Show 6 unconfirmed / not-held certifications
    ISO 27001
    NOT CONFIRMED

    No public evidence. Trust center (SafeBase-hosted) lists only SOC 2 Type 2 under Compliance; no ISO 27001 badge, report, or mention found on trust.ylopo.com, ylopo.com/soc-2-compliance, or the privacy policy/ToS.

    source: trust.ylopo.com
    GDPR (posture)
    NOT CONFIRMED

    Privacy policy includes a California/CCPA disclosure section but has no GDPR section, no mention of EU data subject rights, lawful basis, EU representative, or Standard Contractual Clauses.

    source: ylopo.com
    HIPAA
    NOT CONFIRMED

    No public evidence. Not applicable to Ylopo's product scope (real estate lead marketing/CRM, not healthcare data); no HIPAA mention anywhere in privacy policy, ToS, or trust center.

    source: ylopo.com
    PCI DSS
    NOT CONFIRMED

    No public evidence found on trust center or legal pages; unknown/no evidence.

    source: trust.ylopo.com
    ISO/IEC 42001 (AI management system)
    NOT CONFIRMED

    No public evidence. Product is built around AI voice/text agents but no AI-governance certification is listed on the trust center.

    source: trust.ylopo.com
    CSA STAR
    NOT CONFIRMED

    No public evidence found on trust center; unknown/no evidence.

    source: trust.ylopo.com

    // Privacy & AI training

    Trains on customer data

    Not stated

    Data processing agreement

    Not offered

    Data region

    United States (privacy policy states data is stored/processed at company facilities and third-party facilities; no explicit multi-region or EU hosting statement found)

    No explicit statement on whether lead/call/text data is used to train Ylopo's AI models. ToS grants Ylopo an 'irrevocable, perpetual, transferable, non-exclusive, fully-paid, worldwide, royalty-free license' to use 'User Submissions' for any purpose, and claims free use of any submitted feedback/ideas without attribution or compensation - broad enough to cover AI training but not stated as such, and no opt-out mechanism is described for this use. Treat as unresolved/ambiguous rather than confirmed either way.

    // Security controls

    Encryption in transit and at rest

    "All sensitive data is encrypted both at rest and in transit"

    ylopo.com

    Access controls / MFA

    "Strong access controls, including multi-factor authentication and password policies, to ensure that only authorized personnel can access sensitive data"

    ylopo.com

    Penetration testing

    Trust center lists a 'Pentest Report' document available under Reports (access likely gated/on request)

    trust.ylopo.com

    Cyber insurance

    Trust center lists 'Cyber Insurance' documentation under Legal

    trust.ylopo.com

    Third-party vendor security requirement

    "Third-party vendors that are SOC 2 compliant with appropriate security controls" are required

    ylopo.com

    Subprocessors disclosed

    Trust center Legal section lists subprocessors including Survicate, Twilio, DocuSign, Mailchimp, and Basecamp

    trust.ylopo.com

    Product/infra security program areas listed

    Trust center enumerates Product Security (audit logging, role-based access control), Access Control, Risk Profile, Data Security, App Security, Infrastructure, Endpoint Security, Network Security, and Corporate Security sections (detail gated behind access request)

    trust.ylopo.com

    // Products & data scope

    Ylopo Platform (acquisition + nurture + CRM/websites)Real estate marketing / lead generation

    data: Buyer/seller lead contact info (name, phone, email), property search preferences, marketing engagement and ad-attribution data, CRM sync data

    Core offering: Google/Facebook/Instagram acquisition campaigns, dynamic remarketing, lead nurture, agent-branded websites. Sold as packages to individual agents and teams; every lead is stated to be exclusively the customer's ('never sold or shared with anyone but you').

    AI² (AI Voice + AI Text agents)Conversational AI / voice AI

    data: Lead phone numbers and SMS content, call audio/transcripts, qualification answers (timeline, pre-approval status), appointment scheduling data

    Automates up to 90 days of persistent text/voice follow-up per lead (vendor claims 25M+ AI conversations/month, 48% response rate). This is the component most exposed to AI-training and call-recording privacy questions; no dedicated AI privacy/training page was found.

    // What to watch

    • Homepage marketing copy states 'Scale with enterprise-grade security. Ensure your company's data is completely secure and that you are in compliance with the latest standards' - an absolute claim ('completely secure') that outruns the actual documented cert coverage (SOC 2 Type 2 only; no ISO 27001, no HIPAA, no documented GDPR program).
    • SOC 2 Type 2 report on file covers June 1, 2024 - May 30, 2025; as of this assessment (July 2026) that period has lapsed. Confirm via trust.ylopo.com (request access) that a current/renewed report exists before treating SOC 2 as presently valid.
    • No public evidence of a GDPR compliance program (no DPA, no EU representative, no SCCs referenced); privacy policy addresses only CCPA. Low risk for a US-focused real estate SMB tool but should be disclosed as a caveat, not assumed absent by omission alone.
    • AI training posture on lead/call data is unresolved: ToS grants a broad perpetual license over 'User Submissions' with no explicit AI-training statement and no opt-out described. Flag for buyer follow-up rather than asserting an answer either way.
    • Heavy AI-agent product surface (AI Voice/Text placing calls and texts to consumers) with no AI-governance certification (ISO/IEC 42001, CSA STAR AI) - worth noting given the product's core value prop is autonomous AI outreach.

    // At a glance

    Pricing model

    Subscription/package-based for real estate agents and teams; exact pricing gated behind demo/sales contact

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Ylopo, LLC's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-09. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.ylopo.com

    > Browse all vendor trust reports