// Trust & Security Report
Ylopo, LLC
AI-driven digital marketing and lead-generation platform for real estate agents/teams: acquisition (Google/Facebook/Instagram ad campaigns), AI² conversational agents (AI Voice + AI Text follow-up and qualification), lead nurture, and CRM integration/websites.
Certifications held
1
Maturity
Growth
Trains on your data
Unknown
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on trust.ylopo.com“System and Organization Controls (SOC) 2 Type 2 report for the period of June 1, 2024, to May 30, 2025 (auditor: risk3sixty Compliance, LLC)”
> Show 6 unconfirmed / not-held certifications
source: trust.ylopo.comNo public evidence. Trust center (SafeBase-hosted) lists only SOC 2 Type 2 under Compliance; no ISO 27001 badge, report, or mention found on trust.ylopo.com, ylopo.com/soc-2-compliance, or the privacy policy/ToS.
source: ylopo.comPrivacy policy includes a California/CCPA disclosure section but has no GDPR section, no mention of EU data subject rights, lawful basis, EU representative, or Standard Contractual Clauses.
source: ylopo.comNo public evidence. Not applicable to Ylopo's product scope (real estate lead marketing/CRM, not healthcare data); no HIPAA mention anywhere in privacy policy, ToS, or trust center.
source: trust.ylopo.comNo public evidence found on trust center or legal pages; unknown/no evidence.
source: trust.ylopo.comNo public evidence. Product is built around AI voice/text agents but no AI-governance certification is listed on the trust center.
source: trust.ylopo.comNo public evidence found on trust center; unknown/no evidence.
// Privacy & AI training
Trains on customer data
Not stated
Data processing agreement
Not offered
Data region
United States (privacy policy states data is stored/processed at company facilities and third-party facilities; no explicit multi-region or EU hosting statement found)
No explicit statement on whether lead/call/text data is used to train Ylopo's AI models. ToS grants Ylopo an 'irrevocable, perpetual, transferable, non-exclusive, fully-paid, worldwide, royalty-free license' to use 'User Submissions' for any purpose, and claims free use of any submitted feedback/ideas without attribution or compensation - broad enough to cover AI training but not stated as such, and no opt-out mechanism is described for this use. Treat as unresolved/ambiguous rather than confirmed either way.
// Security controls
Encryption in transit and at rest
"All sensitive data is encrypted both at rest and in transit"
ylopo.comAccess controls / MFA
"Strong access controls, including multi-factor authentication and password policies, to ensure that only authorized personnel can access sensitive data"
ylopo.comPenetration testing
Trust center lists a 'Pentest Report' document available under Reports (access likely gated/on request)
trust.ylopo.comThird-party vendor security requirement
"Third-party vendors that are SOC 2 compliant with appropriate security controls" are required
ylopo.comSubprocessors disclosed
Trust center Legal section lists subprocessors including Survicate, Twilio, DocuSign, Mailchimp, and Basecamp
trust.ylopo.comProduct/infra security program areas listed
Trust center enumerates Product Security (audit logging, role-based access control), Access Control, Risk Profile, Data Security, App Security, Infrastructure, Endpoint Security, Network Security, and Corporate Security sections (detail gated behind access request)
trust.ylopo.com// Products & data scope
data: Buyer/seller lead contact info (name, phone, email), property search preferences, marketing engagement and ad-attribution data, CRM sync data
Core offering: Google/Facebook/Instagram acquisition campaigns, dynamic remarketing, lead nurture, agent-branded websites. Sold as packages to individual agents and teams; every lead is stated to be exclusively the customer's ('never sold or shared with anyone but you').
data: Lead phone numbers and SMS content, call audio/transcripts, qualification answers (timeline, pre-approval status), appointment scheduling data
Automates up to 90 days of persistent text/voice follow-up per lead (vendor claims 25M+ AI conversations/month, 48% response rate). This is the component most exposed to AI-training and call-recording privacy questions; no dedicated AI privacy/training page was found.
// What to watch
- Homepage marketing copy states 'Scale with enterprise-grade security. Ensure your company's data is completely secure and that you are in compliance with the latest standards' - an absolute claim ('completely secure') that outruns the actual documented cert coverage (SOC 2 Type 2 only; no ISO 27001, no HIPAA, no documented GDPR program).
- SOC 2 Type 2 report on file covers June 1, 2024 - May 30, 2025; as of this assessment (July 2026) that period has lapsed. Confirm via trust.ylopo.com (request access) that a current/renewed report exists before treating SOC 2 as presently valid.
- No public evidence of a GDPR compliance program (no DPA, no EU representative, no SCCs referenced); privacy policy addresses only CCPA. Low risk for a US-focused real estate SMB tool but should be disclosed as a caveat, not assumed absent by omission alone.
- AI training posture on lead/call data is unresolved: ToS grants a broad perpetual license over 'User Submissions' with no explicit AI-training statement and no opt-out described. Flag for buyer follow-up rather than asserting an answer either way.
- Heavy AI-agent product surface (AI Voice/Text placing calls and texts to consumers) with no AI-governance certification (ISO/IEC 42001, CSA STAR AI) - worth noting given the product's core value prop is autonomous AI outreach.
// At a glance
Pricing model
Subscription/package-based for real estate agents and teams; exact pricing gated behind demo/sales contact
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Ylopo, LLC's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-09. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.ylopo.com