Built On A Foundation Of Trust.
A permanent rental record is only as valuable as the controls protecting it. Here's exactly how Oscar protects landlord ledgers and tenant identity data — and the compliance work we're doing to keep it that way.
Encryption Everywhere
TLS 1.2+ in transit. AES-256 envelope encryption at rest. Sensitive PII (SSNs, bank tokens) is encrypted at the field level with keys held in a managed KMS, separate from the application database.
Least-Privilege Access
Row-Level Security on every table. Landlords only see their own units. Tenants only see their own profile. Oscar staff cannot read tenant PII outside of an audited support request the tenant initiated.
Data Residency & Backups
Data is hosted on US-region infrastructure with point-in-time recovery, encrypted off-site backups, and a tested disaster-recovery runbook.
FCRA-Grade Screening
Tenant consent is captured and timestamped. Adverse-action notices are generated automatically. Disputes follow a regulated review timeline with written outcomes.
Tenant-Owned Records
Tenants control what they share, with whom, and for how long. Shares are scoped, time-bound, and revocable. Tenants can dispute or annotate any entry on their record.
Hardened Infrastructure
Production secrets live in a managed secret store, never in code or logs. CI runs dependency and static-analysis scans on every change. All admin access requires SSO + MFA.
Where We Stand Today.
Honest status — not marketing claims. Ask us for the latest attestation letter or our security questionnaire response.
| Framework | Status |
|---|---|
| SOC 2 Type II | In progress |
| FCRA workflow | Implemented |
| GLBA (consumer financial data) | Implemented |
| State fair-housing rules | Implemented |
| GDPR / CCPA data rights | Implemented |
| HIPAA | Not in scope |
Found Something? Tell Us.
We run a responsible-disclosure program. Email security@oscar.com. First response within 48 hours, no legal action against good-faith research.
This page reflects current production controls. We update it when controls change — see the changelog for security-relevant updates.