Your Tenants' Data and AI: What Agents Should Be Asking

AI is handling more tenant data than ever, but most agencies never ask how that data is protected. Here's what to look for before you sign.


AI tools are handling more tenant data than ever. Phone calls, emails, maintenance requests, compliance records, personal information. For agencies using AI to manage communications and operations, that data flows through a third-party system 24/7.

The proptech market is moving fast, and the security conversation can get skipped in favour of feature demos and pricing. But if you're trusting a platform with your tenants' names, addresses, phone numbers, and repair histories, you should know exactly how that data is stored, who can access it, and what happens if something goes wrong.

Here's what to look for.

Start with the certifications

The baseline you should expect from any AI provider handling tenant data:

ISO 27001:2022 is the international standard for information security management. It means a company has been independently audited and certified for how it manages data risks, from access controls to incident response. The ICO references ISO 27001 as an example of appropriate technical and organisational measures under UK GDPR.

UK GDPR compliance covers a published data processing agreement (DPA), clear retention policies, documented subject access request processes, and ICO registration. Any AI tool processing tenant data on your behalf is a data processor under UK law, and you, as the agency, are the data controller.

Beyond the baseline, SOC 2 Type 1 is worth looking for. It's an independent audit of a company's controls for security, availability, and confidentiality, conducted by a third-party firm. It's standard in enterprise SaaS but still rare in proptech.

Ask where the data lives

Your tenant data should be encrypted at rest and in transit. That means it's protected whether it's sitting in a database or moving between systems. Ask which cloud provider your vendor uses, and whether they host in regions that comply with UK data sovereignty expectations.

Other questions worth asking:

  • Do they run regular penetration testing? (This means hiring external security researchers to try to break in, then fixing what they find.)
  • Is access controlled on a least-privilege basis? (Staff should only be able to see the data they need for their role, nothing more.)
  • Do they require multi-factor authentication for internal access?
  • Do they carry cybersecurity insurance?
  • Do they have a business continuity plan if something goes down?

These aren't trick questions. Any serious vendor will answer them without hesitating.

Think about what AI actually sees

This is where it gets specific to AI tools. A traditional CRM stores your data. An AI tool processes it, reasons about it, and acts on it.

If you're using an AI assistant to handle tenant calls, triage maintenance, or manage viewings, that system is reading messages, making decisions, and generating responses using your tenants' personal data. So you need to understand:

  • Is the data used to train the AI model? (It shouldn't be. Your tenant conversations should stay yours.)
  • Are conversations logged, and who can access them?
  • How long is data retained after a tenancy ends?
  • What happens to data if you stop using the service?

Check the trust page, not just the sales page

The best indicator of how seriously a vendor takes security is whether they publish it openly. A dedicated trust or security page, ideally backed by an independent platform like Vanta, SOC 2, or a public security portal, tells you the vendor is confident enough to put their controls in the open.

Why this matters now

The Renters' Rights Act is increasing the operational load on agencies. More documentation, more communication, more compliance tracking. That means more data flowing through more systems, and more reason to make sure those systems are properly secured.

At the same time, AI adoption in property is accelerating. Agencies are bringing in tools to handle tenant communications, automate maintenance triage, and manage viewings at scale. The efficiency gains are real, but they come with a responsibility to make sure tenant data is handled properly.

The agencies that get this right won't just avoid problems. They'll build trust with landlords and tenants who increasingly want to know that their data is in safe hands.

How LightWork AI approaches security

LightWork AI is ISO 27001:2022 certified and SOC 2 Type 1 attested. We're GDPR compliant, ICO registered, and hold data processing agreements with every vendor in our supply chain.

If you're evaluating proptech vendors or AI tools right now, security is a reasonable bar, and we're happy to share where we stand. For the agencies we work with, it's one less thing to worry about when onboarding AI into their operations.

We publish our security posture openly at trust.lightwork.co.

Visit trust.lightwork.co to see how LightWork protects your data. Or book a demo to see Felicity in action.
