LO Radar
Security & Compliance

Built for the regulatory reality of mortgage.

LO Radar handles the most sensitive asset in your business: your past-client book. Here's how we treat it.

Regulatory frameworks

Compliance posture, by statute.

GLBA

Gramm-Leach-Bliley Act

All past-client information is treated as non-public personal information. Encryption at rest (AES-256), encryption in transit (TLS 1.2+), least-privilege internal access with SSO + mandatory 2FA, access logging per record. We will not collect Social Security Numbers, government IDs, credit reports, or bank account numbers — and we reject imports that contain them.

RESPA § 8

Real Estate Settlement Procedures Act

LO Radar is software. We do not provide settlement services. We do not accept referrals for fees. We do not act as a kickback conduit between LOs and other settlement providers. Per-deal pricing on the Performance tier is consideration for software usage, not a referral fee.

TILA

Truth in Lending Act

Every rate or APR figure LO Radar surfaces carries the calculation basis and the data date so you can verify before quoting. Draft outreach messages reference rate scenarios, not loan estimates, and clearly indicate that any quote will follow a formal Loan Estimate process.

TCPA

Telephone Consumer Protection Act

LO Radar does not send messages, voice calls, or SMS on your behalf. We draft; you send from your own systems. This keeps TCPA consent obligations cleanly under your existing contact-consent framework. We surface compliance flags on every draft so you can confirm consent status before reaching out.

FCRA

Fair Credit Reporting Act

LO Radar does not pull credit reports and is not a consumer reporting agency. Credit-improvement flags are derived from soft-pull aggregations or borrower-volunteered data — never from a hard pull through LO Radar. Any decision to refinance is contingent on the LO's own permissible-purpose credit pull through their existing originator workflow.

HPPA · NEW

Homebuyers Privacy Protection Act

Effective March 4, 2026. Third parties may no longer purchase consumer mortgage inquiry data from credit bureaus. LO Radar is structurally aligned: we operate on past-client data you already legally possess as the originating LO. We do not purchase, broker, or aggregate any third-party trigger-lead data.

First principles

Four things that shape every product decision.

1. We draft. You send.

LO Radar generates outreach drafts but never sends messages on your behalf. You send from your own email, CRM, or phone. This is intentional and architectural — it keeps TCPA, CAN-SPAM, and state-equivalent consent law obligations cleanly under your existing framework, and it preserves your record as the consenting sender.

2. Your book is your book.

We are a processor; you are the controller. We do not aggregate, anonymize-and-sell, or repurpose your past-client data. We do not enrich a shared dataset. We do not market to your past clients on our own behalf. We will not — under any circumstance — sell or share your borrower data with a third party.

3. Audit every access.

Every read and write to your past-client data is logged with timestamp, actor, and operation. You can request your access log at any time by emailing hello@techstackllc.info. Internal engineering access is gated by SSO with mandatory 2FA and is least-privilege by default — only the engineers operating the underlying systems can reach production data, and every such access is logged.
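The per-record access logging described above, as an added example rather than LO Radar's own code: a small store wrapper that appends an audit entry (timestamp, account, actor, operation, record id, outcome) for every read and write, including attempts that are denied, so the log also shows who tried and failed. The account and actor names are constructed for the example.

```python
"""Added example (not LO Radar's code): audit every read and write of a
past-client record with timestamp, actor and operation. Denied attempts are
logged too, so the access log is a complete record, not just a success list."""
import json
from datetime import datetime, timezone
from typing import Dict, List, Set, Tuple


class AuditedClientStore:
    def __init__(self) -> None:
        self._records: Dict[Tuple[str, str], dict] = {}  # (account, record_id) -> record
        self._grants: Dict[str, Set[str]] = {}          # account -> actors allowed in
        self._log: List[str] = []                       # append-only JSON lines (stand-in for a log sink)

    def grant(self, account: str, actor: str) -> None:
        """Least privilege: an actor touches an account's data only after an explicit grant."""
        self._grants.setdefault(account, set()).add(actor)

    def _audit(self, account: str, actor: str, operation: str, record_id: str, outcome: str) -> None:
        entry = {
            "ts": datetime.now(timezone.utc).isoformat(),
            "account": account,
            "actor": actor,
            "operation": operation,
            "record_id": record_id,
            "outcome": outcome,
        }
        self._log.append(json.dumps(entry, sort_keys=True))

    def _authorize(self, account: str, actor: str, operation: str, record_id: str) -> bool:
        allowed = actor in self._grants.get(account, set())
        # Log before returning, so a denied attempt leaves a trace as well.
        self._audit(account, actor, operation, record_id, "allowed" if allowed else "denied")
        return allowed

    def write(self, account: str, actor: str, record_id: str, data: dict) -> None:
        if not self._authorize(account, actor, "write", record_id):
            raise PermissionError(f"{actor} may not write {account}/{record_id}")
        self._records[(account, record_id)] = dict(data)

    def read(self, account: str, actor: str, record_id: str) -> dict:
        if not self._authorize(account, actor, "read", record_id):
            raise PermissionError(f"{actor} may not read {account}/{record_id}")
        return dict(self._records.get((account, record_id), {}))

    def access_log(self, account: str) -> List[dict]:
        """What a customer would receive on request: every entry touching their account."""
        return [e for e in map(json.loads, self._log) if e["account"] == account]


def demo() -> List[dict]:
    """Constructed scenario: one authorised LO and one actor without a grant."""
    store = AuditedClientStore()
    store.grant("acct-lo-1", "lo@example.com")            # constructed names
    store.write("acct-lo-1", "lo@example.com", "c-100", {"name": "Ada", "closed": "2021"})
    store.read("acct-lo-1", "lo@example.com", "c-100")
    try:
        store.read("acct-lo-1", "someone-else@example.com", "c-100")  # no grant -> denied, still logged
    except PermissionError:
        pass
    return store.access_log("acct-lo-1")


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

The log is written from inside the authorization step rather than from the callers, which is the property that matters: there is no code path that reads or writes a record without producing an entry.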

4. Reject the data we don't need.

LO Radar does not need Social Security Numbers, credit reports, government IDs, or bank account numbers to do its job. We don't ask for them, and our CSV importer actively rejects rows that contain them. The less of that data we hold, the smaller the blast radius if anything ever goes wrong.
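Both the GLBA entry above ("we reject imports that contain them") and this principle describe an importer that refuses rows carrying data the product has no reason to hold. The following is an added example of such a pre-import filter, not LO Radar's importer: it refuses a whole file whose header names a forbidden column (SSN, account number, routing number, credit score, and so on) and rejects individual rows whose cells contain an SSN-formatted value or a bare nine-digit identifier, distinguishing ABA routing numbers by their published checksum. Column names, the forbidden-header list, and the sample rows are constructed for illustration.

```python
"""Added example (not LO Radar's code): refuse CSV rows and columns that
carry SSNs, bank account/routing numbers, government IDs or credit-report
fields before anything is stored. Forbidden-header list and sample data are
constructed for this example."""
import csv
import io
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Header names refused outright (compared after lowercasing and stripping punctuation).
FORBIDDEN_HEADERS = {
    "ssn", "socialsecurity", "socialsecuritynumber", "taxid", "tin",
    "accountnumber", "bankaccount", "routingnumber", "aba",
    "driverslicense", "passport", "passportnumber",
    "creditscore", "fico", "creditreport",
}
# Nine-digit values are legitimate here (ZIP+4), so those columns are not flagged.
ZIP_HEADERS = {"zip", "zipcode", "postalcode", "postal"}

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")   # 123-45-6789 anywhere in a cell
NINE_DIGITS_RE = re.compile(r"\b\d{9}\b")       # candidate SSN or ABA routing number


@dataclass
class ImportResult:
    accepted: List[dict] = field(default_factory=list)        # rows that passed
    rejected: List[Tuple[int, str]] = field(default_factory=list)  # (line number, reason)
    header_error: Optional[str] = None                         # set when the whole file is refused


def normalize_header(header: str) -> str:
    return re.sub(r"[^a-z0-9]", "", header.lower())


def is_aba_routing(value: str) -> bool:
    """ABA routing-number checksum: weights 3,7,1 repeating; weighted sum must be 0 mod 10."""
    if not re.fullmatch(r"\d{9}", value):
        return False
    weights = (3, 7, 1) * 3
    return sum(int(c) * w for c, w in zip(value, weights)) % 10 == 0


def classify_cell(header: str, value: str) -> Optional[str]:
    """Return a rejection reason for one cell, or None if the cell is acceptable."""
    v = value.strip()
    if SSN_RE.search(v):
        return "SSN-formatted value"
    if normalize_header(header) not in ZIP_HEADERS:
        m = NINE_DIGITS_RE.search(v)
        if m:
            return "ABA routing number" if is_aba_routing(m.group()) else "bare 9-digit identifier (possible SSN)"
    return None


def validate_import(csv_text: str) -> ImportResult:
    reader = csv.DictReader(io.StringIO(csv_text))
    result = ImportResult()
    bad = [h for h in (reader.fieldnames or []) if normalize_header(h) in FORBIDDEN_HEADERS]
    if bad:
        # A forbidden column means the file itself is the problem; refuse it without reading rows.
        result.header_error = f"forbidden column(s): {', '.join(bad)}"
        return result
    for line_no, row in enumerate(reader, start=2):  # line 1 is the header
        reason = None
        for header, value in row.items():
            cell_reason = classify_cell(header, value or "")
            if cell_reason:
                reason = f"{header}: {cell_reason}"
                break
        if reason:
            result.rejected.append((line_no, reason))
        else:
            result.accepted.append(row)
    return result


# Constructed sample input. 123456780 is a made-up number chosen to pass the ABA checksum.
SAMPLE_CSV = """first_name,last_name,email,zip,note,loan_amount
Ada,Lovelace,ada@example.com,902101234,closed 2021,350000
Bob,Smith,bob@example.com,10001,ssn 123-45-6789,275000
Cy,Jones,cy@example.com,60601,routing 123456780,410000
Dee,Khan,dee@example.com,73301,refi candidate,500000
"""

if __name__ == "__main__":
    r = validate_import(SAMPLE_CSV)
    print("header error:", r.header_error)
    print("accepted:", len(r.accepted))
    for line_no, reason in r.rejected:
        print(f"rejected line {line_no}: {reason}")
```

Rejecting on the header is the cheap, high-value check; the per-cell scan catches the common failure mode where a sensitive value has been pasted into a free-text notes column. The filter errs toward rejecting, which is the right bias for data you do not want to hold at all.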

Technical summary

How the system is built.

Encryption at rest: AES-256 on the production database and all backup snapshots.
Encryption in transit: TLS 1.2+ enforced on every endpoint. HSTS with a one-year max-age.
Data residency: United States only. Hosting on Hostinger (US), database on Supabase (US AWS).
Authentication: Email + password with optional SSO/SAML (Enterprise tier). 2FA available.
Backups: Daily encrypted snapshots, 30-day retention, separate AWS region.
Vendor DPAs: Data Processing Agreements with Hostinger, Supabase, Stripe, Resend.
Access log: Per-account, timestamped, includes engineering accesses. Available on request.
Account deletion: 30-day export window. Production deletion within 7 days. Backup expiry within 60 days.
Application-layer logging: No PII in error logs. No past-client data in any third-party analytics or tracing pipeline.
No advertising pixels: Zero advertising or behavioral tracking inside the signed-in LO Radar application.

Security FAQ

Questions we get from compliance officers.

01

Is past-client data encrypted at rest?

Yes. All past-client data is encrypted at rest with AES-256. The database is a managed Postgres instance (Supabase) on AWS infrastructure in the United States. Database backups are encrypted, retained for 30 days, and stored in a separate AWS region.

02

Does LO Radar send messages to my past clients on my behalf?

No. This is a first principle of LO Radar. We generate drafts; you send them from your own email, CRM, or phone. This preserves your existing TCPA contact-consent record, keeps you legally clean as the sender, and prevents the appearance of a third-party broker under RESPA Section 8.

03

Is LO Radar SOC 2 compliant?

We follow SOC 2 Type II control objectives in our internal practices (access logging, least-privilege internal access, encryption, change management, vendor DPAs), but we have not yet completed a formal third-party SOC 2 audit. For enterprise / branch deployments where a SOC 2 letter is a procurement requirement, talk to us — we can prioritize the audit if it unblocks a deployment.

04

How does LO Radar handle the Homebuyers Privacy Protection Act (HPPA)?

LO Radar operates on past-client data that you, as the originating loan officer, already legally possess. We do not purchase, broker, or aggregate trigger-lead data from credit bureaus or any third party — which is exactly the activity HPPA restricted as of March 4, 2026. Past-client intelligence is, in fact, the regulatorily clean alternative to the third-party trigger-lead market that HPPA closed.

05

What is your data residency?

All production data is stored in the United States. Specifically: application hosting on Hostinger (US data center), primary database on Supabase (US, AWS), email delivery via Resend (US). No data leaves the United States in the normal course of operations.

Compliance officer not satisfied? Email hello@techstackllc.info with the specific control you need addressed and we'll respond with documentation within one business day.