How We Keep Your Data Safe

Last updated: April 2026

RentManager NZ is built by a New Zealand landlord, for New Zealand landlords and property managers. Your property data, tenant details, and financial information deserve the same protection as your bank account. Here is how we look after it.

🇳🇿

Your data stays in New Zealand

Everything is stored on servers in Auckland. Your tenant information and financial records never leave the country.

🔒

We cannot see your password

Your password is scrambled before it is stored. Nobody at RentManager can read it - not even us.

👁

Nobody else can see your properties

Your data is completely separated from every other landlord's data. This is enforced by the database itself, not just our code.

🏦

We cannot touch your bank account

Bank sync is read-only - we can see transactions come in, but we cannot move money, make payments, or change anything.

📦

Daily backups

Your data is backed up every day and stored in a separate location within New Zealand. We keep 7 days of backups.

📨

We will tell you if something goes wrong

If there is ever a data breach, we will email you within 72 hours and report it to the NZ Privacy Commissioner.

Bank connection

You can import bank transactions via CSV upload from your bank. Live bank sync via NZ Open Banking (Consumer Data Right) is coming soon.

We only see your transactions - we cannot make payments or transfers.
When live sync is available, your bank credentials are never shared with us - you authorise access directly with your bank.
You can disconnect at any time from Settings.

Credit report data

If a prospective tenant uses our Apply portal to obtain a credit report, their data receives additional protections:

Credit checks only happen with explicit tenant consent - recorded with full audit trail.
Reports are stored encrypted at rest in AWS Auckland (AES-256).
Report contents are never sent by email - viewing is on-screen only via secure, time-limited links.
The tenant controls sharing - no landlord can see the report without the tenant's permission.
Reports expire after 30 days and sharing links become inactive.
We comply with the Credit Reporting Privacy Code 2020.

Your account security

Strong passwords: We require at least 12 characters. Your password is stored scrambled - we can never see it.
Two-factor authentication: You can add an extra layer of security using an authenticator app on your phone.
Lockout protection: After 5 wrong password attempts, the account is locked for 15 minutes to stop guessing attacks.
Automatic sign-out: If you have not used your account for 7 days, you will need to sign in again.
Google sign-in: Optionally sign in with your Google account instead of a password.

NZ compliance

We follow the Privacy Act 2020 and align our practices with the NZ Information Security Manual. All 13 Information Privacy Principles are addressed — see our Privacy Policy for the full mapping.

Technical details

For technically minded readers, here is more detail on how we implement the protections described above.

Encryption

In transit: TLS 1.2+. HTTP automatically redirected to HTTPS.
At rest: AES-256 on database volumes. S3 server-side encryption (SSE-S3) for documents.
Tokens: Bank OAuth tokens encrypted with AES-256-GCM, keys stored separately from the database.
Documents: Every uploaded file is hashed (SHA-256) for integrity verification.

Data isolation (Row-Level Security)

Every database query is scoped to your account using PostgreSQL Row-Level Security (RLS). This is a database-enforced boundary - even if an application bug occurs, it cannot expose another landlord's data. Each request sets the owner context before any query executes, and the database rejects any attempt to access rows belonging to a different account.

Application security

CSRF protection via double-submit cookie tokens.
Strict Content-Security-Policy, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, and Permissions-Policy headers.
Server-side input validation. File uploads are size-limited and content-type verified.
Server-rendered - no API keys, tokens, or secrets are ever sent to the browser.

Infrastructure

AWS ap-southeast-6 (Auckland). Dedicated compute, not shared hosting.
PostgreSQL 17 on encrypted EBS volumes with automated daily backups.
Database servers are not publicly accessible - internal network only.
Passwords hashed with bcrypt. Complexity requirements aligned with NIST SP 800-63B.
Geographic restrictions: Access is limited to a curated list of countries where our users live and travel. Requests from outside these regions are blocked at the application level to reduce attack surface.

Compliance frameworks

Framework	Status
NZ Privacy Act 2020	Compliant - all 13 IPPs addressed
NZISM	Aligned - encryption, access control, logging
NIST SP 800-63B	Aligned - password policy, MFA, sessions
NZ data sovereignty	Enforced - AWS Auckland only
Credit Reporting Privacy Code 2020	Compliant - tenant-initiated checks, explicit consent, encrypted storage
PCI DSS	Delegated to Stripe - we never handle card data

Found a vulnerability?

If you discover a security issue, please let us know at . We will respond within 48 hours and will not take legal action against anyone who reports issues in good faith.