Information Security Policy
Last updated: February 25, 2026
This Information Security Policy describes the measures Letted Ltd ("Letted", "we", "us", or "our") takes to protect the confidentiality, integrity, and availability of data held on the Letted platform.
1. Purpose
We build software that landlords trust with their property and tenant data. This policy sets out the security standards we hold ourselves to, covering infrastructure, application security, access controls, and how we respond when things go wrong.
2. Infrastructure and Hosting
- The platform is hosted on reputable cloud infrastructure providers with established security certifications.
- Data is encrypted in transit using TLS and at rest where appropriate.
- Production environments are logically separated from development and staging.
3. Access Controls
- Access to production systems is restricted to authorised personnel only.
- We use multi-factor authentication for all critical systems.
- Access rights are reviewed regularly and revoked promptly when no longer needed.
- We follow the principle of least privilege. Team members only have access to the data and systems they need for their role.
4. Application Security
- We follow secure development practices, including code review before changes are deployed.
- Dependencies are monitored for known vulnerabilities.
- User input is validated and sanitised to protect against common attack vectors such as injection and cross-site scripting.
- Authentication tokens and secrets are stored securely and never committed to source code.
5. Data Backups
- We maintain regular automated backups of all platform data.
- Backups are encrypted and stored separately from production systems.
- We periodically test backup restoration to make sure recovery works as expected.
6. Monitoring and Logging
- We monitor systems for unusual activity, errors, and performance issues.
- Logs are retained for a reasonable period to support security investigations and operational troubleshooting.
- Alerting is in place for critical events.
7. Vulnerability Management
- We keep software, frameworks, and operating systems up to date with security patches.
- Where a vulnerability is identified that affects the platform, we assess and address it promptly based on severity.
8. Endpoint Security
- Devices used by staff to access production systems are protected with encryption, screen locks, and up-to-date software.
- We do not store customer data on local devices.
9. Incident Response
If a security incident occurs, we follow our Incident Management Policy. This includes containment, investigation, notification where required, and a post-incident review to prevent recurrence.
10. Staff Awareness
All team members are expected to understand their security responsibilities. We discuss security practices as part of onboarding and on an ongoing basis as the team and platform evolve.
11. Review
This policy is reviewed at least once a year or following any significant security incident.
12. Contact
If you have questions about our security practices, contact:
Letted Ltd
22 St. Albans Road
Bristol, England, BS6 7SJ
Email: support@letted.com
