Compliance & trust
Moving money is a responsibility. We treat it like one.
Keystone is the technology and the experience. The regulated parts ride on licensed partners — and every action a user takes is captured as a timestamped, immutable record.
The model
We build the product. Licensed specialists hold the license.
Banking partner
A licensed banking/payments partner holds and moves the funds. Keystone is a technology provider, not a bank, and never takes custody of your rent.
Bureau partner
When a tenant opts in, on-time rent is reported through a partner bureau that is the furnisher of record under the FCRA.
Payments & ACH authorization
NACHA & Reg E, captured up front.
Recurring (autopay) and one-time debits require the tenant’s explicit authorization. Before any debit, we show the exact mandate — amount, schedule, and how to revoke — and store the verbatim text, timestamp, and IP as a permanent record. Autopay is revocable at any time, and a Regulation E error-resolution notice and EFT disclosure are always reachable in the app.
Instant payouts settle through real-time rails (RTP / FedNow) where available; otherwise next-rail ACH. Your rent goes to your bank — it never sits in a Keystone-held balance.
Credit reporting
Opt-in only. Off by default.
Rent reporting is disabled until a tenant turns it on. The moment they do, we record the consent and the disclosure version they saw. Reporting is furnished by our partner bureau — the FCRA furnisher of record — and tenants raise disputes through the partner’s portal; no dispute investigation runs on Keystone.
A tenant can turn reporting off at any time, and that change is itself a recorded event.
E-signature
ESIGN & UETA, owned by the platform.
Leases and disclosures are signed electronically under the federal ESIGN Act and state UETA. Keystone sends the signing request and the notifications, with the signing session and audit trail handled through our e-signature engine. Signers consent to electronic records before signing, and a complete, tamper-evident certificate is retained with the document.
Data & security
- 01 Tenant isolation, enforced in the database
Every record is scoped to its organization with PostgreSQL Row-Level Security — isolation is enforced at the data layer, not just in application code.
- 02 Encryption & secrets
Sensitive fields are encrypted at rest; transport is TLS end-to-end; credentials live in a managed secret store, never in source.
- 03 An immutable record of every consent
FCRA, ACH, and e-sign consents are written to an append-only ledger — they can never be altered or deleted, only added to. The lawsuit-shield is a database guarantee.
- 04 Least-privilege access
Role-based permissions on every action, with an audit trail. Webhooks from partners are signature-verified before they touch your data.
This page is a plain-English summary, not legal advice, and not a contract. The binding terms live in our Terms, Privacy Policy, and the in-app consent disclosures. Availability and specifics vary by state (currently TX, FL, GA).
