Security & Compliance

Your data. Your applicants. Secure.

Compliant with Article 22 of the General Data Protection Regulation (GDPR Art. 22). EU hosting, EU LLM, end-to-end encrypted. ISO 27001 and SOC 2 on the roadmap.

Eight pillars

How we build security in practice.

Compliance is the legal foundation. Tech is the implementation. The two have to fit together.

Compliance

GDPR Art. 22

No fully automated individual decisions about people. Letting decisions rest solely with you.

2024 DSK three-phase model

Following the three-phase model of the German data protection conference (DSK) from 2024: applicant data is processed in three clearly separated phases. Proof of income only after the viewing, ID copy only before the contract.

EU hosting

Servers in the EU, German region as the default. No data export to third countries without an adequacy decision.

Anti-profiling architecture

No AI scores, no ranking, no personality assessment. Rule-based hard-facts checks against your criteria.

Tech

End-to-end encryption

All applicant communication and every transferred document is encrypted. TLS 1.3 in transit, AES-256 at rest.

EU LLM for applicant data

An EU language model (Mistral, Paris) processes the sensitive applicant data: applicant chatbot, document extraction, classification. No training on your data.

DB-constraint compliance

A single criteria helper in the backend. Database constraints prevent automated score fields from being set at all.

Brand continuity

Applicants see you as the landlord, not “Locari” as a third party. No mention of the platform in the applicant process, no data passed on to marketing.

Self-commitment + roadmap

We commit to the highest standards.

What the law requires, we meet today. What gets certified comes with scale — communicated honestly, not staged as a marketing seal.

External certifications follow with scale. Until then: self-commitment documented, code architecture auditable, data-protection practice open in detail.

GDPR: Compliant

Legally required. Active today.

EU hosting: Active

EU region as the default. Active today.

ISO 27001: Roadmap 2027

Certification in preparation, once scale supports it.

SOC 2 Type II: Roadmap 2027

Audit groundwork under way. Realistic after ISO 27001.

Data flows

Who has access, and when.

Four paths, each documented. No hidden processors — the full list is in the Trust Center; US services are secured via EU standard contractual clauses.

From | To | Safeguard
Applicant | Locari (WhatsApp / email) | TLS 1.3 encrypted
Locari | Landlord (WhatsApp) | TLS 1.3 encrypted
Locari | ImmoScout24 · Kleinanzeigen | OAuth authentication
Locari backend | EU hosting · Mistral LLM | EU region · EU language model

No SCHUFA API and no automatic guarantor verification: the applicant brings their own credit report, Locari stores and displays it — without rating it.

Common security questions

What landlords ask most often.

Where are my data and my applicants’ data stored?

Sensitive applicant data is stored in the EU (German region as the default, EU-certified data centres) and processed by an EU language model (Mistral). A few services — app hosting/CDN (Vercel), the landlord assistant (Anthropic) and analytics (PostHog) — are located in the US and are secured via EU standard contractual clauses (SCC).

Is Locari GDPR-compliant?

Yes. Locari follows GDPR Art. 22 (no fully automated individual decisions about people) and the 2024 DSK three-phase model for applicant data. Letting decisions rest solely with the landlord. The architecture enforces this, not just the terms.

Which LLM does Locari use?

The sensitive applicant data — applicant chatbot, document extraction, classification — is processed by Mistral, hosted in the EU. The landlord assistant (e.g. viewing briefings) additionally uses Claude (Anthropic) via the Vercel AI Gateway; applicant data only feeds in there indirectly. No training on applicant data. The full list of services is in the Trust Center.

How is deletion of applicant data handled?

Automatically after the letting ends. Applicants who weren’t chosen are deleted in line with DSK 2024, at the latest once the selection process is complete. Chosen applicants’ data moves into the tenancy context and follows the retention periods that apply there.

Anti-profiling — what does that mean technically?

No ML scores, no personality assessment, no ranking. Locari checks your self-defined hard facts on a rule basis (number of people, income multiple, pets). A database constraint in the backend prevents automated score fields from ever being set.

What sets Locari apart from US providers?

A largely EU stack: EU hosting, EU database region, EU operations team and an EU language model (Mistral) for directly processing sensitive applicant data. A few services — such as Vercel and Anthropic for the landlord assistant as well as WhatsApp — are located in the US and are secured via EU standard contractual clauses (SCC). You’ll find the full list of processors in the Trust Center.

Get started

Security isn’t an add-on. It’s the foundation.

At Locari, GDPR, EU hosting and anti-profiling are anchored in the code — not hidden in the terms.


© 2026 Locari. A service by Ametis Digital GmbH.