Connecting AI to your AppFolio Property Manager and Google Workspace means giving a system access to lease data, financial records, tenant information, and internal communications. Before we write a single line of code, we need to understand what data we're touching, what regulations apply, and what controls must be in place.
This brief identifies the full compliance landscape for Team CORE's AI deployment. It maps every regulation that applies to your operations, classifies every data type by sensitivity, and defines the security controls that will be embedded into every agent we build — not bolted on afterward.
The goal is simple: zero surprises. Your team, your clients, and your data are protected from day one.
Eight regulations and platform policies govern how Team CORE can deploy AI agents. Each one has been assessed for applicability, priority, and specific requirements.
| Regulation / Policy | Requirements | Priority | Team CORE Application |
|---|---|---|---|
| Anthropic Claude API / AWS Bedrock |
Zero Data Retention (ZDR) mode available and must be enabled. Data sent to Claude API is not stored or used for training. AWS Bedrock provides additional data isolation layer. BAA available if needed. | Critical | Foundation of all AI processing. ZDR ensures no tenant, financial, or lease data is ever retained by the AI model. |
| AppFolio Terms of Service / API Usage Policy | Must comply with AppFolio's acceptable use of their Database API. Data accessed via API subject to AppFolio's data handling requirements. Rate limits, access controls, and audit requirements per AppFolio's terms. | Critical | Primary data source for leases, tenants, properties, financials, and work orders. API tier determines read vs. read/write access. |
| Michigan Identity Theft Protection Act MCL 445.61-445.77 |
Requires safeguarding personal identifying information. Breach notification within 30 days. Written security policy required. | High | Applies to tenant PII, employee data, and any investor data encountered. AI agents must never expose or store PII outside controlled systems. |
| Fair Housing Act | AI must not discriminate in tenant screening, communications, or lease decisions. No algorithmic bias in any tenant-facing AI output. | High | Any AI-generated tenant communications, renewal letters, or lease analysis must be reviewed for discriminatory language or bias. |
| Google Workspace Data Processing Agreement | Google's DPA governs how data in Google Drive and Gmail is accessed programmatically. AI agent must use OAuth 2.0 with minimum necessary scopes. Must comply with Google API Services User Data Policy. | High | AI agents accessing Google Drive documents, calendar, or email must request only the scopes needed and maintain audit trail of all access. |
| GLBA Gramm-Leach-Bliley Act |
If Team CORE handles financial data for clients, GLBA safeguards may apply. Requires written information security program. | Medium | Applies if financial data is shared with or from banking/institutional clients. Investment analysis reports and rent roll data may fall under this. |
| CAN-SPAM Act | AI-generated marketing emails must comply with federal email marketing law. Opt-out mechanism required. Physical address in email. No deceptive subject lines. | Medium | Applies to marketing drip campaigns and client outreach generated by AI. Sam's marketing workflows must include compliant footers and opt-out links. |
| SOC 2 Type II Best Practice |
Not legally required but increasingly expected by institutional clients. Demonstrates security controls, availability, and confidentiality. | Medium | Applies to AI infrastructure hosted on AWS. Institutional clients (Rehmann, etc.) may ask about SOC 2 compliance during due diligence. |
Every data type Team CORE handles has been classified by sensitivity level, AI access permission, and required controls. This classification drives every architecture decision.
| Data Type | Examples | Sensitivity | AI Access | Controls Required |
|---|---|---|---|---|
| Lease Data | Terms, rent amounts, expiration dates, renewal options, TI allowances | Medium | Yes — Core Function | Encryption, access control, audit trail |
| Tenant Business Info | Company name, suite, contact person, lease terms | Medium | Yes — Required | Encryption, role-based access |
| Tenant PII | SSN, EIN, personal addresses (if stored in AppFolio) | High | Limited — Redact | Sanitization before AI processing, encryption, access control |
| Financial Data (Property) | P&L statements, budgets, rent rolls, AR/AP | Medium-High | Yes — Budgeting | Encryption, role-based access, audit trail |
| Investor Data | Tax IDs, SSNs, bank accounts, distribution records | Critical | NO — Isolated | No AI connection. AppFolio Investment Manager stays completely separate. |
| Work Orders | Maintenance requests, vendor info, property issues | Low-Medium | Yes — Maintenance | Basic access control |
| Employee Data | Payroll, personal info, performance records | High | NO — Not in Scope | Not connected to AI pipeline |
| Market Data (CoStar) | Comps, market trends, property research data | Low | Future Phase | Third-party ToS compliance, read-only access |
| Communications | Emails, chat messages, calendar events | Medium | Limited — Consent | OAuth scopes, user consent, audit trail |
Six security controls will be embedded into every AI agent built for Team CORE. Each one addresses a specific compliance requirement identified in the regulatory landscape above.
At rest: AES-256 via AWS KMS with customer-managed keys. All stored outputs, logs, and cached data encrypted.
In transit: TLS 1.2+ for all API calls — AppFolio, Google Workspace, and AWS Bedrock.
Google Drive: Already encrypted by Google; our agent adds an additional access control layer.
Two-factor authentication required for all AI access (matching Team CORE's existing Google Auth + SMS setup).
Role-based access: Admin (Matt/Kevin) — full config + all data. Manager (Amanda/Zach) — property management. Broker (Phil/Sam) — transactions/leases. Maintenance — work orders only.
OAuth 2.0 for Google Workspace; API key management for AppFolio Database API.
All AI processing via AWS Bedrock with Claude (ZDR enabled). No data stored by the AI model. No data used for model training.
Prompts and responses are ephemeral — not persisted outside our controlled environment. When the request completes, the data is gone.
Tenant SSNs and EINs redacted before AI processing (if encountered in AppFolio data).
Investor data never enters the AI pipeline. Investment Manager data is completely isolated.
Financial amounts preserved (needed for analysis) but access-controlled per role. Email addresses and phone numbers handled per role permissions.
Every AI action logged: who requested, what data was accessed, what output was generated, timestamp.
Logs stored encrypted, retained for minimum 3 years. Available for review by leadership at any time.
All AI-generated external communications (renewal letters, tenant notices, marketing emails) held for human review before sending.
AI generates draft → team member reviews → approves or edits → then sends. No autonomous external communication without human approval.