Information Security Solutions

We offer the Cartus Privacy Promise as our commitment to keeping your information safe and secure via our people, processes, and technology. Our information security initiatives derive from an integrated strategy developed, implemented, updated, and controlled by our own staff.

Increased security through verification and controls

The effectiveness of our approach has been validated by numerous client reviews (which includes many of the largest companies in the world—including more than 50 percent of the Fortune 50) as well as by external audits such as SOC 2 Type 2 security compliance, and SSAE 16 (formerly SAS 70) and ISAE 3402 compliance. Cartus was also one of the first organizations to register for the EU-U.S. Privacy Shield Framework—a program developed by the United States Department of Commerce and the European Commission to safeguard the personal data of EU citizens.

Regarding the impending EU General Data Protection Regulation (GDPR), which will replace the 1995 Data Protection Directive on May 25, 2018, Cartus is already working on a number of areas in our role as a processor for our clients to aid their readiness for GDPR compliance. Please see our GDPR blog post for more information.

Personal Security

  • Policy and process is part of the culture
  • 100% of Cartus employees are trained annually on business ethics, privacy/security, and anti-corruption/bribery
  • Background and criminal checks mandatory
  • Additional screening can be completed as required

Managing Access

  • Employ Principle of Least Privilege
  • Separation of functions so no manipulation of systems
  • All access is profile based
  • All access requires manager approval
  • All access reviewed by controller for separation of duties
  • Privileged access reviewed quarterly

Securing Infrastructure

  • Defense in depth strategy
  • Firewall, IP5, DMZ
  • Server and endpoint security
  • Authenticated Web browsing
  • Encryption of data at rest and in transmission
  • Incident monitoring and response
  • Mature Vulnerability Assessment Program
  • Realogy security operations center
  • Splunk and QRadar

Continuing Operations

  • Encrypted backups done almost in real-time to DR facility
  • One hour RPO
  • SunGard disaster recovery facility
  • Annual disaster recovery testing
  • Annual client-ready report
  • Ten years of recovery testing
  • Business Continuity Testing


  • Ethical Hacking
  • Penetration Testing
  • Phishing Training
  • Privacy Shield Certified (EU and Swiss)
  • SOC1 Type-2 (SSAE16)
  • SOC2 Type-2
  • GDPR Preparation
  • ISAE 3402
  • Cyber Essentials (UK)
  • Client audits and assessments - more than 200 per year
  • Formal vulnerability management program