Protecting Your Leasing Data

Enterprise Security in a SaaS Environment

Hightower is a leasing management platform that brings all constituents of the leasing process together to collaborate in one place. Leasing teams, asset managers, and portfolio managers now have one platform to work in real-time.

This whitepaper explains the various information security measures that protect your critical portfolio data:

  • A flexible permission and access model that allows customers to precisely control the information available to each user.
  • Robust account protections that ensure only authorized users have access to the platform.
  • Technological and managerial safeguards that Hightower has deployed to further protect your data.

We know that data is mission critical to the success of your leasing business, so the Hightower platform is designed to make that data simultaneously accessible and secure.

Rich permissions model

Administrators control access to their portfolio information via the Hightower administration interface, which allows them to add and remove users, and set individual user permissions and access rights on a per-asset basis.

Permissions levels

Admins set one of four different permission levels for each user on a given asset:

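| Level               | Access     | Invite Others | Administer Asset |
|---------------------|------------|---------------|------------------|
| Read-Only           | Read-Only  | No            | No               |
| Read-Write          | Read-Write | No            | No               |
| Read-Write & Invite | Read-Write | Yes           | No               |
| Administrator       | Read-Write | Yes           | Yes              |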

Access rights

Admins also set the scope of each user's access to asset data:

  • The user may see and report on new and “in-house” deals, i.e., relocation, renewal, expansion, and contraction deals.
  • The user may access tenant “rent roll” information. This includes financial and non-financial terms, occupied spaces, and other insights.
  • The user may access budget information on the designated asset for reference and side-by-side deal financial analysis.

File sharing controls

Users can enable or disable sharing for each file associated with an asset or space, allowing fine-grained control of confidential information.

In addition to the framework above, Hightower also maintains a full change log of every change made in the application to provide full visibility into user activity.

Account protection

Hightower implements a variety of security features to protect against unauthorized access to your account:

Two-factor protection

Two-factor authentication is an additional level of security that protects your Hightower account during login. The first level of security is your password; the second is a token generated by an authenticator app on your phone.

Single sign-on

Hightower supports single sign-on (SSO) via the SAML 2.0 open standard. This streamlines user provisioning and deprovisioning, and allows customers to access Hightower with their corporate login credentials.

Account activity alerts

Users are notified of account activity by email when any security-sensitive events occur, such as password changes or account lock-outs.

Session management

Users can monitor and control active login sessions from any web browser. If a mobile computing device is lost, active sessions can be immediately terminated to prevent unauthorized access.

Domain whitelisting

Administrators can restrict user invitations to a whitelist of approved email domains (e.g., This feature prevents accidentally adding Bob Smith at Company A, when you really meant Bob Smith at Company B.

Touch ID

Hightower supports Touch ID on iPhone 5+ to provide biometric protection of login credentials.

Security safeguards

Hightower utilizes a range of advanced technological and managerial safeguards to protect your data:

End-to-end encryption

Hightower uses the Secure Sockets Layer (SSL/TLS) to encrypt data in transit. We use strong ciphers and enable perfect forward secrecy on supported clients. Authentication cookies are flagged as secure, and we have set an HTTP Strict Transport Security (HSTS) policy on all HTTPS endpoints. We encrypt all data at rest using 256-bit Advanced Encryption Standard (AES).

Robust cloud infrastructure

Hightower is built using Amazon Web Services (AWS), a proven, secure, and scalable cloud infrastructure platform, certified to SSAE16/SOC1, SOC2, ISO9001 and PCI DSS1 standards.

Third-party security assessments

A specialist independent security firm performs regular and comprehensive audits of Hightower’s application security.

Audit capabilities

All application and administrative activity is logged, with attribution to end user, timestamp, and IP address.

Employee background checks

New hires undergo a stringent set of educational, professional and criminal background checks to ensure they meet the required educational and competency levels.

Security awareness training

Employees undergo a comprehensive security education program during onboarding and annually, with specialist OWASP training for engineering staff.

Operational controls

Hightower’s dedicated Security Team has implemented a comprehensive information security program aligned with the Cloud Controls Matrix v3.


The Hightower platform has been designed to help commercial landlords and brokers collaborate effectively and in real-time, while providing security and peace of mind.

If your organization requires a more detailed presentation of Hightower’s security program, please contact your account executive.
