InterVal — Property Valuation Solution
Security

Is Your Valuation Data Safe in the Cloud? A CTO's Guide to Security for Valuation Firms

Dustin Rawlins, Head of Technology & Security, InterVal · 8 min read

In short

Yes — valuation data can be safer in the cloud than on a laptop or in an inbox, provided the platform is built for it: encryption in transit and at rest, strict access control, reputable audited hosting, clear data residency, tested backups, an activity audit trail, and unambiguous data ownership. For most firms the real risk is not the cloud but the unmanaged spreadsheet-and-email workflow it replaces.

Whenever I talk to a valuation firm weighing up software, the same worry surfaces — usually not first, but always eventually, and always in a lower voice: "Is our data actually safe up there?" Behind it sits a real and reasonable fear. A valuation file is some of the most sensitive information a professional handles: client identities, property details, financials, lending decisions, opinions that move money. Handing that to "the cloud" can feel like handing your keys to a stranger.

I have spent my career on the other side of that fear. The technology firm I run builds business-intelligence and compliance software for multinational banks and mining companies — environments where a data breach is not an embarrassment but a regulatory event, and where security is designed in from the first line of code, not bolted on before launch. That is the lens I bring to security at InterVal, and it is the lens I want to hand you in this article: not a sales pitch, but a practical framework for judging whether any valuation platform — ours or anyone else's — is safe enough for your clients' data.

The question is not "cloud or not" — it is "managed or not"

The instinct to keep data "in-house, where I can see it" is understandable, but it rests on a misconception. For the overwhelming majority of valuation practices, the realistic alternative to a well-run cloud platform is not a hardened private server. It is a laptop, a handful of USB sticks, an email inbox, and a shared drive that nobody has audited in years.

Ask honestly where valuation data actually leaks today and the answer is rarely a breached data centre. It is a laptop left on a train. An unencrypted USB drive that goes missing. A report emailed to the wrong "John". A departing employee whose access to the shared folder was never revoked. A personal cloud-storage account used "just this once". The spreadsheet-and-email workflow most firms trust because it feels close and controllable is, in security terms, often the weakest link of all. (I made the broader operational case for moving on from it in valuation software vs. spreadsheets; the security case is just as strong.)

A professionally run cloud platform flips that picture. Your data sits in data centres with physical and digital security no individual firm could reproduce, protected by controls that work whether or not anyone remembered to switch them on. The right question, then, is not "cloud or not?" It is: "is this platform genuinely built and managed for security — and how do I check?"

What real cloud security looks like

Here are the seven things that actually determine whether a valuation platform protects your data. None of them are exotic; all of them are things a serious vendor should be able to explain to you in plain language.

Infographic of the seven pillars of valuation data security in the cloud: encryption in transit and at rest, access control and authentication, reputable audited hosting, data residency, backups and recovery, activity audit trail, and clear data ownership
Seven things that determine whether a valuation platform actually protects your data.

1. Encryption, in transit and at rest

Data moves (between your browser and the platform) and data rests (stored on disk). Both must be encrypted. "In transit" means every connection uses TLS, so nothing readable travels across the network. "At rest" means the stored data is encrypted on the servers, so a stolen disk is useless without the keys. This is table stakes — but ask the question explicitly, because "table stakes" is exactly the kind of thing that quietly gets skipped.

2. Access control and authentication

Who can open a file, and how do they prove they are who they claim to be? A secure platform enforces the principle of least privilege — people see only what their role requires — and supports strong authentication, ideally multi-factor. Just as important is revocation: when someone leaves, their access should end immediately and completely, not linger in a shared password nobody changes. This is precisely the control the spreadsheet-and-shared-drive world does worst.

3. Reputable, audited hosting

Almost no software company builds its own data centres; serious ones run on infrastructure from major cloud providers whose facilities carry independent security certifications such as ISO 27001 and SOC 2. That matters because it means the physical security, network hardening and operational controls beneath the platform have been audited by third parties, not merely asserted by the vendor. Ask a vendor where and on what their platform runs — a confident, specific answer is itself a good sign.

4. Data residency and sovereignty

Where, geographically, does your data live — and does that satisfy the rules you operate under? For firms subject to the UK GDPR, the EU GDPR, Singapore's PDPA or similar regimes, the physical and legal location of data is not a technicality; it can be a compliance requirement. A mature platform can tell you which jurisdiction hosts your data and how cross-border transfers are handled.

5. Backups, resilience and recovery

Security is not only about keeping bad actors out; it is about never losing your work. Ask two plain questions: if a server fails, how much data could I lose, and how quickly can I be working again? Good answers involve automated, regularly tested backups and redundancy, so a hardware failure or an accidental deletion is an inconvenience, not a catastrophe. A single laptop with an occasional manual backup offers none of this.

6. An activity audit trail

Every meaningful action — who opened, edited, exported or shared a file, and when — should be logged. In valuation this is doubly valuable: it is a security control and a compliance asset, the same audit trail the RICS Red Book expects you to be able to produce years later. (I would rather the record write itself as you work than be reconstructed after a challenge; that is the whole argument of our guide to Red Book compliance.) Security logging and professional defensibility turn out to be the same discipline.
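As an added example (not InterVal's code or any vendor's export format), the check below combines points 2 and 6: it reads an audit trail and flags any activity by a user at or after the moment their access should have been revoked. The CSV layout, user names and file IDs are constructed for illustration.

```python
from datetime import datetime, timezone

# Constructed sample data (hypothetical schema, not a real platform export).
OFFBOARDED = {  # user -> moment access should have ended
    "j.smith": datetime(2024, 3, 1, 17, 0, tzinfo=timezone.utc),
}
AUDIT_LOG = """\
2024-02-28T09:12:00+00:00,j.smith,open,VAL-1001
2024-03-01T16:59:00+00:00,j.smith,export,VAL-1001
2024-03-04T08:30:00+00:00,j.smith,open,VAL-1002
2024-03-04T08:31:00+00:00,j.smith,export,VAL-1002
2024-03-04T10:00:00+00:00,a.khan,edit,VAL-1002
not,a,valid,line
"""

def parse_log(text):
    """Return (events, rejected): parsed tuples and lines that failed to parse."""
    events, rejected = [], []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split(",")]
        try:
            ts_raw, user, action, file_id = parts  # wrong field count raises
            ts = datetime.fromisoformat(ts_raw)
            if ts.tzinfo is None:
                raise ValueError("timestamp without timezone")
        except ValueError:
            # Keep unparseable lines visible: silent drops hide gaps in the trail.
            rejected.append(line)
            continue
        events.append((ts, user, action, file_id))
    return events, rejected

def post_revocation_activity(events, offboarded):
    """Events by a departed user at or after their access end time."""
    return [e for e in events if e[1] in offboarded and e[0] >= offboarded[e[1]]]

if __name__ == "__main__":
    events, rejected = parse_log(AUDIT_LOG)
    for ts, user, action, file_id in post_revocation_activity(events, OFFBOARDED):
        print(f"ALERT {ts.isoformat()} {user} {action} {file_id}")
    print(f"{len(rejected)} unparseable line(s) need manual review")
```

Any alert from a check like this means revocation did not take effect when it should have; rejected lines deserve the same attention, because a log that cannot be read cannot be relied on.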

7. Clear data ownership and a processor stance

Read the fine print on one point above all: you own your data. The vendor should act as a data processor on your behalf, never claim ownership of your files, let you export your data in a usable form whenever you want, and delete it on request. If a platform is evasive about who owns the data or how you get it back, treat that as a red flag regardless of how good the encryption is.

The questions to ask any valuation software vendor

You do not need to be a security engineer to hold a vendor to account. Take these questions into any demo and listen for clear, specific answers rather than reassuring adjectives:

  • Is my data encrypted both in transit and at rest?
  • Where is my data physically hosted, and on whose infrastructure?
  • What certifications does that hosting hold (for example ISO 27001, SOC 2)?
  • How do you control access, and do you support multi-factor authentication?
  • How and how quickly is access revoked when a team member leaves?
  • What is your backup and disaster-recovery process, and how often is it tested?
  • Which jurisdiction's data-protection rules apply, and where does my data reside?
  • Do I own my data, can I export it, and will you delete it on request?
  • Is there an audit log of who did what, and can I see it?

A vendor who welcomes these questions and answers them plainly is telling you something important about how they build. A vendor who deflects is telling you something too.

A property professional reviewing data security and access controls for confidential valuation files on a laptop in a modern office
You do not need to be a security expert to ask the right questions — you need to insist on clear answers.

How we think about security at InterVal

I will not use this article to make claims I would not want you to test, so let me be straightforward about our approach rather than dressing it up. InterVal is a cloud platform, and we build it with the same security mindset my team applies to compliance software for banks and mining firms — sectors where getting data protection wrong is not an option. Your clients' data is treated as exactly what it is: confidential, regulated information that belongs to you, not to us.

Concretely, that shapes the product in ways this whole article has described. A valuation lives as one structured assignment rather than scattering across laptops, inboxes and drives, so there are fewer places for it to leak. Access is controlled rather than shared. And the audit trail that makes a file defensible under the Red Book is the same record that tells you who touched what — security and compliance built from one foundation. You can see the kind of output that process produces in our sample reports, and how practitioners work with it day to day in our FAQ.

Most of all, I would rather you interrogate us than take my word for it. If your firm has specific security or data-protection requirements — a jurisdiction you must host in, a policy your clients impose, a question from your own compliance team — put them to us directly. The questions above are the ones I would ask in your position, and they are exactly the ones we are built to answer.

The bottom line

The fear that the cloud is inherently risky gets the picture almost exactly backwards. A well-built, well-managed cloud platform is, for nearly every valuation firm, a substantial upgrade to data security over the laptop-and-email reality it replaces — encrypted, access-controlled, backed up, logged and hosted on audited infrastructure, none of which depends on anyone remembering to do the right thing on a busy day. The risk was never "the cloud" in the abstract. It was the unmanaged workflow the cloud, done properly, leaves behind. Ask the hard questions, insist on clear answers, and choose the platform that treats your clients' data with the seriousness it deserves.

This article is provided for general information and reflects good-practice principles at the date of publication. It is not legal or compliance advice; data-protection obligations vary by jurisdiction, so always confirm your specific requirements under the rules that apply to your firm and refer to current guidance from the relevant authorities.

Frequently asked questions

Is it safe to store property valuation data in the cloud?

Yes, if the platform is built for it — and for most firms it is safer than the laptop-and-email alternative. Look for encryption in transit and at rest, strict access control, reputable audited hosting, tested backups and a full activity audit trail. Valuation data rarely leaks from a breached data centre; it leaks from lost laptops, misdirected emails and shared drives nobody audits.

What security features should property valuation software have?

Seven essentials: encryption both in transit (TLS) and at rest, access control on the principle of least privilege with multi-factor authentication and fast revocation, hosting on reputable infrastructure with independent certifications (such as ISO 27001 or SOC 2), clear data residency, automated and regularly tested backups, an activity audit trail of who did what and when, and an unambiguous stance that you own your data.

Is cloud valuation software GDPR compliant?

Compliance depends on how a platform is configured and used, not on a label a vendor prints. What matters is where your data physically resides, whether there is a proper data-processing agreement with the vendor acting as processor, and whether you retain your rights to export and erasure. Ask which jurisdiction's rules apply (UK GDPR, EU GDPR, Singapore's PDPA and so on) and where your data is hosted.

Who owns my data in a cloud valuation platform?

You do. A reputable vendor acts only as a data processor on your behalf, never claims ownership of your files, lets you export your data in a usable form whenever you want, and deletes it on request. If a platform is evasive about data ownership or how you get your data back, treat that as a red flag regardless of how strong its encryption is.

What happens to my valuations if the cloud provider has an outage?

On a well-built platform, automated and regularly tested backups plus redundancy mean a hardware failure or accidental deletion is an inconvenience, not a loss. Ask any vendor two plain questions: how much data could I lose if a server fails, and how quickly could I be working again? A single laptop with occasional manual backups offers none of that protection.
