Reference appendix · backs the data-security layer of the model

The Document Sensitivity Matrix.

Every document in a residential transaction, scored on how exposed it is and how much damage its leak would do. This is the map of where Mantle must be careful - and where the agent's email inbox is already the weakest link in the chain.

23 documents tracked across bid → closing
3 Tier 3 - private, fraud-enabling (SSN, tax returns, the Note)
5 wire-fraud / BEC targets
2 run custody through agent/buyer email
8 trigger NY/CT breach duties (GLBA / SHIELD)

Risk concentration

The danger clusters in one corner.

All 23 documents placed by how hard they are to obtain (access) and how much harm a leak does (exploitability). The number in each cell is how many documents sit there. Everything dangerous lives in the top-right, and it is a small, nameable set.

Documents plotted by access and exploitability; risk concentrates top-right.

| Exploitability ↑ / Access → | 1 · public | 2 · restricted | 3 · private |
|---|---|---|---|
| 3 · high | 0 | 4 (Tier 2, wire) | 3 (Tier 3) |
| 2 · moderate | 1 (Tier 2) | 5 (Tier 2) | 0 |
| 1 · low | 9 (Tier 1) | 1 (Tier 2) | 0 |

Access rises left to right, exploitability bottom to top. The nine low-risk documents (bottom-left) are public property records. The wire-fraud cluster (four documents, top-middle) and the three Tier-3 documents (top-right: Form 1003, underwriting file, the Note) are where custody has to be hardened.

The matrix

Scored by access × exploitability, with five overlay risk factors.

Composite tier drives the row color. Access = how hard the document is to obtain (1 public → 3 private). Exploit = how much harm its exposure causes (1 none → 3 fraud-enabling). The overlay columns capture what a single tier number misses - whether harm is reversible, how long the document stays dangerous, who holds it, and whether a leak triggers a statutory breach notice.

Legend: Tier 1 - low / public · Tier 2 - restricted · Tier 3 - private / fraud-enabling · wire-fraud target · email custody

Phase 1: Bid

| Tier | Document | Stage | Acc | Exp | Aggregation | Reversibility | Time-decay | Custody | NY/CT reg | Tags | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|
| T1 | Purchase Offer / Agreement (draft) | Submit Offer | 1 | 1 | Low | Reversible | Long | Agent/Buyer email | No | email custody | Becomes public record once recorded; terms not identity-sensitive |
| T2 | Pre-Approval Letter | Submit Offer | 2 | 2 | Medium | Reversible | Short | Buyer/Lender | No | - | Lender name + approved amount; not in public DB but not independently fraud-actionable |
| T2 | Proof of Funds (bank/brokerage statement) | Submit Offer | 2 | 3 | High | Irreversible | Short | Buyer/Agent email | Yes (GLBA) | wire-fraud target, email custody | Account numbers + balances; classic wire-fraud setup target |
| T2 | Earnest Money Deposit (wire/check) | Submit Offer | 2 | 3 | High | Irreversible | Short | Escrow/Title/Attorney | Yes (GLBA) | wire-fraud target | Wire instructions are the #1 target for real estate wire fraud (BEC schemes) |
| T1 | Buyer's Agency Agreement | Submit Offer | 1 | 1 | Low | Reversible | Long | Agent/Buyer | No | - | Standard representation contract, no financial data |
| T2 | Personal Letter to Seller | Submit Offer | 1 | 2 | Medium | Reversible | Short | Agent/Seller | No | - | Voluntarily disclosed but can reveal more than intended; fair housing concerns |
| T1 | Escalation Addendum | Submit Offer | 1 | 1 | Low | Reversible | Short | Agent/Buyer | No | - | Pricing mechanics only |

Phase 2: Closing Process

| Tier | Document | Stage | Acc | Exp | Aggregation | Reversibility | Time-decay | Custody | NY/CT reg | Tags | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|
| T1 | Purchase & Sale Agreement (signed) | Executed Contract (Day 0-5) | 1 | 1 | Low | Reversible | Long | Attorney/Title | No | - | Public record post-closing via deed reference |
| T3 | Form 1003 (URLA) | Mortgage Application (Day 1-3) | 3 | 3 | High | Irreversible | Long | Lender | Yes (GLBA, SHIELD Act) | - | SSN, full income/asset/employer history, citizenship status - among the most sensitive docs in the process |
| T2 | Escrow Receipt | Earnest Money Deposited (Day 1-3) | 2 | 2 | Medium | Reversible | Short | Escrow/Title | Yes (GLBA) | wire-fraud target | Confirms amount in escrow; tied to wire-instruction risk upstream |
| T1 | Inspection Report | Home Inspection (Day 5-14) | 1 | 1 | Low | Reversible | Long | Agent/Buyer | No | - | Property condition data only |
| T1 | Repair Addendum | Home Inspection (Day 5-14) | 1 | 1 | Low | Reversible | Short | Agent/Buyer/Seller | No | - | Negotiation terms tied to property, not person |
| T2 | Title Commitment / Prelim Report | Title Search (Day 10-21) | 2 | 2 | Medium | Reversible | Long | Title Company | No | - | Compiled from public county records but distributed via paywalled title DB |
| T2 | Appraisal Report | Appraisal (Day 14-21) | 2 | 2 | Medium | Reversible | Short | Lender/Appraiser | No | - | Comp data is database-driven; tied to loan file but not independently fraud-actionable |
| T3 | VOE / VOA / Bank Statements / Tax Returns | Underwriting (Day 21-30) | 3 | 3 | High | Irreversible | Long | Lender Underwriting | Yes (GLBA, SHIELD Act) | - | Deepest exposure point: SSNs, account numbers, employer HR contacts, years of tax returns |
| T2 | Loan Commitment Letter / Clear to Close | Underwriting (Day 21-30) | 2 | 2 | Medium | Reversible | Short | Lender | No | - | States approved terms; less granular than underlying source docs |
| T2 | Homeowner's Insurance Binder | Insurance (Day 20-30) | 2 | 1 | Medium | Reversible | Long | Buyer/Insurer | No | - | Property + coverage detail; policy number present but not independently actionable |
| T2 | Closing Disclosure (CD) | Closing Disclosure (Closing -3 days) | 2 | 3 | High | Irreversible | Short | Lender/Title/Attorney | Yes (GLBA, SHIELD Act) | wire-fraud target | Single document aggregating loan terms, account numbers, partial SSN, wire destination - most spoofed doc in closing fraud |
| T1 | Walkthrough Checklist | Final Walkthrough | 1 | 1 | Low | Reversible | Short | Agent/Buyer | No | - | No personal data, property condition only |
| T1 | Deed | Closing Day | 1 | 1 | Low | Reversible | Long | Title/County Recorder | No | - | Becomes public record upon recording |
| T1 | Mortgage / Deed of Trust | Closing Day | 1 | 1 | Low | Reversible | Long | Title/County Recorder | No | - | Becomes public record upon recording |
| T3 | Promissory Note | Closing Day | 3 | 3 | High | Irreversible | Permanent | Lender (private) | Yes (GLBA) | - | Stays private; full borrower obligation terms + signature, never recorded |
| T2 | Settlement Statement (final CD/ALTA) | Closing Day | 2 | 3 | High | Irreversible | Short | Title/Escrow | Yes (GLBA, SHIELD Act) | wire-fraud target | Full fund-flow detail including wire destinations for all parties |

The product reading. The dangerous documents cluster in two places - the financing/underwriting stretch (Form 1003, VOE/VOA, tax returns) and the closing window (Closing Disclosure, Settlement Statement, wire instructions). The matrix's own verdict: the breach point is rarely the lender or title system - it is the agent's inbox. That is the gap Mantle's deal room closes.

The rubric

How each score is defined.

Access difficulty

| Tier | Definition | Test question | Example |
|---|---|---|---|
| 1 | Freely public or no restriction to access | Could someone get this from a free public source? | Occupation, recorded deed, inspection report |
| 2 | Restricted / paywalled / requires credential | Does access require a subscription, membership, or professional license? | MLS data, title commitment, appraisal report |
| 3 | Privately held, not accessible without authorization | Is this never available outside the transacting parties? | SSN, bank account numbers, tax returns |

Exploitability

| Tier | Definition | Test question | Example |
|---|---|---|---|
| 1 | No meaningful harm if exposed | Does exposure cause no direct financial or identity harm? | Property condition, negotiation terms |
| 2 | Moderate harm - reputational or competitive, not directly fraud-enabling | Would exposure mainly cause inconvenience or competitive disadvantage? | Pre-approval amount, appraisal value |
| 3 | Directly enables identity theft, account takeover, or financial fraud | Could this alone, or with one other leaked document, enable impersonation or fund redirection? | SSN, wire instructions, full tax returns |

Overlay risk factors

| Factor | Description | Values | Why it matters |
|---|---|---|---|
| Aggregation Risk | Whether the document becomes materially more dangerous when combined with other tier-1/2 items (e.g., name + address + closing date) | Low / Medium / High | A document can be low-sensitivity alone but high-risk in combination - captures wire-fraud spoofing setups |
| Reversibility of Harm | Whether the damage from exposure can be undone | Reversible / Irreversible | SSN exposure and wired funds are largely irreversible; inspection report leaks are fully containable |
| Time-Decay Window | How long the document remains sensitive after issuance | Short / Long / Permanent | Wire instructions are catastrophic the day before closing, irrelevant a week after; the Note never expires |
| Custody Risk | Which party/system holds the document, and how hardened that system is | Named custodian | Agent email inboxes are the most common breach point, not lender/title systems |
| Regulatory Exposure (NY/CT) | Whether compromise triggers breach notification or compliance obligations | Yes / No, statute cited | GLBA (financial institutions) and NY SHIELD Act / CT breach statute impose disclosure duties independent of fraud risk |