Reference appendix · backs the data-security layer of the model
The Document Sensitivity Matrix.
Every document in a residential transaction, scored on how exposed it is and how much damage its leak would do. This is the map of where Mantle must be careful - and where the agent's email inbox is already the weakest link in the chain.
Risk concentration
The danger clusters in one corner.
All 23 documents placed by how hard they are to obtain (access) and how much harm a leak does (exploitability). The number in each cell is how many documents sit there. Everything dangerous lives in the top-right, and it is a small, nameable set.
The matrix
Scored by access × exploitability, with five overlay risk factors.
Composite tier drives the row color. Access = how hard the document is to obtain (1 public → 3 private). Exploit = how much harm its exposure causes (1 none → 3 fraud-enabling). The overlay columns capture what a single tier number misses - whether harm is reversible, how long the document stays dangerous, who holds it, and whether a leak triggers a statutory breach notice.
Click a column header to sort. Click a heatmap cell above to filter by tier.
| Document ▲ | Acc ▲ | Exp ▲ | Aggregation ▲ | Reversibility ▲ | Time-decay ▲ | Custody ▲ | NY/CT reg ▲ | |
|---|---|---|---|---|---|---|---|---|
| Phase 1: Bid | ||||||||
| T1Purchase Offer / Agreement (draft) email custodySubmit Offer | 1 | 1 | Low | Reversible | Long | Agent/Buyer email | No | |
| Becomes public record once recorded; terms not identity-sensitive | ||||||||
| T2Pre-Approval LetterSubmit Offer | 2 | 2 | Medium | Reversible | Short | Buyer/Lender | No | |
| Lender name + approved amount; not in public DB but not independently fraud-actionable | ||||||||
| T2Proof of Funds (bank/brokerage statement) wire-fraud target email custodySubmit Offer | 2 | 3 | High | Irreversible | Short | Buyer/Agent email | Yes (GLBA) | |
| Account numbers + balances; classic wire-fraud setup target | ||||||||
| T2Earnest Money Deposit (wire/check) wire-fraud targetSubmit Offer | 2 | 3 | High | Irreversible | Short | Escrow/Title/Attorney | Yes (GLBA) | |
| Wire instructions are the #1 target for real estate wire fraud (BEC schemes) | ||||||||
| T1Buyer's Agency AgreementSubmit Offer | 1 | 1 | Low | Reversible | Long | Agent/Buyer | No | |
| Standard representation contract, no financial data | ||||||||
| T2Personal Letter to SellerSubmit Offer | 1 | 2 | Medium | Reversible | Short | Agent/Seller | No | |
| Voluntarily disclosed but can reveal more than intended; fair housing concerns | ||||||||
| T1Escalation AddendumSubmit Offer | 1 | 1 | Low | Reversible | Short | Agent/Buyer | No | |
| Pricing mechanics only | ||||||||
| Phase 2: Closing Process | ||||||||
| T1Purchase & Sale Agreement (signed)Executed Contract (Day 0-5) | 1 | 1 | Low | Reversible | Long | Attorney/Title | No | |
| Public record post-closing via deed reference | ||||||||
| T3Form 1003 (URLA)Mortgage Application (Day 1-3) | 3 | 3 | High | Irreversible | Long | Lender | Yes (GLBA, SHIELD Act) | |
| SSN, full income/asset/employer history, citizenship status - among the most sensitive docs in the process | ||||||||
| T2Escrow Receipt wire-fraud targetEarnest Money Deposited (Day 1-3) | 2 | 2 | Medium | Reversible | Short | Escrow/Title | Yes (GLBA) | |
| Confirms amount in escrow; tied to wire-instruction risk upstream | ||||||||
| T1Inspection ReportHome Inspection (Day 5-14) | 1 | 1 | Low | Reversible | Long | Agent/Buyer | No | |
| Property condition data only | ||||||||
| T1Repair AddendumHome Inspection (Day 5-14) | 1 | 1 | Low | Reversible | Short | Agent/Buyer/Seller | No | |
| Negotiation terms tied to property, not person | ||||||||
| T2Title Commitment / Prelim ReportTitle Search (Day 10-21) | 2 | 2 | Medium | Reversible | Long | Title Company | No | |
| Compiled from public county records but distributed via paywalled title DB | ||||||||
| T2Appraisal ReportAppraisal (Day 14-21) | 2 | 2 | Medium | Reversible | Short | Lender/Appraiser | No | |
| Comp data is database-driven; tied to loan file but not independently fraud-actionable | ||||||||
| T3VOE / VOA / Bank Statements / Tax ReturnsUnderwriting (Day 21-30) | 3 | 3 | High | Irreversible | Long | Lender Underwriting | Yes (GLBA, SHIELD Act) | |
| Deepest exposure point: SSNs, account numbers, employer HR contacts, years of tax returns | ||||||||
| T2Loan Commitment Letter / Clear to CloseUnderwriting (Day 21-30) | 2 | 2 | Medium | Reversible | Short | Lender | No | |
| States approved terms; less granular than underlying source docs | ||||||||
| T2Homeowner's Insurance BinderInsurance (Day 20-30) | 2 | 1 | Medium | Reversible | Long | Buyer/Insurer | No | |
| Property + coverage detail; policy number present but not independently actionable | ||||||||
| T2Closing Disclosure (CD) wire-fraud targetClosing Disclosure (Closing -3 days) | 2 | 3 | High | Irreversible | Short | Lender/Title/Attorney | Yes (GLBA, SHIELD Act) | |
| Single document aggregating loan terms, account numbers, partial SSN, wire destination - most spoofed doc in closing fraud | ||||||||
| T1Walkthrough ChecklistFinal Walkthrough | 1 | 1 | Low | Reversible | Short | Agent/Buyer | No | |
| No personal data, property condition only | ||||||||
| T1DeedClosing Day | 1 | 1 | Low | Reversible | Long | Title/County Recorder | No | |
| Becomes public record upon recording | ||||||||
| T1Mortgage / Deed of TrustClosing Day | 1 | 1 | Low | Reversible | Long | Title/County Recorder | No | |
| Becomes public record upon recording | ||||||||
| T3Promissory NoteClosing Day | 3 | 3 | High | Irreversible | Permanent | Lender (private) | Yes (GLBA) | |
| Stays private; full borrower obligation terms + signature, never recorded | ||||||||
| T2Settlement Statement (final CD/ALTA) wire-fraud targetClosing Day | 2 | 3 | High | Irreversible | Short | Title/Escrow | Yes (GLBA, SHIELD Act) | |
| Full fund-flow detail including wire destinations for all parties | ||||||||
The product reading. The dangerous documents cluster in two places - the financing/underwriting stretch (Form 1003, VOE/VOA, tax returns) and the closing window (Closing Disclosure, Settlement Statement, wire instructions). The matrix's own verdict: the breach point is rarely the lender or title system - it is the agent's inbox. That is the gap Mantle's deal room closes.
The rubric
How each score is defined.
Access difficulty
| Tier | Definition | Test question | Example |
|---|---|---|---|
| 1 | Freely public or no restriction to access | Could someone get this from a free public source? | Occupation, recorded deed, inspection report |
| 2 | Restricted / paywalled / requires credential | Does access require a subscription, membership, or professional license? | MLS data, title commitment, appraisal report |
| 3 | Privately held, not accessible without authorization | Is this never available outside the transacting parties? | SSN, bank account numbers, tax returns |
Exploitability
| Tier | Definition | Test question | Example |
|---|---|---|---|
| 1 | No meaningful harm if exposed | Does exposure cause no direct financial or identity harm? | Property condition, negotiation terms |
| 2 | Moderate harm - reputational or competitive, not directly fraud-enabling | Would exposure mainly cause inconvenience or competitive disadvantage? | Pre-approval amount, appraisal value |
| 3 | Directly enables identity theft, account takeover, or financial fraud | Could this alone, or with one other leaked document, enable impersonation or fund redirection? | SSN, wire instructions, full tax returns |
Overlay risk factors
| Factor | Description | Values | Why it matters |
|---|---|---|---|
| Aggregation Risk | Whether the document becomes materially more dangerous when combined with other tier-1/2 items (e.g., name + address + closing date) | Low / Medium / High | A document can be low-sensitivity alone but high-risk in combination - captures wire-fraud spoofing setups |
| Reversibility of Harm | Whether the damage from exposure can be undone | Reversible / Irreversible | SSN exposure and wired funds are largely irreversible; inspection report leaks are fully containable |
| Time-Decay Window | How long the document remains sensitive after issuance | Short / Long / Permanent | Wire instructions are catastrophic the day before closing, irrelevant a week after; the Note never expires |
| Custody Risk | Which party/system holds the document, and how hardened that system is | Named custodian | Agent email inboxes are the most common breach point, not lender/title systems |
| Regulatory Exposure (NY/CT) | Whether compromise triggers breach notification or compliance obligations | Yes / No, statute cited | GLBA (financial institutions) and NY SHIELD Act / CT breach statute impose disclosure duties independent of fraud risk |