Leon Real Estate
Intelligence Platform
48 AI agents & specs (30 AI · 16 hybrid · 1 automation · 1 platform), grouped into six business functions. 4 tenant entities. One unified platform — from deal sourcing to investor reporting, built natively for Leon Capital's real estate verticals.
Platform Architecture
Full technology stack — 8 layers from user interface to compliance archive. Multi-tenant, Azure-hosted, AI-native design with OPA policy enforcement and per-tenant data isolation.
Access &
Identity
API Gateway
& Proxy
Orchestration
& Agents
AI & LLM
Tier
Data Platform
& Integrations
Database
Layer
Security
& Keys
Observability
& Audit
Use case: Knowledge work, analysis, memo drafting, document review
Deployment: Anthropic-hosted Claude Enterprise subscription
Data sensitivity: Non-sensitive, general analytical work
Use case: Agentic pipelines, multi-step workflows, tool-using agents
Deployment: Claude API / Google Gemini / open-weight models on Azure + LangGraph on Container Apps
Data sensitivity: Structured deal data, underwriting models
Use case: Sensitive deal data, NDA-covered information, PII-adjacent records
Deployment: Azure VNet isolated open-weight LLM (Gemma / Llama), mTLS enforced, no external egress
Data sensitivity: Maximum — capital structure, investor PII, fund terms
Platform Costs
Current open-source stack vs Azure-native alternatives — all infrastructure hosted on Azure. Includes model-agnostic AI token estimates (Claude API, Google Gemini, or open-weight models on Azure), Tier-3 GPU compute, and external data subscriptions (Green Street + Crexi; all government/census sources are free).
| Component | Current Choice | Current Cost/mo | Azure-Native Alternative | Azure-Native Cost/mo | Δ Cost | Notes |
|---|---|---|---|---|---|---|
| API Gateway / Proxy | Traefik v3 on Container Apps | ~$30–60 (Container Apps compute only) |
Azure API Management (APIM) | $280–700 (Developer → Standard tier) |
+$250–640 | APIM offers richer analytics and developer portal. Traefik sufficient for current scope. |
| Container Orchestration | Azure Container Apps | $80–200 (scale-to-zero, per vCPU/mem) |
Azure Kubernetes Service (AKS) | $150–400 (management fee + node VMs) |
+$70–200 | AKS gives more control; Container Apps is right-sized for current agent workloads. |
| Database | Azure PostgreSQL Flexible Server | $120–250 (General Purpose, 4–8 vCores) |
Azure PostgreSQL Flexible Server | $120–250 | $0 | Same service. No change. |
| Data Transformation | dbt Core (open source) | $0 (runs on existing Container Apps) |
Microsoft Fabric (Dataflows Gen2) | $524–1,048 (F4–F8 capacity SKU) |
+$524–1,048 | Fabric includes managed pipelines, OneLake, semantic models. Significant cost for managed convenience. |
| Metric Governance | MetricFlow (open source, in dbt) | $0 | Power BI Semantic Models (Fabric) | $10–20/user/mo (Pro/PPU × ~20 users = $200–400) |
+$200–400 | Included in Fabric capacity above. Listed separately for clarity. |
| In-Agent Analytics | DuckDB (open source, in-process) | $0 | Azure Synapse Serverless SQL | $5–40 ($5/TB scanned, est. 1–8 TB/mo) |
+$5–40 | Synapse requires network hop per query. DuckDB is faster and free for in-agent use. |
| Audit Archive (WORM) | ADLS Gen2 Delta + WORM policy | $20–80 (storage at $0.018/GB/mo) |
ADLS Gen2 / Fabric OneLake | $20–80 | $0 | Same underlying service. Fabric OneLake is a superset with unified namespace. |
| Policy Engine (RBAC) | OPA (open source, sidecar) | $0 | Azure API Management Policies | Bundled in APIM above | — | OPA gives finer-grained Rego policy control than APIM policy expressions. |
| Agent Orchestration | LangGraph (open source) | $0 | Azure AI Foundry Agent Service | $0.05–0.15/agent run (est. 5K runs/mo = $250–750) |
+$250–750 | Azure AI Foundry is managed but expensive at volume. LangGraph on Container Apps is free. |
| Observability | Azure Monitor + OpenTelemetry | $30–80 (log ingestion ~5–20 GB/mo) |
Azure Monitor (same) | $30–80 | $0 | Same service. No change. |
| Identity | Entra ID + Clerk | $50–120 (Clerk Pro ~$25/mo + Entra P2 ~$6/user) |
Entra ID only (no Clerk) | $60–150 (Entra P2 + External Identities) |
~$0 | Comparable cost. Clerk adds session flexibility; Entra-only is simpler if no external users. |
| Security (Defender + Sentinel) | Defender for Cloud + Sentinel | $100–200 (Defender Standard + Sentinel ingest) |
Defender for Cloud + Sentinel (same) | $100–200 | $0 | Same service. No change. |
| Network (VNet, Private Link) | Azure VNet + Private Link | $30–70 (Private Link endpoints + egress) |
Azure VNet + Private Link (same) | $30–70 | $0 | Same service. No change. |
| Model | Input / 1M tokens | Output / 1M tokens | Best Used For | Wave 1 est. | Wave 2 est. | Full Platform est. |
|---|---|---|---|---|---|---|
| Claude Haiku 4.5 | $1.00 | $5.00 | Routine parsing, tenant comms, insurance tracking | ~$10/mo | ~$30/mo | ~$60/mo |
| Claude Sonnet 4.6 | $3.00 | $15.00 | Deal scoring, NOI analysis, lease abstraction, most agentic workflows | ~$25/mo | ~$150/mo | ~$400/mo |
| Claude Opus 4.8 | $5.00 | $25.00 | UW model builder, IC packages, deal narratives, complex reasoning | ~$10/mo | ~$100/mo | ~$250/mo |
| Subtotal (Claude API) | ~$45/mo | ~$280/mo | ~$710/mo | |||
|
💡 Prompt caching (90% input reduction) + batch processing (50% off) on high-frequency modules can reduce this to ~$350–400/mo at full platform. 🧠 Model-agnostic: agents route to the most cost-effective model per task. Non-Claude options are used where they outperform — Google Gemini (2.x) and open-weight models (Llama, Qwen, DeepSeek, Mistral, Gemma) self-hosted on Azure for cost-sensitive or air-gapped (Tier-3) workloads. |
||||||
| Deployment Mode | VM SKU | Hourly Rate | Est. Hours/mo | Monthly Cost | Use Case Fit |
|---|---|---|---|---|---|
| On-demand (job-only) ✓ Recommended | NC24ads A100 v4 | $3.67/hr | ~50 hrs (LP reporting, batch jobs) | ~$185/mo | Spin up for quarterly LP reports, sensitive batch runs. Shut down after. |
| Spot instance | NC24ads A100 v4 | $0.75/hr | ~50 hrs | ~$38/mo | Cheapest option. Risk of eviction — acceptable for non-real-time batch jobs. |
| Business hours reserved | NC24ads A100 v4 | ~$2.20/hr (1yr) | ~220 hrs (10hr/day, 22 days) | ~$484/mo | For Wave 3+ when Tier 3 usage grows beyond quarterly LP runs. |
| Always-on reserved | NC24ads A100 v4 | ~$2.20/hr (1yr) | 730 hrs | ~$1,606/mo | Only warranted if Tier 3 becomes primary inference path for many modules. |
| Source | Type | Annual | Monthly equiv. | Notes |
|---|---|---|---|---|
| SS&C Technologies | Core platform — fund / investment / loan mgmt (system of record) | Enterprise SaaS — TBD | TBD (quote) | GlobeOp fund admin · Geneva investment accounting · Precision LM loan servicing — feeds Fund & Loan Tracking, Accounting, Servicing, LP Reporting, Portfolio Risk |
| Green Street | Commercial market data + AVM | $20,000/yr | ~$1,667/mo | AVM Pro, forecasts & scenarios, Market Grade, CPPI, Cap Rate Observer, verified comps, debt/fund DBs |
| Crexi | Commercial listings / comps | ~$2,400–7,200/yr (est.) | ~$200–600/mo | Supplementary on-market listings & transaction comps for sourcing |
| Gov / Census / Free Census, FRED, BLS, HUD, BEA, FEMA, EPA, EIA, SEC EDGAR, Assessor… | Public data | $0 | $0 | All government, census & public APIs — macro, demographic, lending, risk, filings |
| Subtotal — data subscriptions | ~$22.4K–27.2K/yr · ~$1,870–2,270/mo | + SS&C core platform (enterprise SaaS, pricing TBD). Common to both stacks below. | ||
Tenant Architecture
Hard isolation boundaries — each tenant has its own PostgreSQL schema, Azure Key Vault, RBAC scope, and module access profile. No cross-tenant data leakage by design.
Module Registry
All 33 AI agents organized by domain, each tagged with its Playbook agent number (the authoritative spec in the LCG RE AI Initiative Registry). Click any box to open its full specification — role, system prompt, tooling/access, and skills. Each module defines its AI tier, wave deployment target, tenant access, and data dependencies. Modules are independently deployable on the shared platform infrastructure.
Data Integration Catalog
All source systems feeding the Leon RE Intelligence Platform. Each connector defines ingestion method, target tenants, refresh cadence, and responsible team. Data flows into ADLS Gen2 → dbt transformation pipelines → governed MetricFlow metrics.
Data Flow Architecture
U.S. Census · FRED · BLS · HUD · BEA · FEMA · County Assessor
Excel · SharePoint · M365
+ Graph API
Raw + Bronze
Transformation
Cap Rate · IRR
LangGraph + multi-model
Source Connectors
Each integration feeds one or more tenants via Azure Data Factory or direct API ingestion into the Delta Lake raw zone.
Free · Government · Census Data Sources (no-cost public APIs)
Public macro, demographic, lending, and risk data — ingested via API into the Delta Lake raw zone alongside the commercial sources. All free.
| Source | Category | Key Data | Cost | Refresh |
|---|---|---|---|---|
| U.S. Census Bureau | Demographics | ACS, Building Permits Survey, County/ZIP Business Patterns, population estimates | Free | Annual / quarterly |
| FRED (St. Louis Fed) | Macro / Rates | 10-yr Treasury, Fed Funds, CPI, mortgage rates, macro series | Free | Daily |
| BLS | Labor / Prices | PPI (construction costs), CPI, QCEW employment by county | Free | Monthly |
| HUD | Housing | Fair Market Rents, income limits, LIHTC database, USPS vacancy | Free | Annual / quarterly |
| BEA | Economy | GDP by metro, regional personal income | Free | Quarterly |
| FEMA | Risk | Flood maps (NFHL), disaster declarations | Free | On update |
| EPA | Environmental | ECHO enforcement, brownfields, air/water quality | Free | On update |
| EIA | Energy | Electricity / gas prices, utility rates | Free | Monthly |
| USGS / NOAA | Climate / Geo | Seismic, climate & weather-risk data | Free | On update |
| SEC EDGAR | Filings | REIT 10-K/10-Q, fund filings (comps/benchmarks) | Free | On filing |
| Treasury / FFIEC | Lending | HMDA mortgage data, census-tract income | Free | Annual |
| IRS SOI | Migration | County-to-county migration & income flows | Free | Annual |
| County Assessor | Public records | Parcel/APN ownership, assessed value, lot data | Free | On lookup |
Commercial & System Connectors
SS&C Technologies
Core Platform · System of Record ⚙ Wave 1Green Street
Market Data & Valuation · PRIMARY ⚙ Wave 1Yardi Voyager
Property Management ⚙ Wave 1Argus Enterprise
Valuation & Underwriting ⚙ Wave 1Built (getbuilt.com)
Construction Finance ⚙ Wave 2Excel & Spreadsheets
Legacy Migration ● Wave 1 TargetMicrosoft SharePoint
Document Store ● ActiveCrexi
CRE Marketplace ★ LCG Owned Asset ● ActiveMicrosoft Outlook / Email
Communications ⚙ Wave 3Internal Databases & Systems
Internal Systems ● ActiveExternal Market Data
Market Intelligence ⚙ Wave 2Integration Status Summary
Deployment Sequences
Phased rollout starting with foundational infrastructure, progressing through use case validation, core module deployment, and advanced AI capability expansion across all four tenants.
| Wave | Period | Status | Focus | Modules | Key Dependency |
|---|---|---|---|---|---|
| Pre-Wave | Mar–May 2026 | ● Completed | Concept, Design, Architecture & Planning | No modules — base platform architecture only | Stakeholder alignment, stack selection |
| Wave 1 | May 2026 | ● Active | Infrastructure + Core UW & Acquisitions | RE-00–03, 08–10, 16–17 | Azure infra, RLS, Key Vaults |
| Wave 2 | Jul 2026 | ● In Planning | Core Acquisitions, UW & Expanded Asset Management | RE-00–05, 07–08, 10–13, 15, 18–21, 24, 28 | Wave 1 data platform, validated use cases |
| Wave 3 | Oct 2026 | ● Planned | Portfolio Reporting + Compliance | RE-06, 14, 22–23, 25–26, 29 | Tier 3 LLM, LP data |
| Wave 4 | Jan 2027 | ● Planned | Board + Regulatory + Disposition | RE-27, 30–31 | Full portfolio data pipeline |
| Wave 5 | Apr 2027 | ● Future | Optimization + External Integrations | External APIs, fine-tuning | All 48 modules stable |
Security Architecture
12-layer security spanning identity, edge (Cloudflare CDN/WAF/Workers), network, application, data, and DevSecOps pipeline. Continuous vulnerability management via Tenable, AI-powered code security via Claude, and supply chain protection via GitHub Advanced Security.
- Azure Entra ID: Enterprise SSO with Conditional Access Policies. Group membership synced to Clerk organizations at login.
- Clerk: Session token management, MFA enforcement, org-scoped JWTs with tenant_id and roles[] claims embedded.
- JWT Structure: Every request carries
tenant_id+roles[]claims, validated at both Traefik and OPA layers. - Session TTL: Standard sessions: 8-hour token expiry. Privileged sessions: 4-hour JIT TTL via Azure PIM.
- MFA: Required for all users. Passwordless preferred for internal staff.
- Purpose: Grants temporary elevated access to cross-tenant data or privileged operations without permanent role assignment.
- TTL: 4-hour maximum, scoped to specific deal_id or loan_id.
- Approval: Manager approval required for cross-tenant elevation. Automatic approval for intra-tenant escalation within defined bounds.
- Audit: All PIM activations logged to Azure Monitor with requestor, approver, scope, and duration.
- Roles eligible for JIT: RE-CEO full cross-tenant read, RE-DATA elevated analytics, RE-COMP regulatory access.
- Cloudflare CDN: Global edge caching for all static assets and frontend bundles. Reduces latency for distributed LCG teams. Cache rules scoped per tenant subdomain — no cross-tenant cache pollution.
- WAF (Web Application Firewall): Managed rulesets (OWASP Top 10, Cloudflare Managed Rules) applied at edge. Custom rules block SQL injection, XSS, path traversal, and malformed JSON payloads targeting RE platform API endpoints.
- DDoS Protection: Always-on L3/L4/L7 DDoS mitigation. Adaptive rate limiting per IP, ASN, and tenant. Automatic challenge for suspicious traffic patterns.
- Cloudflare Workers: Edge compute layer for request pre-processing — JWT claim validation, tenant routing, request transformation, and rate-limit enforcement before traffic reaches Azure Container Apps. Eliminates unnecessary origin hits.
- Cloudflare One (ZTNA): Zero Trust Network Access with device posture checks and identity-aware proxy. All remote access routed through Cloudflare Access — no direct VPN to Azure VNet.
- DLP (Data Loss Prevention): Inspects outbound HTTP/HTTPS traffic for PII patterns, sensitive financial data (SSN, EIN, account numbers), and deal-level identifiers (deal IDs, loan amounts).
- JSON Body Inspection: Deep packet inspection on API payloads. Policy violations blocked before reaching application layer.
- DNS Filtering: Cloudflare Gateway blocks unauthorized egress destinations. Prevents data exfiltration to unknown endpoints.
- Bot Management: ML-based bot scoring on all API traffic. Automated credential-stuffing and scraping attempts blocked at edge.
- Threat Intelligence: Real-time feeds for malicious IPs, domains, and threat actors integrated into WAF and DNS policies.
- Policy Bundle: Rego policies deployed as OPA sidecar in each Container App. Evaluates every API request for authorization.
- Decision Logic: Checks tenant_id match, role-permission mapping, resource scope (deal_id/loan_id), and PIM elevation validity.
- Default-Deny: All requests denied unless explicitly permitted by policy. No implicit trust.
- Policy Updates: Bundle versioned in Azure Blob Storage. Hot-reload without pod restart.
- Audit: Every OPA decision (allow/deny) written to immutable audit log in ADLS Gen2.
- PostgreSQL RLS: Row-Level Security enforced on every table using tenant_id column. Cross-tenant reads blocked at DB layer even if application layer is compromised.
- Schema Separation: Each tenant has a dedicated schema namespace (lcg_corp, lcg_mf, lcg_ind, lcg_con).
- Connection Scoping: PgBouncer connection pool assigns DB connections per tenant role. No shared connection pool across tenants.
- Azure Private Link: PostgreSQL endpoint not reachable from public internet. VNet-internal only.
- pgvector: Embedding vectors for semantic search also tenant-scoped via RLS.
- One Key Vault per tenant: kv-lcg-coe, kv-lcg-mf, kv-lcg-ind, kv-lcg-hc. Strict RBAC — tenant A cannot access tenant B's vault.
- AES-256 CMK: Customer-managed keys for all data at rest. Key rotation on 90-day schedule.
- HSM-backed: Premium Key Vault tier with FIPS 140-2 Level 3 HSM for sensitive key material.
- Secret Management: API keys, connection strings, and service credentials stored in Key Vault. No secrets in code or config files.
- Access Audit: All key operations logged and monitored for anomalous access patterns.
- At Rest: AES-256 encryption for all storage (PostgreSQL, ADLS Gen2, Blob Storage). CMK via Key Vault per tenant.
- In Transit: TLS 1.3 enforced for all external traffic. TLS 1.2 minimum for internal service-to-service.
- mTLS: Mutual TLS enforced between all microservices within the VNet. Certificate rotation automated via Azure Managed Certificates.
- Tier 3 AI Isolation: Air-gapped LLM environment uses mTLS with no internet egress. All inference requests stay within Azure VNet.
- Key Rotation: Automated 90-day rotation for CMKs, 30-day rotation for service-to-service certificates.
- WORM Archive: ADLS Gen2 with immutable storage policy (Write Once, Read Many). SEC 17a-4 compliant. No deletion or modification possible once written.
- What's Logged: All API requests (with OPA decision), user actions, LLM calls (prompt + response), data access, PIM activations, key vault access.
- LangSmith: LLM-specific tracing for prompt versioning, token usage, latency, and model call attribution.
- Retention: 7-year default retention for compliance logs. 90-day hot tier for operational logs.
- Log Integrity: Cryptographic hash chain on log entries prevents tampering.
- Microsoft Defender for Cloud: Continuous security posture assessment, vulnerability scanning, and threat detection across all Azure resources.
- Microsoft Sentinel: SIEM + SOAR. Ingests logs from all platform components. Custom detection rules for RE platform threat scenarios.
- Azure Policy: Governance guardrails — enforces approved regions, SKUs, encryption settings, and network rules. Non-compliant resources flagged automatically.
- Azure DDoS Protection: Standard tier enabled on VNet. Adaptive tuning per application profile.
- Security Baselines: All resources deployed against Microsoft Security Benchmark v3.
- Managed Service: Azure PostgreSQL Flexible Server — OS patching, minor version updates, and HA failover managed by Azure.
- Network: Private endpoint only (no public FQDN). All connections via Azure Private Link from within the VNet.
- Backups: Geo-redundant automated backups with point-in-time restore up to 35 days. Backup encryption with CMK.
- High Availability: Zone-redundant HA with automatic failover <120s RPO/RTO.
- Maintenance: Scheduled maintenance windows during off-peak hours. No-downtime minor upgrades.
- Tenable.io / Nessus: Continuous vulnerability scanning across all Azure infrastructure — Container Apps, PostgreSQL, Key Vaults, storage accounts, and network configurations. Scans triggered on every infrastructure deployment.
- Container Image Scanning: All Docker images scanned for CVEs before deployment to Azure Container Registry. Images with Critical/High CVEs blocked from production promotion by CI/CD gate.
- Cloud Security Posture: Tenable Cloud Security (formerly Accurics) scans IaC templates (Bicep/Terraform) for misconfigurations before deployment. Detects overly permissive IAM, exposed storage accounts, missing encryption settings.
- Agent-Based Scanning: Tenable Nessus agents deployed on all Container App environment nodes for authenticated OS-level vulnerability detection.
- Risk Prioritization: CVSS + Tenable VPR (Vulnerability Priority Rating) used to triage findings. Critical findings trigger Sentinel alert and PagerDuty incident automatically.
- Compliance Benchmarks: Continuous CIS Benchmark assessment for Azure, Docker, and Kubernetes configurations. Results feed into Defender for Cloud compliance dashboard.
- Remediation Tracking: Findings tracked in Monday.com via API integration. SLA: Critical ≤24h, High ≤7d, Medium ≤30d.
- Automated Code Security Review: Claude API (Sonnet tier) integrated into GitHub PR pipeline. Every pull request triggering changes to security-sensitive paths (auth, OPA policies, API handlers, DB migrations) receives an automated security review identifying OWASP vulnerabilities, secrets exposure, SQL injection risks, and insecure patterns.
- OPA Policy Review: Claude reviews all Rego policy changes for logic errors, unintended permission grants, and tenant isolation bypass risks before merge. Policy PRs require both Claude review pass and human approval.
- Dependency Analysis: Claude analyzes package.json / requirements.txt changes for known-malicious packages, suspicious new dependencies, and license compliance issues.
- LangGraph Agent Security: All new LangGraph agent tool definitions reviewed by Claude for prompt injection vulnerabilities, tool misuse vectors, and capability scope creep.
- Security Documentation: Claude auto-generates security design notes for new modules (threat model, data flows, trust boundaries) as part of the module specification process.
- Incident Response: Claude assists the security team during incidents — log analysis, anomaly explanation, remediation step generation, and post-incident report drafting.
- Air-Gap Boundary: Security review workloads use Claude API (Tier 2) only — no sensitive source code or logs sent to Gemma 4 air-gapped tier. All Claude security calls logged in ADLS WORM audit trail.
- GitHub Advanced Security (GHAS): Code scanning (CodeQL) on every push — detects security vulnerabilities in Python, TypeScript, and SQL. Secret scanning blocks accidental credential commits across all repos. Dependency graph + Dependabot alerts for vulnerable packages with automatic PRs.
- CodeQL Analysis: Custom CodeQL queries tuned for RE platform patterns — detects tenant_id bypass attempts, OPA policy logic errors, and insecure LangGraph tool definitions.
- Secret Scanning + Push Protection: Pre-receive hook blocks pushes containing API keys, Azure connection strings, JWT secrets, or Clerk credentials. Scanning covers commit history, PRs, issues, and wikis.
- Branch Protection Rules: Main branch requires: 2 reviewer approvals, passing CI (all checks green), Claude security review pass, Tenable container scan pass, CodeQL zero-critical findings. Force push and deletion blocked.
- GitHub Actions — CI Pipeline: On every PR: lint → unit tests → CodeQL scan → Tenable image scan → Claude security review → build Docker image → push to ACR (staging tag). Failures block merge.
- GitHub Actions — CD Pipeline: On merge to main: build production image → Tenable final scan → sign image (Sigstore/cosign) → push to ACR (prod tag) → trigger Azure Container Apps rolling deployment via Azure CLI action → smoke tests → Sentinel alert on deployment event.
- OIDC Federated Identity: GitHub Actions uses OIDC to authenticate to Azure (no long-lived secrets). Workload identity federation — short-lived tokens scoped to specific repo + branch + environment.
- Environment Protection Rules: Production deployments require manual approval from Tech Lead + Security role. 15-minute deployment window enforced. Rollback action available for 30 minutes post-deploy.
- Supply Chain Security: All GitHub Actions pinned to commit SHA (not mutable tags). Actions audited quarterly. Dependency Review action blocks PRs introducing vulnerabilities with known exploits.
- Audit Log Streaming: GitHub enterprise audit log streamed to Microsoft Sentinel via webhook. All repo events, member changes, and security alerts correlated with platform security events.
| Role | Description | Acquisitions | Underwriting | Asset Mgmt | Portfolio | Transactions | Cross-Tenant |
|---|---|---|---|---|---|---|---|
| RE-CEO | Executive — full read portfolio visibility | ✓ Read | ✓ Read | ✓ Read | ✓ Full | ✓ Read | JIT Only |
| RE-PM | Portfolio / Asset Manager | ✓ Full | ✓ Full | ✓ Full | ✓ Full | ✓ Full | ✗ |
| RE-UW | Underwriter / Analyst | ✓ Read | ✓ Full | Read-only | Summaries | Read | ✗ |
| RE-TX | Transactions / Acquisitions | ✓ Full | ✓ Full | ✗ | ✗ | ✓ Full | ✗ |
| RE-SVC | Property Services / Operations | ✗ | ✗ | Ops only | ✗ | ✗ | ✗ |
| RE-DATA | Data / Analytics Engineer | Read | Read | Read | ✓ Full | ✗ | JIT Read |
| RE-COMP | Compliance / Legal | Read | Read | Read | Read | ✓ Full | ✗ |
| RE-EXT | External / Advisor (read-only, scoped) | ✗ | Specific deals | ✗ | ✗ | ✗ | ✗ |
Open Items & Blockers
Active issues and unresolved architectural decisions requiring resolution before Wave 1 completion and Wave 2 kickoff. Tracked by severity with owner and target resolution date.
Key Contacts
Executive leadership, platform technology team, finance owners, legal, and asset management contacts for the Leon RE Intelligence Platform.