Security & Compliance

Enterprise-Grade Security

Built from the ground up with security, compliance, and auditability as core requirements—not afterthoughts.

  • SOC 2 Type II: Certified
  • ISO 27001: In Progress
  • GDPR: Compliant
  • CCPA: Compliant

Security Architecture

Multiple layers of protection for your data and operations

Data Encryption

All data encrypted at rest and in transit using AES-256 and TLS 1.3

  • AES-256 encryption at rest
  • TLS 1.3 for data in transit
  • End-to-end encryption for sensitive documents
  • Hardware security modules (HSM) for key management

Auditability

Complete audit trails with immutable logging and blockchain anchoring

  • Immutable audit logs
  • Blockchain-anchored records
  • User activity tracking
  • Change history for all documents

Access Controls

Role-based access control with multi-factor authentication

  • Role-based access control (RBAC)
  • Multi-factor authentication (MFA)
  • Single sign-on (SSO) support
  • IP allowlisting

Infrastructure

Enterprise-grade infrastructure with 99.99% uptime SLA

  • SOC 2 Type II certified data centers
  • Geographic redundancy
  • Automated backups
  • Disaster recovery

Governance Overview

Clear roles, permissions, and approval workflows

Role               Permissions                                              Approval Required
Platform Admin     Full system access, user management, configuration       Board approval for changes
Project Manager    Project data, team management, reporting                 Admin approval for new projects
Contractor         Assigned project data, document upload, time tracking    PM approval for submissions
Auditor            Read-only access to audit logs and compliance reports    Legal approval for access

FAQ for Legal & IT Teams

Straight answers to common security and compliance questions

Where is my data stored?

All data is stored in SOC 2 Type II certified data centers in the United States, with geographic redundancy across multiple availability zones. We use AWS GovCloud for government clients.

How do you handle data retention?

Data is retained according to your organization's policy, with a minimum of 7 years for compliance purposes. You can request data deletion at any time, subject to legal hold requirements.

What happens if there's a security incident?

We have a documented incident response plan with 24/7 monitoring. Affected parties are notified within 72 hours per GDPR requirements, and we provide detailed post-incident reports.

Can we get a BAA for HIPAA compliance?

Yes, we offer Business Associate Agreements for healthcare-related construction projects. Contact our compliance team for details.

Do you support on-premise deployment?

Yes, we offer on-premise and private cloud deployment options for organizations with specific data residency requirements.

Need More Details?

Our security team is available to answer questions and provide documentation for your compliance review.