Security

Built for enterprise trust.

Your bid data is sensitive. We treat it that way — from multi-tenant isolation to a SOC 2 Type II audit in progress.

Multi-tenant isolation

Row-Level Security on every table. Your bids, subs, and benchmarks cannot leak across tenants — enforced at the database layer, not the application.

Encryption at rest & in transit

AES-256 at rest on Supabase-managed Postgres, TLS 1.3 in transit on every connection. Keys rotated on a 90-day schedule.

Role-based access control

Three built-in roles — admin, estimator, viewer — plus granular project-level permissions. Full audit trail on every sensitive action.

HMAC-authenticated functions

Edge functions require HMAC signatures with timestamp-bound nonces. Replay attacks blocked; webhook endpoints locked to Procore origins.

CORS hardening

Strict origin allowlist per environment. Preflight caching disabled on sensitive routes. No wildcard CORS anywhere in the stack.

Security headers

CSP with nonce-based script-src. HSTS preloaded. X-Frame-Options: DENY. Referrer-Policy: strict-origin-when-cross-origin.

Infrastructure

Where your data lives.

Supabase · PostgreSQL

Managed Postgres with point-in-time recovery, 30-day backups, and row-level security enforced at every read and write.

Vercel edge

Global edge network for marketing + app. DDoS mitigation, automatic HTTPS, and region-pinned function execution for compliance.

Redundant backups

Daily encrypted backups to a separate region. Quarterly restore drills. 30-day retention, longer on Enterprise.

Compliance roadmap

Where we're headed.

Milestone                      Status        Target
SOC 2 Type I                   complete      Q2 2026
SOC 2 Type II                  in progress   Q4 2026
SSO / SAML (Okta, Azure AD)    in progress   Q4 2026
HIPAA BAA (healthcare GCs)     planned       2027

Questions about security?

We're happy to share our architecture docs, SOC 2 status, and sub-processor list under NDA.
