Short, honest answers about how we handle your data.
We'll skip the trust-center theater. Here's what's true today, what isn't, and what's in progress.
Type 1 audit in progress with an independent auditor. Target completion Q3 2026. We are not claiming we are SOC 2 compliant today - because we aren't yet.
Customer data is hosted on AWS in us-east-2 (Ohio). Data never leaves the region. Database and object storage both encrypted at rest with AWS KMS.
Automated daily backups with 30-day retention. Quarterly restore drills to a clean environment. Backups encrypted at rest with a separate KMS key.
SSO via Google Workspace and Microsoft Entra ID. Role-based access control with named roles (estimator, precon manager, admin, read-only). Session timeouts configurable per customer.
Annual third-party penetration test. Report available under NDA to prospective customers doing procurement review.
Customer-impacting incidents are communicated within four business hours of confirmation. Post-incident write-up is shared in plain English, not a template.
Every customer can export their data as CSV or JSON at any time, without asking us. If you leave, you take your data with you - no exit tax.
We are not currently HIPAA or FedRAMP compliant. If your work involves PHI or federal data classification, we are not the right tool for you yet. We'd rather tell you that up front than walk you into a procurement review that will fail.