Trust Centre

How we protect your construction project data, where it lives, and the controls our team operates every day. Updated continuously as our SOC 2 Type II programme matures.

Hosted in United States (primary) TLS 1.2+ in transit AES-256 at rest SOC 2 Type II in progress

Security Overview (PDF)

No NDA required · Updated June 2026

Request Full SOC 2 Report or Questionnaire

NDA-gated · 2 business day response SLA

Hosting & Infrastructure

Primary region

United States (primary)Replit cloud platform

Encryption in transit

TLS 1.2 / 1.3HSTS enforced, modern ciphers only

Encryption at rest

AES-256Database, object storage, backups

Secrets management

Platform secret storeNo secrets in source control

Network controls

CSRF, CORS, rate-limitingCloudflare-fronted reverse proxy

Authentication

Federated + email/passwordMFA enforced for admin accounts

Backups & Resilience

Backup cadence

Daily automatedPlus continuous WAL streaming for Postgres

Backup retention

30 days rollingEncrypted, off-region

RPO target

≤ 24 hoursEffective < 15 min via WAL streaming

RTO target

≤ 8 business hours

Disaster recovery test

QuarterlyRestore-to-staging drill, results logged

Public status page

/health endpointDatabase, cache, worker checks

SOC 2 Common Criteria — Programme Status

CC1 Control Environment — governance, code of conduct, security org chart

Live

CC2 Communication & Information — internal/external security comms

Live

CC3 Risk Assessment — annual risk review

In Progress

CC4 Monitoring Activities — control monitoring & deficiencies log

In Progress

CC5 Control Activities — policies operationalised in CI / runbooks

Live

CC6 Logical & Physical Access — RBAC, MFA, quarterly access reviews

Live

CC7 System Operations — monitoring, alerting, incident response

Live

CC8 Change Management — peer review, audited deploys

Live

CC9 Risk Mitigation — vendor management, BCP/DR drills

In Progress

Privacy, GDPR & Australian Privacy Act

GDPR (EU)

CompliantLawful basis recorded, DPA available, EU SCCs in place for sub-processors

Australian Privacy Act 1988

APP 1–13 mappedNotifiable Data Breaches Scheme — 72h regulator notice

Data deletion SLA

≤ 30 days from verified requestPrivacy Centre self-service · audit-logged

Data export

Self-service PDF / JSONAvailable from your Privacy Centre

Data Processing Agreement

Self-serviceSigned in your Privacy Centre under Art. 28 GDPR

Cookie consent

ePrivacy-compliantGranular consent · withdraw any time

Sub-processors

We use a small number of vetted sub-processors to deliver the platform. All hold their own SOC 2 / ISO 27001 attestation and have a signed DPA with us. Last reviewed: June 2026.

Sub-processor	Purpose	Region	Attestation
Replit	Application hosting & object storage	United States	SOC 2 Type II
Stripe	Payment processing (PCI delegated)	United States / Australia	PCI DSS L1, SOC 2
Cloudflare	CDN, WAF, DDoS protection	Global anycast	SOC 2 Type II, ISO 27001
Google (Firebase Auth)	End-user authentication	United States	SOC 2/3, ISO 27001/27017/27018
Google (Gemini AI)	AI features (opt-in)	United States	SOC 2/3, ISO 27001
Zoho Mail	Transactional email (outbound)	India / United States	SOC 2 Type II, ISO 27001
CloudMailin / ZeptoMail	Inbound email parsing	United Kingdom / India	SOC 2 Type II
ip-api.com	IP-based geolocation (anonymised)	European Union	GDPR processor terms

Monitoring & Incident Response

Application monitoring

Structured logs + Sentry-class captureErrors, slow queries, anomalies

Suspicious activity alerts

Real-timeFailed logins, IP velocity, privilege changes

Vulnerability scans

ContinuousDependency audit, SAST, secret scan in CI

Incident notification

Within 72 hoursPer APP NDB Scheme & GDPR Art. 33

Penetration testing

Annual third-partyPlus continuous internal review

Customer incident contact

security@constructionspilot.comAcknowledged within 1 business day

Available Documents

Security Overview PDF · No NDA
Privacy Policy Public
Terms & Conditions Public
Data Processing Agreement (DPA) Self-service in Privacy Centre
Full SOC 2 Type II Report NDA · Request below

Report a Security Issue

Found a vulnerability or have a security concern? Email security@constructionspilot.com — we acknowledge within 1 business day and follow a coordinated disclosure process.

Trust Centre last updated June 03, 2026.