Security & compliance

Built to the standard you seal reports with.

Your inspections carry legal weight. The tools that produce them should be held to the same standard.

SOC 2 Type I scheduled

Annual audit engagement scheduled with a qualified firm. Type II observation begins immediately after Type I issuance. Report available to prospective customers under mutual NDA.

AES-256 at rest

All data at rest encrypted by Supabase. TLS 1.2+ in transit with HSTS preload. OAuth tokens and PE signing-certificate passwords are AES-256-GCM encrypted.

US-only residency

Primary database and storage in us-east-1. No cross-border transfer by default. Enterprise customers can require residency commitments in their DPA.

Immutable audit log

Every admin action, key issuance, webhook delivery, and login attempt is written to an append-only audit log. Seven-year retention.

How we protect it

Access control, encryption, monitoring.

The specifics of how every inspection record, signed report, and customer conversation is scoped, protected, and observed.

Access control

Least privilege, scoped by org.

  • Row-level security enforced at the database layer on every table.
  • Admin and reviewer roles with discipline-level scoping.
  • SAML 2.0 SSO via WorkOS; Okta, Entra, Google, generic SAML supported.
  • SCIM directory sync for automated provisioning and deprovisioning.
  • MFA available for all roles, required for admin.
  • Failed-login lockout after five attempts in fifteen minutes.

Encryption

At rest and in transit.

  • Database and storage encrypted at rest by Supabase.
  • TLS 1.2+ with HSTS preload for every public endpoint.
  • OAuth refresh tokens and PE certificate passwords encrypted with AES-256-GCM using a key derived from the service-role secret.
  • Signed PDF hashes stored immutably for public verification.
  • No customer secrets committed to source control — enforced in CI.

Monitoring

Observable end to end.

  • Real-time error and security alerting via Sentry.
  • Structured JSON logs forwarded to a log drain with 90-day retention.
  • PII auto-redacted before it reaches logs.
  • API request log captures every public-API call with key, endpoint, status, and latency.
  • Login attempts (success + failure) retained for seven years.

Data handling

What we collect, how long we keep it.

Audio + transcripts

Stored in your firm's isolated tenant. Exportable any time. Deleted on contract end.

Observations + reports

Row-level-security scoped by organization. Retained until you delete them. No cross-firm access is possible.

Style profile

Per-firm partition. Derived from your own reports. Deleted within 30 days of contract termination.

Login + audit events

Immutable. Retained for seven years to satisfy typical compliance and AHJ-dispute windows.

No AI training on customer data

Anthropic and OpenAI endpoints called under zero-retention terms. Customer voice and transcripts never contribute to shared models.

Model policy

What happens to your voice.

  • No training on your data

    Your firm's audio, transcripts, and reports are never used to train shared models. Anthropic Claude and OpenAI Whisper are called under zero-retention endpoint terms.

  • Your style profile is yours

    House-voice style profiles live in a per-firm partition. Cancel the contract and we delete the derived weights within 30 days.

  • Vendor transparency

    We use Anthropic Claude (Haiku 4.5 for extraction, Opus 4 for draft) and OpenAI Whisper for speech-to-text. Both pipelines run under zero-retention terms.

  • Human review on request

    Every draft is optionally routable to a senior reviewer or licensed PE before an inspector can seal. Configurable per project type.

Data flow

  1. Jobsite: Audio + photos captured offline on device
  2. Sync: TLS 1.2+ to Supabase on reconnect
  3. Transcribe: Whisper · zero-retention endpoint
  4. Extract: Claude Haiku 4.5 · structured observations
  5. Draft: Claude Opus 4 · firm-voice style
  6. Seal: PE cryptographic PDF signature (PAdES)
  7. Archive: Encrypted at rest · exportable any time

Responsible disclosure

Found a security issue? Tell us first.

We acknowledge good-faith reports within one business day.