Security at Buildra
Last updated: 2026-05-04
Buildra stores plan sets, project decisions, budgets, photos, and conversations for residential general contractors. That data is sensitive — it includes pricing, legal correspondence, and at times personally identifiable information about clients and trades. We take our duty to protect it seriously.
This page documents our current security posture in plain language so procurement, IT, and risk teams can evaluate Buildra quickly. Where something is still in progress or available on request, we say so — we will not overclaim. Questions? Email security@buildra.app.
1. Data encryption
In transit. Every connection to Buildra — web app, API, file uploads, integrations — is served exclusively over TLS 1.2 or higher. HSTS is enabled at the edge with a one-year max-age and includeSubDomains. We disable older protocols (SSL 3, TLS 1.0/1.1) and weak cipher suites.
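As an added example (not Buildra's own code or tooling), the following Node.js snippet parses a Strict-Transport-Security header and checks it against the policy stated above: a one-year max-age with includeSubDomains. A deploy pipeline can run this against the response headers of the live edge after each release; the sample header values are constructed for illustration.

```javascript
// Added example, not Buildra's code. Validates an HSTS header against the
// policy described on the page (max-age >= one year, includeSubDomains set).
const ONE_YEAR_SECONDS = 31536000;

// Parse "max-age=31536000; includeSubDomains; preload" into a plain object.
// Directive names are case-insensitive (RFC 6797); unknown ones are ignored.
function parseHsts(headerValue) {
  const policy = { maxAge: null, includeSubDomains: false, preload: false };
  if (typeof headerValue !== 'string') return policy; // header absent
  for (const rawDirective of headerValue.split(';')) {
    const directive = rawDirective.trim();
    if (!directive) continue;
    const [name, value] = directive.split('=').map((s) => s.trim());
    switch (name.toLowerCase()) {
      case 'max-age': {
        const n = Number(value);
        if (Number.isInteger(n) && n >= 0) policy.maxAge = n;
        break;
      }
      case 'includesubdomains':
        policy.includeSubDomains = true;
        break;
      case 'preload':
        policy.preload = true;
        break;
      default:
        break; // unknown directive, ignored per the RFC
    }
  }
  return policy;
}

// Returns a list of findings; an empty list means the header meets the policy.
function checkHstsPolicy(headerValue, minMaxAge = ONE_YEAR_SECONDS) {
  const findings = [];
  const p = parseHsts(headerValue);
  if (p.maxAge === null) {
    findings.push('missing or malformed max-age (header absent or unparsable)');
    return findings;
  }
  if (p.maxAge < minMaxAge) findings.push(`max-age ${p.maxAge} is below ${minMaxAge}`);
  if (!p.includeSubDomains) findings.push('includeSubDomains not set');
  return findings;
}

// Constructed sample headers, as a post-deploy check might observe them.
const SAMPLES = {
  good: 'max-age=31536000; includeSubDomains',
  shortMaxAge: 'max-age=86400; includeSubDomains',
  noSubdomains: 'max-age=31536000',
  absent: undefined,
};

for (const [label, header] of Object.entries(SAMPLES)) {
  const findings = checkHstsPolicy(header);
  console.log(label.padEnd(13), findings.length === 0 ? 'OK' : findings.join('; '));
}
```

Only `good` passes; the other three samples each produce one finding. Note that a header with a short max-age is the case most often missed in review, since the site still redirects to HTTPS and looks correct in a browser.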
At rest. The primary database (MySQL on Railway) uses InnoDB tablespace encryption with AES-256. Object storage on Cloudflare R2 uses server-side AES-256 encryption on every object. Vector embeddings in Pinecone are encrypted at rest by Pinecone (AES-256). Backups inherit the same encryption.
Key management. Encryption keys are managed by the respective infrastructure providers (Railway, Cloudflare, Pinecone), rotated automatically per their published schedules. Application secrets (API keys, signing keys) live in Vercel's encrypted env store and are accessible only to production workloads. Customer-managed keys (BYOK) are on the roadmap for Business tier customers.
2. Authentication & access
Passwords. User passwords are hashed with bcrypt (cost factor 12) and never stored in plaintext. Password minimums are enforced: 10 characters, with checks against the Have-I-Been-Pwned breach corpus to block known-compromised passwords.
Sessions. Authentication uses short-lived JWT access tokens (15-minute expiry) paired with rotated refresh tokens (7-day expiry, one-time-use rotation). Tokens are stored in HTTP-only secure cookies. Suspicious refresh-rotation patterns invalidate the entire session family and force re-login.
Two-factor authentication. TOTP-based 2FA is available on every plan, compatible with Google Authenticator, Authy, 1Password, and any standards-compliant TOTP app. Account admins on Business tier have 2FA required by default. Backup codes are issued at setup. SMS 2FA is intentionally not offered — it is phishable and SIM-swappable.
Role-based access. Every project enforces per-project, per-user roles: admin, project manager, superintendent, trade, and owner. Roles restrict which actions a user can take (uploading plans, approving change orders, sending payments, etc.) and which fields they can see. SSO via SAML/OIDC is available on Business tier.
3. AI data handling
When we send data to AI providers. Plans and project content are sent to OpenAI or Anthropic only when an authenticated user explicitly asks a question or requests an AI action. We never proactively send your data for batch indexing or background processing beyond what is necessary to fulfill your request.
No training on customer data. Buildra does not train AI models on customer data — full stop. Our API agreements with both OpenAI and Anthropic include zero-retention provisions: submitted prompts and completions are not used to train their models and are not retained beyond the 30-day abuse-monitoring window required by their policies.
Embeddings. To enable semantic search across your plans we generate text embeddings (numerical vectors) and store them in Pinecone (us-east-1). Embeddings cannot be reversed into the original text. They are stored under a per-account namespace and deleted when the source content is deleted.
Opting out. Customers on Business tier can opt out of AI features entirely; the account continues to work without chat, AI summaries, or AI-driven nudges. Reach out to security@buildra.app to enable this.
4. Infrastructure
Buildra runs on managed cloud infrastructure in US-East 1. The sub-processors we rely on are individually certified or attested:
- Vercel — application hosting and edge network; ISO 27001, ISO 27018.
- Railway — managed MySQL primary database; SOC 2 Type 2.
- Cloudflare R2 — object storage for plan files and photos; SOC 2 Type 2.
- Pinecone — vector index for AI retrieval; SOC 2 Type 2.
- Stripe — payment processing and subscription billing; PCI-DSS Level 1.
Production access to infrastructure is gated by SSO + 2FA and granted on a least-privilege basis. Production database access is audit-logged. We do not maintain shared admin credentials.
5. Backups & disaster recovery
Database backups. The primary MySQL database is backed up automatically every 24 hours, with point-in-time recovery available across a rolling 7-day window. Backups are encrypted with AES-256 and stored in a separate region from production.
Object storage. R2 has object versioning enabled on the production bucket; deleted or overwritten objects are recoverable for 30 days. Bucket-level access is restricted to the production Vercel workload via signed credentials.
Recovery objectives. Our internal targets are RTO (recovery time objective) of 1 hour for full-region database failover and RPO (recovery point objective) of 24 hours (in practice we expect much less — point-in-time recovery makes most scenarios near-zero RPO). DR drills are run quarterly.
6. Audit logs & monitoring
Audit log. Every meaningful action — file uploads, decisions, RFI responses, schedule changes, budget edits, user invites, role changes, and all admin actions — is recorded with user identity, timestamp, IP address, and user agent. Logs are append-only; no user (including Buildra staff) can alter historical entries. Logs are retained for 2 years and exportable by account admins.
Application monitoring. Real-time error tracking is provided by Sentry. Performance and availability are monitored continuously; PagerDuty pages the on-call engineer for severity-1 incidents around the clock. Public status will be available at status.buildra.app (in progress).
7. Compliance
SOC 2. Buildra is currently in active preparation for SOC 2 Type 1, with target attestation in Q3 2026. SOC 2 Type 2 is targeted for Q1 2027. We will share the reports under NDA with prospective Business customers as soon as the Type 1 attestation is issued.
GDPR & CCPA. We honor all data-subject rights under GDPR (access, rectification, erasure, portability, restriction) and CCPA (right to know, delete, opt-out of sale). We do not sell personal data — period. A signed DPA (Data Processing Addendum) is available on request for customers who require one; the template is at /dpa.
HIPAA. Buildra is a construction-industry product, not a healthcare product. We are not HIPAA-covered and do not sign BAAs. Do not upload protected health information.
8. Vulnerability disclosure
We take security reports seriously and welcome responsible disclosure. A formal bug bounty program is on our roadmap; in the meantime please report any suspected vulnerabilities via email to security@buildra.app.
PGP. For sensitive reports our PGP key fingerprint is TBD — published before SOC 2 Type 1 attestation. We commit to acknowledging receipt within 1 business day, triaging within 5 business days, and coordinating disclosure on a 90-day timeline by default. Researchers who follow responsible disclosure will be credited in our hall of fame (with their permission).
Need more detail?
Visit the trust center for our sub-processors list, compliance roadmap, and data residency options. For questionnaires, audit reports under NDA, or a custom security review, email security@buildra.app.