Trust center
Last updated: 2026-05-04
Everything you need to evaluate Buildra for your business — system status, sub-processors, compliance, data residency, and legal documents. For an in-depth walkthrough of our security controls, see the security page. For procurement questionnaires or a custom security review, email security@buildra.app.
1. System status
Real-time service status and historical incident reports will be published at status.buildra.app (currently in progress — public launch planned alongside SOC 2 Type 1). The status page will report uptime, current incidents, planned maintenance, and integration health for each sub-processor.
In the meantime, severity-1 incidents are communicated by email to account admins within 30 minutes of detection.
2. Uptime commitment
Our target service availability by plan tier:
- Solo — best-effort, no formal SLA.
- Builder — 99.9% monthly uptime target.
- Pro — 99.9% monthly uptime target.
- Business — 99.95% monthly uptime target with a formal customer SLA on request (see Section 8).
Planned maintenance is announced at least 48 hours in advance via in-app banner and email, and scheduled during low-traffic windows (typically Sundays, 02:00-05:00 US-Pacific).
3. Sub-processors
Buildra uses the following third-party sub-processors to deliver the service. We update this list at least 30 days before adding or removing any sub-processor; subscribe to updates at security@buildra.app.
| Sub-processor | Role | Region | Certifications |
|---|---|---|---|
| OpenAI | AI chat and text embeddings | US | SOC 2 Type 2; zero-retention API agreement |
| Anthropic | Claude AI chat (optional, Pro/Business) | US | SOC 2 Type 2; zero-retention API agreement |
| Pinecone | Vector search index for plan retrieval | us-east-1 | SOC 2 Type 2 |
| Cloudflare | R2 object storage, Workers, CDN | Global (R2 stored in US region) | ISO 27001, SOC 2 Type 2 |
| Vercel | Application hosting and edge network | us-east-1 | ISO 27001, ISO 27018 |
| Railway | Managed MySQL primary database | us-east-1 | SOC 2 Type 2 |
| Stripe | Payment processing and subscription billing | US | PCI-DSS Level 1, SOC 1, SOC 2 |
| Resend | Transactional email delivery | US | SOC 2 Type 2 |
| PostHog | Product analytics (optional, off by default) | US | SOC 2 Type 2 |
4. Compliance roadmap
- SOC 2 Type 1 — target attestation Q3 2026. Currently in active control implementation with our auditor.
- SOC 2 Type 2 — target attestation Q1 2027, based on a 6-month observation window starting after the Type 1 attestation.
- ISO 27001 — evaluation in progress; decision on scope and timeline expected late 2026.
- GDPR & CCPA — compliant today for data-subject rights and lawful basis for processing.
- HIPAA — not in scope. Buildra is a construction-industry product, not a healthcare product, and we do not sign BAAs.
5. Data residency
All customer data is stored in the United States today — primary region us-east-1 across Vercel, Railway, Pinecone, and Cloudflare R2. EU-based customers can use Buildra today; data simply transits to and is stored in the US under our standard contractual clauses.
EU residency (data stored in eu-west-1) is on the roadmap as a Business-tier add-on, planned alongside ISO 27001 evaluation. Contact sales@buildra.app to register interest.
6. Privacy & legal documents
- Terms of Service — the legal agreement governing your use of Buildra.
- Privacy Policy — how we collect, use, share, and protect personal data.
- Refund Policy — 14-day money-back on monthly, 30-day on annual.
- Data Processing Addendum (DPA) — template available on request for customers who require one for GDPR Article 28 compliance.
- Standard Contractual Clauses (SCCs) — included as an exhibit to the DPA for transfers from the EU/UK.
Need a signed copy of any of the above for procurement? Email legal@buildra.app and we will return a counter-signed PDF within 2 business days.
7. Vulnerability disclosure
We welcome responsible disclosure of suspected security issues. Report findings to security@buildra.app. We commit to:
- Acknowledging receipt within 1 business day.
- Triaging and confirming the issue within 5 business days.
- Coordinating disclosure on a default 90-day timeline (we will negotiate extensions for complex fixes).
- Crediting researchers in our public hall of fame (with permission) and offering a token of thanks within our budget. A formal paid bug bounty program is on the roadmap.
Please do not test against other customers' data, perform social-engineering attacks on Buildra staff, or run denial-of-service tests against production infrastructure.
8. Customer SLA
A formal customer-facing service-level agreement is available on request for Business tier customers. Standard terms include:
- 99.95% monthly uptime guarantee.
- Service credits of 10-30% of monthly fees if uptime falls below target, depending on severity.
- Severity-based response SLAs: 30-minute response for severity 1, 4-hour for severity 2, 1 business day for severity 3.
- 24/7 incident response coverage.
Email sales@buildra.app for a copy of the SLA template.
9. Insurance
Buildra maintains general commercial liability and professional liability (E&O) coverage. A cyber liability policy is in active procurement; carrier and policy limits will be published here once bound (target Q3 2026 alongside SOC 2 Type 1).
Certificates of insurance are available to Business tier customers on request via legal@buildra.app.
Talk to security
Have a security questionnaire, audit request, or specific compliance question? Email security@buildra.app and we will route it to the right person. For sales-engineering and procurement help, write to sales@buildra.app.