Security

Your data is our responsibility

BuildWorkPro is engineered with security at every layer of the stack. Your project data, financial records, contracts, and business information are protected by enterprise-grade controls designed specifically for the construction industry.

TLS 1.3
Encryption in transit
AES-256
Encryption at rest
2FA + RBAC
Authentication & access
Row-level
Tenant data isolation

Encryption

  • TLS 1.3 enforced for all data in transit — no fallback to older protocols
  • AES-256 encryption for all data at rest, including database storage and file uploads
  • Database backups encrypted at rest and stored with geographic redundancy
  • Passwords hashed using bcrypt with industry-standard cost factors — never stored in plaintext or reversible form
  • Sensitive tokens (2FA secrets, reset codes) encrypted before storage

Authentication & Access Control

  • Two-factor authentication (TOTP) available for all user accounts
  • Role-based access control (RBAC) with five permission tiers: Administrator, Manager, Member, Field Crew, and Viewer
  • Over 30 granular permissions across 10 resource areas — each API endpoint enforces permission checks at the middleware layer
  • Configurable session timeouts: 24-hour idle expiration, 30-day maximum session lifetime
  • Automatic account lockout after repeated failed authentication attempts
  • OAuth 2.0 integration with Google and Apple for secure single sign-on

Infrastructure Security

  • Hosted on enterprise-grade cloud infrastructure with managed database services
  • Automated daily backups with point-in-time recovery capability
  • DDoS protection and intelligent rate limiting at the network edge
  • Network isolation, firewall rules, and restricted access to production systems
  • Regular infrastructure patching and automated security updates
  • Centralized secrets management — credentials are never stored in source code, environment files, or application repositories

Application Security

  • CSRF protection enforced on every state-changing API endpoint
  • All user inputs validated and sanitized at the API boundary using schema-based validation (Zod)
  • SQL injection prevention via parameterized queries (Drizzle ORM) — no raw SQL concatenation
  • XSS mitigation through output encoding and Content Security Policy (CSP) headers
  • Automated dependency vulnerability scanning on every build
  • API key authentication for REST API integrations with per-key permission scoping

Multi-Tenant Data Isolation

  • Row-level tenant isolation — every database query against business data is scoped to your organization at the middleware layer
  • Architectural enforcement: tenant context is required (not optional) for every business data operation — queries without tenant scoping are rejected, never silently returned
  • Separate file storage partitions per organization — documents are stored under tenant-specific paths and validated on every access
  • Complete audit trail of all data access and modification events, including user identity, timestamp, and affected resources
  • Cross-tenant data access is architecturally impossible through the application layer

Compliance & Operational Practices

  • Soft delete architecture: deleted records are retained with a recovery period before permanent removal — no accidental, irreversible data loss
  • Configurable data retention policies managed by organization administrators
  • Full data export in standard, machine-readable formats (CSV) and via REST API for data portability
  • Data Processing Agreement (DPA) available upon request for GDPR, UK GDPR, and other regulatory compliance
  • Regular internal security reviews, code audits, and threat modeling exercises
  • Billing records retained for 7 years per U.S. federal and state tax regulations

Our Commitment to Data Protection

Construction businesses entrust BuildWorkPro with sensitive operational data — bid amounts, project financials, subcontractor relationships, pay application records, and proprietary cost structures. We treat this responsibility with the same gravity as handling privileged information.

Our multi-tenant architecture ensures that your organization’s data is never commingled with another organization’s data. Every database query, every API request, and every file access is scoped to your tenant at the infrastructure level. This is not a configuration option — it is an architectural invariant enforced at the middleware layer.

We are transparent about our security practices because we believe that informed customers make better decisions about the tools they trust with their business. If you have questions about any aspect of our security posture, we welcome the conversation.

Responsible Disclosure

If you discover a security vulnerability in the BuildWorkPro platform, we encourage you to report it responsibly. We are committed to investigating and addressing all legitimate security reports promptly. Please do not publicly disclose the vulnerability until we have had a reasonable opportunity to remediate it.

Report a Vulnerability

Security reports: security@buildworkpro.com · Please include a detailed description of the vulnerability, steps to reproduce, and any supporting evidence. We will acknowledge receipt within 48 hours.

Ready to run your sub business the right way?

Join specialty contractors who are winning more bids, getting paid faster, and growing their business with the platform built for subs.

Pre-launch access available for select contractors.