Enterprise Security

Your project data is our highest priority.

Construction records are legal documents. Struxcor protects them with the same security standards used by banks and government agencies.

AES-256-GCM Encryption

All sensitive data is encrypted at rest with AES-256-GCM, using a fresh initialization vector for every encryption and an authentication tag that detects any modification of the stored ciphertext. Data in transit is protected by TLS 1.3, with the domain on the HSTS preload list so browsers never attempt a plaintext connection.

Row-Level Security

800+ database policies enforce org-level data isolation at the database layer. Every query is scoped to the caller's organization by these policies rather than by application code, so a query that forgets a filter still cannot return another tenant's rows.

Multi-Factor Authentication

TOTP-based MFA with QR enrollment. Admins can enforce MFA org-wide for all team members. Failed attempts are rate-limited and logged.

Audit Logging

Every significant action — logins, data changes, exports, role changes, team invites — is logged with IP address, user agent, and timestamp. Searchable admin dashboard included.

SSO & SAML

Enterprise single sign-on via SAML 2.0 and OAuth. Integrate with your identity provider — Okta, Azure AD, Google Workspace, or any SAML-compliant IdP.

Rate Limiting & DDoS Protection

Three-tier rate limiting: edge-level IP throttling, per-org request quotas, and per-route limits. Authentication endpoints are capped at 20 requests per minute to slow credential brute-forcing and stuffing.

Content Security Policy

A strict Content Security Policy with a restrictive script-src directive limits what an injected script can do, and X-Frame-Options: DENY stops the app from being framed for clickjacking. HSTS with preload and Cross-Origin-Resource-Policy (CORP) headers are set on every response as well.

GDPR & Data Export

Full GDPR Article 15 (right of access) compliance. Any user can export their complete data in one click. Exports are rate-limited to prevent abuse, and every export request is logged to the audit trail.

Session Management

JWT-based sessions with automatic expiry. Users can revoke all other sessions from their account settings, and admins have visibility into active sessions across the organization.

Compliance & Certifications

SOC 2 Type II
GDPR compliant
CCPA/CPRA compliant
HSTS preloaded
TLS 1.3 enforced
Encrypted backups
90-day data retention on cancel
Role-based access control
IP-based audit trail
Automated vulnerability scanning
Responsible disclosure program
Data Processing Agreement available

Infrastructure & Architecture

Hosting & Network

  • Deployed on Vercel's edge network (AWS-backed)
  • Database hosted on Supabase (AWS us-east-1)
  • Automatic failover and point-in-time recovery
  • CDN-cached static assets with cache invalidation

Access Control

  • Role-based access: Admin, RE, Inspector, Viewer
  • Project-level permissions with team assignments
  • Invite-only team onboarding with email verification
  • Contractor portal with limited, scoped access

Data Protection

  • AES-256-GCM encryption at rest
  • TLS 1.3 encryption in transit
  • Encrypted database backups (daily)
  • 90-day read-only access after cancellation

Monitoring & Response

  • Real-time error tracking via Sentry
  • Automated uptime monitoring
  • security@struxcor.com for vulnerability reports
  • Responsible disclosure program

Questions about security?

Our team is happy to walk through our security architecture, provide our SOC 2 report, or complete your vendor security questionnaire.