Construction-grade AI security.
Your bid strategies, labor rates, and project financials are trade secrets. Buildalytic is built to keep them that way. Every query is scoped to your organization. Your data never trains our AI models. We never sell your data.
Infrastructure & Data Protection
Data Isolation
Every database query in Buildalytic is scoped to your organization. Your project data, bid numbers, labor rates, and compliance documents are never accessible to another customer. Not through the UI, not through the API, not through AI. This is enforced at the application layer through our multi-tenant architecture and verified through automated testing on every deployment.
Encryption
All data transmitted between your browser and our servers is encrypted using TLS 1.3 with HSTS enforced on every endpoint. All customer data at rest, including call recordings, certified payroll reports, invoices, and database records, is encrypted using AES-256. Encryption keys are managed through cloud-native key management services with automatic rotation.
Infrastructure
Buildalytic runs on enterprise-grade cloud infrastructure on AWS with PostgreSQL databases, automated failover, continuous monitoring, and DDoS protection. Production environments are isolated within private networks. Automated daily backups with point-in-time recovery are encrypted and stored in geographically separate regions. We target 99.9% uptime.
Access Controls
User authentication is managed through JWT-based session tokens with support for multi-factor authentication. Access to features and data within each organization is controlled through role-based permissions. Internal access to production systems is restricted to authorized personnel with MFA, logged, and reviewed.
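As an added illustration of the token-and-role model described above (example code written for this page, not Buildalytic's implementation), the block below verifies an HS256 session token and then applies a role-permission check. The role names, permission strings, claim names (`org_id`, `role`, `amr`) and the signing secret are all assumed for the example. The point is the order of checks: algorithm and signature are verified before any claim is trusted, the token's organization is bound to the organization being accessed, and MFA is a claim the server checks rather than a flag the client sends.

```python
"""Session-token verification and role checks (illustrative, not Buildalytic's code)."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Assumed role model for the illustration; the real permission set is not on the page.
ROLE_PERMISSIONS = {
    "admin": {"bids:read", "bids:write", "payroll:read", "payroll:write", "recordings:delete"},
    "project_manager": {"bids:read", "bids:write", "payroll:read"},
    "foreman": {"daily_log:write"},
}


class AuthError(Exception):
    pass


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, secret: bytes) -> str:
    """Issue an HS256 token; in production the signing key lives in a KMS, not in code."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, secret: bytes, now: Optional[int] = None) -> dict:
    """Check structure, algorithm, signature and expiry before trusting any claim."""
    parts = token.split(".")
    if len(parts) != 3:
        raise AuthError("malformed token")
    h, p, s = parts
    try:
        header = json.loads(_b64url_decode(h))
    except ValueError:
        raise AuthError("malformed header")
    if header.get("alg") != "HS256":
        raise AuthError("unexpected alg")  # rejects alg=none and algorithm-confusion tokens
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise AuthError("bad signature")
    claims = json.loads(_b64url_decode(p))
    now = int(time.time()) if now is None else now
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise AuthError("expired")
    for name in ("sub", "org_id", "role"):
        if name not in claims:
            raise AuthError(f"missing claim {name}")
    return claims


def authorize(token: str, secret: bytes, permission: str, *, org_id: str,
              require_mfa: bool = False, now: Optional[int] = None) -> dict:
    """Authentication first, then org binding, MFA step-up, and role permission."""
    claims = verify_jwt(token, secret, now)
    if claims["org_id"] != org_id:
        raise AuthError("org mismatch")  # the org in the URL must be the org in the token
    if require_mfa and "mfa" not in claims.get("amr", []):
        raise AuthError("mfa required")
    if permission not in ROLE_PERMISSIONS.get(claims["role"], set()):
        raise AuthError("forbidden")
    return claims


def decision(token: str, secret: bytes, permission: str, org_id: str,
             now: int, require_mfa: bool = False) -> str:
    """Convenience wrapper: "allow" or the reason for denial."""
    try:
        authorize(token, secret, permission, org_id=org_id, require_mfa=require_mfa, now=now)
        return "allow"
    except AuthError as e:
        return str(e)


def forge_role(token: str, new_role: str) -> str:
    """Simulated tamper attempt: rewrite the role claim but keep the original signature."""
    h, p, s = token.split(".")
    claims = json.loads(_b64url_decode(p))
    claims["role"] = new_role
    return f"{h}.{_b64url(json.dumps(claims, separators=(',', ':')).encode())}.{s}"


def none_alg_token(claims: dict) -> str:
    """Simulated attack: unsigned token claiming alg=none."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."
```

The standard library is used here only to keep the example self-contained; a real service would use a maintained JWT library with a key held in the cloud key management service mentioned under Encryption, and would apply the same sequence of checks.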
Application Security
Our development process includes mandatory code review, automated testing, and dependency scanning on every pull request. Third-party dependencies are monitored for known vulnerabilities and critical patches are applied promptly. All user input is validated and sanitized to prevent injection attacks, cross-site scripting, and the other vulnerability classes in the OWASP Top 10.
Incident Response
We maintain continuous monitoring and alerting across all production systems. Our incident response follows a structured process: detection, containment, investigation, remediation, and post-incident review. In the event of a data breach affecting your information, we will notify affected customers within 72 hours of confirming the breach. This 72-hour commitment is stricter than California law, which (under the breach notification statute that the CCPA builds on) requires notice without unreasonable delay rather than within a fixed number of hours.
AI Security
Buildalytic uses AI to read documents, verify compliance, and power voice interactions. Your data is your intellectual property. Bid strategies, labor rates, project financials, and employee information remain proprietary and are never shared across customers.
Your data never trains our models
Buildalytic uses AI models from Anthropic (Claude), Google (Gemini), and OpenAI to process documents, analyze compliance, and power voice interactions. None of these providers train their models on your data. Your bid strategies, labor rates, project financials, and employee information are never used to improve models that serve other customers.
AI assists, never acts
Buildalytic AI reads documents, flags compliance issues, and generates reports. It does not autonomously submit bids, approve change orders, authorize payments, or alter financial data. Every AI output is presented for human review before action is taken. Your team stays in control.
Permission-aware processing
AI features respect your existing access controls. A project manager sees AI insights scoped to their projects. A foreman's voice daily log is only accessible to authorized users in their organization. AI never crosses organizational boundaries. The same multi-tenant isolation that protects your database protects your AI interactions.
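The scoping described under Data Isolation and here under Permission-aware processing can be illustrated with a small tenant-scoped data layer. This is an added example, not Buildalytic's code: the table names, the roles "admin" and "pm", and the sample rows are all assumed for the illustration, and an in-memory SQLite database stands in for PostgreSQL. What it shows is that the organization identifier is bound into every statement from the authenticated principal, never taken from the request, and that the documents assembled for an AI call pass through exactly the same layer, so a prompt cannot contain another tenant's data.

```python
"""Tenant-scoped reads for both the UI and AI context assembly (illustrative, not Buildalytic's code)."""
import sqlite3
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Principal:
    """Identity taken from the verified session, never from query parameters."""
    user_id: str
    org_id: str
    role: str  # assumed roles: "admin" sees every org project, "pm" only assigned ones


def seed() -> sqlite3.Connection:
    """Constructed sample data: two organizations, globally unique project ids."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE projects(id INTEGER PRIMARY KEY, org_id TEXT NOT NULL,
                              name TEXT, bid_total REAL);
        CREATE TABLE project_members(org_id TEXT, user_id TEXT, project_id INTEGER);
        CREATE TABLE documents(id INTEGER PRIMARY KEY, org_id TEXT NOT NULL,
                               project_id INTEGER, body TEXT);
    """)
    con.executemany("INSERT INTO projects VALUES (?,?,?,?)", [
        (1, "org-a", "Riverside Bridge", 4200000.0),
        (2, "org-a", "Elm St Retail", 910000.0),
        (3, "org-b", "Harbor Tunnel", 12500000.0),
    ])
    con.executemany("INSERT INTO project_members VALUES (?,?,?)", [
        ("org-a", "pm-alice", 2),
        ("org-b", "pm-bob", 3),
    ])
    con.executemany("INSERT INTO documents VALUES (?,?,?,?)", [
        (10, "org-a", 1, "Bridge labor rates: ironworker $58/hr"),
        (11, "org-a", 2, "Retail CPR week 12"),
        (12, "org-b", 3, "Tunnel bid strategy: undercut by 3%"),
    ])
    return con


class TenantScope:
    """Every statement binds who.org_id; callers cannot supply an org_id of their own."""

    def __init__(self, con: sqlite3.Connection, who: Principal):
        self.con, self.who = con, who

    def list_projects(self) -> list:
        if self.who.role == "admin":
            rows = self.con.execute(
                "SELECT id, name, bid_total FROM projects WHERE org_id = ? ORDER BY id",
                (self.who.org_id,))
        else:
            rows = self.con.execute(
                "SELECT p.id, p.name, p.bid_total FROM projects p "
                "JOIN project_members m ON m.project_id = p.id AND m.org_id = p.org_id "
                "WHERE p.org_id = ? AND m.user_id = ? ORDER BY p.id",
                (self.who.org_id, self.who.user_id))
        return [{"id": r[0], "name": r[1], "bid_total": r[2]} for r in rows]

    def get_project(self, project_id: int) -> Optional[dict]:
        # Wrong org and not-assigned both return None: no oracle for another tenant's ids.
        return next((p for p in self.list_projects() if p["id"] == project_id), None)

    def ai_context(self, project_id: int) -> list:
        """Documents handed to the model: exactly what the caller could open in the UI."""
        if self.get_project(project_id) is None:
            return []
        rows = self.con.execute(
            "SELECT body FROM documents WHERE org_id = ? AND project_id = ? ORDER BY id",
            (self.who.org_id, project_id))
        return [r[0] for r in rows]


def leaks_across_orgs(con: sqlite3.Connection, scopes: list) -> bool:
    """Deployment-time isolation check: does any scope ever see a document owned by another org?"""
    for scope in scopes:
        for p in scope.list_projects():
            for body in scope.ai_context(p["id"]):
                owner = con.execute("SELECT org_id FROM documents WHERE body = ?", (body,)).fetchone()[0]
                if owner != scope.who.org_id:
                    return True
    return False


def run_demo() -> dict:
    con = seed()
    admin_a = TenantScope(con, Principal("admin-ann", "org-a", "admin"))
    pm_a = TenantScope(con, Principal("pm-alice", "org-a", "pm"))
    pm_b = TenantScope(con, Principal("pm-bob", "org-b", "pm"))
    return {
        "admin_a_projects": [p["id"] for p in admin_a.list_projects()],
        "pm_a_projects": [p["id"] for p in pm_a.list_projects()],
        "admin_a_reads_org_b": admin_a.get_project(3),
        "pm_b_reads_own": pm_b.get_project(3)["name"],
        "admin_a_ctx_for_org_b": admin_a.ai_context(3),
        "pm_a_ctx_unassigned": pm_a.ai_context(1),
        "pm_b_ctx": pm_b.ai_context(3),
        "leaks": leaks_across_orgs(con, [admin_a, pm_a, pm_b]),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

On PostgreSQL the same application-layer pattern can be backed by row-level security policies keyed on the session's organization, so that a query which forgets the `org_id` predicate still returns nothing from another tenant.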
In-context only
When you upload a certified payroll report or a sub's invoice, the AI processes it in the context of your request and returns the result. The model does not retain the document; the only copy that persists is the one stored in your account. There is no shared memory across customers. Your data enters, your result exits, nothing leaks.
Voice & Call Data
Buildalytic handles inbound and outbound phone calls, voice daily logs, and SMS messaging. All voice data is treated with the same rigor as financial and compliance data.
Call recordings
Voice calls handled by Buildalytic (inbound receptionist, outbound outreach, voice daily logs) are recorded with caller consent and encrypted at rest using AES-256. Recordings default to 90-day retention with configurable longer periods. You can delete recordings at any time.
Transcription processing
Voice calls are transcribed in real-time using Deepgram (Nova-2) for speech recognition. Transcripts are stored encrypted within your organization's account. Transcription providers do not retain your audio data after processing.
TCPA compliance
All outbound calling through Buildalytic enforces TCPA compliance: calling window restrictions, Do Not Call list management, opt-out handling, and consent tracking. Our SMS messaging is A2P 10DLC registered and compliant with CTIA guidelines.
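The checks listed above can be expressed as a small gate that runs before every dial attempt. The following is an added example, not Buildalytic's code: the contact record, the policy object and the sample numbers are constructed for the illustration, and a fixed UTC-6 offset stands in for the called party's real time zone so the block runs without time zone data installed. The calling-window bounds come from the TCPA rule itself (8 a.m. to 9 p.m. at the called party's location, 47 CFR 64.1200(c)(1)); the STOP keyword list is the standard CTIA set.

```python
"""Outbound-call guardrails: consent, DNC/opt-out, calling window (illustrative, not Buildalytic's code)."""
from dataclasses import dataclass, field
from datetime import datetime, time, timedelta, timezone, tzinfo
from typing import Tuple

# Standard CTIA opt-out keywords; a reply consisting of one of these is an opt-out.
STOP_KEYWORDS = {"STOP", "STOPALL", "UNSUBSCRIBE", "CANCEL", "END", "QUIT"}


@dataclass
class Contact:
    number: str              # E.164 formatted
    local_tz: tzinfo         # called party's zone; in production derived from their address or area code
    consented: bool = False  # prior express consent on file


@dataclass
class OutboundPolicy:
    dnc: set = field(default_factory=set)  # internal do-not-call list plus opt-outs
    # TCPA, 47 CFR 64.1200(c)(1): no solicitation before 8 a.m. or after 9 p.m. at the
    # called party's location. The window is half-open so 21:00 itself is excluded.
    window_start: time = time(8, 0)
    window_end: time = time(21, 0)

    def handle_inbound_sms(self, number: str, body: str) -> bool:
        """Opt-out handling: on a STOP keyword, add the sender to DNC and return True."""
        if body.strip().upper() in STOP_KEYWORDS:
            self.dnc.add(number)
            return True
        return False

    def may_call(self, contact: Contact, now_utc: datetime) -> Tuple[bool, str]:
        """Gate every outbound attempt; order matters: DNC first, then consent, then time."""
        if contact.number in self.dnc:
            return False, "on do-not-call list"
        if not contact.consented:
            return False, "no recorded consent"
        local = now_utc.astimezone(contact.local_tz).time()
        if not (self.window_start <= local < self.window_end):
            return False, f"outside calling window ({local:%H:%M} local)"
        return True, "ok"


def run_demo() -> dict:
    """Constructed scenario with a Central-time contact (fixed UTC-6 offset, no tzdata needed)."""
    central = timezone(timedelta(hours=-6))
    policy = OutboundPolicy(dnc={"+15125550199"})  # constructed internal DNC entry
    sub = Contact("+15125550100", central, consented=True)
    unknown = Contact("+15125550101", central, consented=False)

    def utc(hour: int, minute: int, day: int = 5) -> datetime:
        return datetime(2024, 3, day, hour, minute, tzinfo=timezone.utc)

    out = {
        "0759_local": policy.may_call(sub, utc(13, 59)),          # 07:59 Central
        "0800_local": policy.may_call(sub, utc(14, 0)),           # 08:00 Central
        "2059_local": policy.may_call(sub, utc(2, 59, day=6)),    # 20:59 Central
        "2100_local": policy.may_call(sub, utc(3, 0, day=6)),     # 21:00 Central
        "no_consent": policy.may_call(unknown, utc(16, 0)),
        "chatter_not_optout": policy.handle_inbound_sms(sub.number, "Sounds good, call Tuesday"),
        "stop_reply_recognized": policy.handle_inbound_sms(sub.number, " stop "),
    }
    out["after_stop"] = policy.may_call(sub, utc(16, 0))  # 10:00 Central, but now opted out
    return out


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

In a deployment the contact's zone would come from `zoneinfo.ZoneInfo` keyed on the subscriber's address, the DNC set would also be checked against the national registry, and the consent flag would be backed by a timestamped record of how and when consent was obtained.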
Data Handling & Ownership
You retain full ownership of your data. We process it only to provide our services. Your data is never sold to third parties. Upon account termination, you may request a full data export within 30 days. All subprocessors are vetted for security practices and bound by data protection agreements.
Subprocessors
The following third-party services process customer data on behalf of Buildalytic. All subprocessors maintain their own security certifications and are bound by data protection agreements.
| Provider | Purpose | Location |
|---|---|---|
| Amazon Web Services | Cloud infrastructure, PostgreSQL database, file storage | United States |
| Vercel | Frontend hosting and edge network | United States |
| Anthropic | AI document analysis and compliance checking (Claude) | United States |
| Google Cloud | AI document parsing and vision extraction (Gemini) | United States |
| OpenAI | Text embeddings for document search | United States |
| Vapi | Voice AI call orchestration | United States |
| Deepgram | Speech-to-text transcription | United States |
| ElevenLabs | Voice synthesis for AI calls | United States |
| Twilio | Phone numbers and SMS messaging | United States |
| Resend | Transactional email delivery | United States |
Compliance & Certifications
Current compliance
Buildalytic is CCPA / CPRA compliant for California consumer data rights. Our SMS and voice communications comply with TCPA regulations, CTIA guidelines, and A2P 10DLC registration requirements. Our infrastructure and AI providers (AWS, Anthropic, Google Cloud, OpenAI) all maintain SOC 2 Type II, ISO 27001, and additional certifications.
Security roadmap
We chose to build security-first from day one rather than retrofit it later. Our multi-tenant architecture, encryption practices, and AI data handling policies are designed to meet enterprise requirements from the start. The next milestone on the roadmap is our own SOC 2 Type II certification, which is currently in the formal audit process.
Frequently Asked Questions
Can other contractors see my project data?
No. Every database query is scoped to your organization. There is no shared data layer between customers. Your projects, bids, financials, employees, and compliance documents are invisible to every other Buildalytic customer.
Does AI learn from my bid numbers or labor rates?
No. We use Anthropic Claude, Google Gemini, and OpenAI for AI processing. All three providers have enterprise data processing agreements that prohibit using customer data for model training. Your bid strategies, wage rates, and project financials are never used to train models.
How is certified payroll data protected?
Certified payroll reports contain employee PII (names, SSN fragments, addresses, wage rates). This data is encrypted at rest (AES-256) and in transit (TLS 1.3), scoped to your organization, and accessible only to authorized users with appropriate role permissions. AI processes CPR data for compliance checking but does not retain it anywhere outside your account.
What happens to my data if I cancel?
Upon account termination, you may request a full data export within 30 days. After the export window closes, all customer data, including project records, documents, call recordings, and AI-generated reports, is permanently deleted from our systems and backups within 90 days.
Who at Buildalytic can access my data?
Access to production systems is restricted to authorized engineering personnel with multi-factor authentication. All access is logged and reviewed. Customer data is never accessed without explicit permission from your organization, except as required to resolve a support request you initiate.
What happens to my voice recordings?
Call recordings are encrypted at rest, stored within your organization's account, and subject to your retention settings (default 90 days). Recordings are never shared across customers. Transcription providers (Deepgram) process audio in real-time and do not retain it. You can delete any recording at any time.
Do you have SOC 2 certification?
We are actively pursuing SOC 2 Type II certification. Our infrastructure and AI providers (AWS, Anthropic, Google Cloud, OpenAI) all maintain SOC 2 Type II certifications. We have implemented the security controls required by SOC 2 and are in the formal audit process. We are happy to share our current security posture documentation upon request.
Can you fill out our security questionnaire?
Yes. We maintain a master security questionnaire response document and can complete standard formats (SIG, CAIQ, HECVAT, or custom) within 5 business days. Contact raja@buildalytic.com to initiate.
Security Contact
To report a security vulnerability, request our security posture documentation, or submit a security questionnaire, contact us directly. We respond to all security inquiries within 2 business days.
