G’day! It looks like you’re in Australia     

You're currently on BuildPass’ USA site.

See content specific to your location by switching to the Australian site.

Switch to the Australian site
It looks like you’re in Canada 🇨🇦

For content, pricing and features tailored to your region please click below.

Switch to your local site
Looks like you’re in the United States!     

You're currently on BuildPass’ Australian site.

For content, pricing, and features tailored to the US, switch to the US site.

Switch to the US site

BuildPass Information Security

For any security concerns, please email security@buildpass.ai

Overview

At BuildPass, given the significance of the data we transact on, we employ strict access control and robust data storage measures to ensure security and compliance.

All our US data is stored in Amazon Web Services (AWS) US-East-2 (Ohio), utilizing best practice security measures, including encryption at rest (storage) and in transit (transmission). Our services are tightly secured with access controls. We use industry-proven authentication services such as Auth0 and Clerk, ensuring only authorised individuals have access to sensitive data.

Additionally, all images are securely stored, with most requiring access keys for retrieval to prevent unauthorised access. In cases where public accessibility is necessary, images are made available via unique, GUID-based URLs that are cryptographically generated and difficult to guess, ensuring security while allowing controlled access.

We conduct frequent internal security audits, drawing from best practices established at REA Group and SEEK, to ensure compliance with security, privacy, and data protection standards, safeguarding all customer data.

Data Storage

1. What type of data is stored or given access to?

BuildPass stores and processes the following types of data:

  • Basic profile data (first name, last name, emails)
  • Low-level medical information (e.g., allergen information for construction site safety purposes)
  • Project management information
  • Site documentation and records
  • Images and documentation related to construction activities

2. Where is the data stored?

Data is stored in AWS US-East-2 (Ohio) region through Neon database service.

3. What are the security standards of the data warehouse?

Our data storage follows AWS security standards and best practices. We use Neon as our database provider, which implements comprehensive security measures including:

Database Security:

  • SOC2 compliance and working toward ISO27001 certification
  • AES-256 encryption for data at rest on NVMe SSD volumes
  • Required SSL/TLS encryption with verify-full SSL mode support for all connections
  • Secure password enforcement with 60-bit entropy for all Postgres roles
  • Neon Proxy that guards against unauthorized login attempts
  • IP allowlist support to limit access to trusted IP addresses
  • Protected branches feature to prevent accidental deletion of critical data

Infrastructure Security:

  • Hosting in secure AWS data centers
  • Data segmentation and isolation using VPCs and Security Groups
  • Fine-grained access control via IAM
  • Comprehensive data access logging and auditing

4. What kind of logging is there for usage/creation/deletion/modification of data?

We maintain comprehensive, tamper-proof logging for all data operations:

  • All data changes are captured in immutable audit logs
  • Database-level logging through Neon providing point-in-time recovery capabilities
  • Activity logs for administrative actions with digital signature capabilities
  • Error and access logs for security monitoring

5. Are there any data backups or snapshotting? On what interval?

  • Automatic backups with 14-day retention period
  • Point-in-time recovery capability down to the second
  • Full recovery and snapshot capabilities within the 14-day window

6. What are your data retention policies?

Our data retention practices align with our Privacy Policy and regulatory requirements:

  • Inductions and HR Records are retained for the duration of the customer's active account
  • Project documentation and records can be retained for 7+ years to meet regulatory requirements
  • Operational logs and analytics are retained and purged periodically based on business needs
  • Audit logs are maintained for security and compliance purposes in accordance with industry best practices

User Access

1. How do users sign-in / authenticate?

BuildPass supports multiple authentication methods depending on user type:

  • Administrators/Construction Professionals: Email and password authentication
  • On-site Workers: Mobile phone number authentication
  • Enterprise Plans: Can enable additional options including social sign-ons or custom MFA solutions

2. What SSO options are available?

  • Standard plans do not currently include SSO options
  • Enterprise plans can enable social sign-ons and custom SSO integrations
    • SAML, OIDC, and EASIE.

3. Is MFA available?

  • Standard plans: Not available by default
  • Enterprise plans: MFA can be enabled through preferred provider

4. How are licenses/accounts provisioned and deprovisioned?

  • Manual invitation process for admins (email, name)
  • Account costs recalculated monthly or according to annual contract terms
  • Deprovisioning handled through central user management interface within BuildPass

5. How are permissions to different data sets managed? How granular are the permissions?

BuildPass offers several permission levels by default:

  1. Owner: Ultimate access to all data and functionality across all projects
  2. Manager: Full access to all projects data, cannot modify owner access
  3. Project Manager: Access limited to specifically assigned projects

Additional granular permissions are available for specific features:

  • Custom roles for modules like defects and site diaries
  • Granular permissions for view, create, update, and archive actions
  • Enterprise customers can request additional custom permission schemes

6. Can user access be centrally managed?

Yes, BuildPass provides central management for:

  • Adding/removing administrators and accounts
  • Viewing and managing on-site workers and contractors
  • Managing project-specific access

7. Can access to specific features or data be restricted based on user roles?

Yes, we support role-based access control:

  • Project managers can be limited to specific projects
  • Custom roles can restrict access to specific modules (currently defects and site diaries)
  • View-only access can be configured for specific features
  • Granular permissions for specific actions (view, create, update, archive)

External Sharing

1. Are there any features that allow for sharing of data externally?

Yes, optional AI features.

a. What are these features?

BuildPass offers optional features that involve external data sharing:

  • AI-powered features that process data using services from OpenAI, Anthropic, and Google
  • These features are opt-in and can be granularly controlled through settings

b. How are they centrally managed or secured?

  • All external sharing features can be managed through BuildPass settings
  • Admin-level controls to enable/disable specific integrations
  • Data processing follows industry security standards

c. Can external sharing be audited by admins?

Individual API calls to external services are not directly auditable by customers, but admins can:

  • Control which features are enabled/disabled
  • Turn off external integrations entirely if preferred

Applications / Services

1. Are there any applications that require device installations?

Yes, an optional BuildPass on site worker app

a. Can these applications write, modify, or delete data on the device?

No, the BuildPass app does not modify device data. It may:

  • Upload photos taken for documentation, defect reporting, or quality analysis
  • Use device storage temporarily for offline functionality

b. What is the scope of where/when/how it works with on-device data?

  • Requires internet connectivity for most functions
  • Limited offline functionality for checklists and quality analysis
  • Can be configured to sync only when on Wi-Fi for data-intensive features
  • Offline data is synchronized when internet connectivity is restored

2. Is there a status page for when application or services are up or down?

Not currently available. We are evaluating implementation of a public status page.

3. How often are services down?

BuildPass maintains high availability standards, with 99.998% uptime over the past year. Specific SLAs can be provided upon request for enterprise customers.

4. Is customer data shared with third parties? If so, what specific data is shared and with which services?

BuildPass shares limited data with the following services:

  • PostHog (analytics platform): User activity, page access, error tracking
  • HubSpot (CRM): Customer relationship data
  • Intercom (support chat): User information for support purposes
  • Datadog/Sentry: Error and performance monitoring data

All third-party sharing complies with our Privacy Policy.

API Integration and Security

1. Is there an available API?

Yes, available at developer.buildpass.global

a. Are API calls logged and monitored for unusual activity?

Yes, all API activities are:

  • Comprehensively logged
  • Monitored for anomalies and unusual patterns
  • Subject to automated security alerts

b. Are there rate-limiting or throttling mechanisms in place for API requests?

Yes, API requests are rate-limited to:

  • 100 requests per 10 seconds per IP address
  • Response headers include:
    • X-Rate-Limit-Limit: Maximum requests allowed
    • X-Rate-Limit-Remaining: Requests remaining in current period
    • X-Rate-Limit-Reset: Timestamp when limit resets

Incident Response

1. Within what timeframe do you disclose data breaches?

BuildPass follows US regulatory requirements for breach notifications:

  • We adhere to the principle of notification "without unreasonable delay"
  • We comply with all applicable state and federal regulations
  • Specific timeframes may apply depending on the nature of the data involved and relevant regulations

In practice, we aim to provide notifications as soon as possible after detection and assessment, typically within days rather than weeks. Our incident response plan includes immediate containment, assessment, and notification procedures to ensure timely communication with affected users.

Additional Security Information

Is BuildPass SOC2 or ISO 27001 Certified?

BuildPass is currently undergoing SOC2 certification with Assurance Labs. Upon completion, we plan to pursue ISO 27001 certification to further strengthen our security posture.

NYC Department of Buildings (DOB) Compliance

For customers operating in New York City, BuildPass fully complies with DOB Bulletin 2024-007 requirements for digital record-keeping systems:

  • Tamper-proof logs with immutable audit trails
  • Verifiable digital signatures with certificate-based authentication
  • Multi-factor authentication (available on enterprise plans)
  • 7-year data retention with on-site availability and offline access
  • Mobile and tablet-based field access with timestamped reporting and digital sign-offs

These features are actively used by our customers across high-compliance environments where robust security and regulatory compliance are non-negotiable.

General Terms

Our commitment to privacy and data security is outlined in our official policies:

For any further security-related inquiries, please contact our team at security@buildpass.ai