Security & Trust Center
How Caelum Build protects your construction data
- AES-256: encryption at rest
- TLS 1.3: encryption in transit
- MFA: multi-factor auth
- GDPR: data portability & deletion
Data Protection
| Control | Implementation |
|---|---|
| Encryption at rest | AES-256 (Fernet) on sensitive fields: documents, estimates, MFA secrets |
| Encryption in transit | TLS 1.3 enforced on all connections. HSTS with 2-year max-age. |
| Database isolation | PostgreSQL with per-application credentials. Connection pooling with pre-ping. |
| File storage | Uploads stored in object storage (S3/R2) with private ACL. Signed URLs for access. |
| Vector database | ChromaDB running in isolated network segment. No raw document text in queries. |
| Backup retention | Daily automated backups with 30-day retention. Point-in-time recovery. |
| AI data handling | Confidential data routed to local Gemma model — never leaves your infrastructure. Cloud AI receives only non-confidential prompts. |
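The "encryption at rest" row names Fernet on a handful of sensitive fields. The block below is an added illustration of what field-level Fernet encryption with a rotating key ring looks like; it is not Caelum Build's code, and the field names, the newest-key-first key list and the in-memory flow are assumptions. One caveat worth knowing when reading the table: the Fernet construction as implemented in the Python `cryptography` library encrypts with AES-128 in CBC mode and authenticates with HMAC-SHA256, so a control that must be AES-256 end to end needs a different construction (AES-256-GCM, for example).

```python
"""Field-level encryption at rest with Fernet and a rotating key ring.

Added example, not Caelum Build's code. Assumes (not from the page) that keys are
supplied as a list, newest first, and that only the named sensitive fields are
encrypted; everything else is stored as plaintext.
"""
import json
from typing import Dict, List

from cryptography.fernet import Fernet, InvalidToken, MultiFernet

# Field names assumed for illustration; the page only names the categories
# (documents, estimates, MFA secrets).
SENSITIVE_FIELDS = frozenset({"document_body", "estimate_total", "mfa_secret"})


def generate_key() -> bytes:
    """A fresh 32-byte urlsafe-base64 Fernet key (wraps Fernet.generate_key)."""
    return Fernet.generate_key()


class FieldCipher:
    """Encrypts designated fields of a record.

    MultiFernet encrypts with the first key and tries every key on decrypt,
    so a new key can be added at the front and old rows re-encrypted later.
    """

    def __init__(self, keys: List[bytes]) -> None:
        if not keys:
            raise ValueError("at least one Fernet key is required")
        self._ring = MultiFernet([Fernet(k) for k in keys])

    def seal(self, record: Dict) -> Dict:
        """Return a copy of `record` with sensitive fields replaced by Fernet tokens."""
        out = {}
        for name, value in record.items():
            if name in SENSITIVE_FIELDS:
                # JSON-encode first so numbers and None round-trip exactly.
                token = self._ring.encrypt(json.dumps(value).encode("utf-8"))
                out[name] = token.decode("ascii")
            else:
                out[name] = value
        return out

    def open(self, stored: Dict) -> Dict:
        """Inverse of seal(); raises InvalidToken if no key in the ring fits."""
        out = {}
        for name, value in stored.items():
            if name in SENSITIVE_FIELDS:
                out[name] = json.loads(self._ring.decrypt(value.encode("ascii")))
            else:
                out[name] = value
        return out

    def can_open(self, stored: Dict) -> bool:
        """True if every sensitive field decrypts under some key in the ring."""
        try:
            self.open(stored)
            return True
        except InvalidToken:
            return False

    def rotate(self, stored: Dict) -> Dict:
        """Re-encrypt sensitive fields under the current primary (first) key."""
        out = dict(stored)
        for name in SENSITIVE_FIELDS.intersection(stored):
            out[name] = self._ring.rotate(stored[name].encode("ascii")).decode("ascii")
        return out


if __name__ == "__main__":
    old_key, new_key = generate_key(), generate_key()
    row = {"id": 42, "estimate_total": 12500.5, "mfa_secret": "JBSWY3DPEHPK3PXP"}
    sealed = FieldCipher([old_key]).seal(row)
    ring = FieldCipher([new_key, old_key])             # new key added at the front
    print(ring.open(sealed) == row)                    # old rows still readable
    rotated = ring.rotate(sealed)
    print(FieldCipher([new_key]).can_open(rotated))    # readable with the new key alone
```

The point of the key ring is that rotation is a background job rather than an outage: rows sealed under the old key stay readable, `rotate()` re-wraps them one at a time, and the old key is dropped from the list only after the last row has been re-encrypted.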
Access Controls
Authentication
- TOTP-based multi-factor authentication
- Bcrypt password hashing (cost factor 12)
- Google & Microsoft SSO (OAuth 2.0 / OIDC)
- Session expiry (configurable, default 12 hours)
- Account lockout after repeated failures
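Two of the items above, TOTP verification and lockout after repeated failures, are small enough to show end to end. The block below is an added example written against the Python standard library only; it is not Caelum Build's code. It assumes the defaults most authenticator apps use (HMAC-SHA1, 30-second steps, 6 digits), a one-step drift window, and an in-memory failure table; the bcrypt password step is not shown.

```python
"""TOTP verification (RFC 6238) and account lockout, standard library only.

Added example, not Caelum Build's code. Assumes SHA-1, 30-second steps, 6 digits
and an in-memory lockout table.
"""
import base64
import hashlib
import hmac
import struct
from typing import Dict, Optional


def decode_base32_secret(secret: str) -> bytes:
    """Decode the base32 secret shown at enrolment (spaces, case and padding tolerated)."""
    cleaned = secret.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(key, at // step, digits)


def verify_totp(key: bytes, code: str, at: int, last_counter: Optional[int] = None,
                window: int = 1, step: int = 30, digits: int = 6) -> Optional[int]:
    """Return the matching time-step counter, or None.

    `window` tolerates one step of clock drift either side. `last_counter` is the
    step of the last accepted code; candidates at or before it are skipped so a
    code that was already used cannot be replayed within the window.
    """
    if not (code.isascii() and code.isdigit() and len(code) == digits):
        return None
    current = at // step
    for candidate in range(current - window, current + window + 1):
        if last_counter is not None and candidate <= last_counter:
            continue
        if hmac.compare_digest(hotp(key, candidate, digits), code):
            return candidate
    return None


class LockoutPolicy:
    """Lock an account for `lockout_seconds` after `max_failures` consecutive failures."""

    def __init__(self, max_failures: int = 5, lockout_seconds: int = 900) -> None:
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self._failures: Dict[str, int] = {}
        self._locked_until: Dict[str, float] = {}

    def is_locked(self, user: str, now: float) -> bool:
        return now < self._locked_until.get(user, 0.0)

    def record_failure(self, user: str, now: float) -> bool:
        """Count a failed attempt; returns True if the account is now locked."""
        count = self._failures.get(user, 0) + 1
        self._failures[user] = count
        if count >= self.max_failures:
            self._locked_until[user] = now + self.lockout_seconds
            self._failures[user] = 0
            return True
        return False

    def record_success(self, user: str) -> None:
        self._failures.pop(user, None)
        self._locked_until.pop(user, None)


if __name__ == "__main__":
    # RFC 6238 Appendix B test secret (constructed input, not a real user secret).
    key = decode_base32_secret("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    print(totp(key, 59), verify_totp(key, totp(key, 59), 59))   # 287082 1
```

Two details are easy to get wrong in production: compare codes with `hmac.compare_digest`, not `==`, and persist the accepted counter per user so the same code is rejected on a second submission within the drift window.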
Authorization
- Role-based access: admin / manager / estimator / superintendent / user
- Project-level RBAC: owner / manager / estimator / superintendent / viewer
- Plan-gated features (starter / professional / enterprise)
- API keys with read/write scope separation
- CSRF protection on all state-changing endpoints
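The authorization list combines four independent checks: a global role, a project-level role, the plan tier, and the scope of an API key when one is used. The block below is an added example of evaluating them together with deny by default; it is not Caelum Build's code. The role and plan names come from the list above, while the action names, the role-to-action mapping and which actions are plan-gated are assumptions made for illustration.

```python
"""Deny-by-default authorization: global role, project role, plan tier, API-key scope.

Added example, not Caelum Build's code. Role and plan names are from the page;
the action names and the mappings below are assumed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

GLOBAL_ROLES = ("admin", "manager", "estimator", "superintendent", "user")
PROJECT_ROLES = ("owner", "manager", "estimator", "superintendent", "viewer")
PLANS = ("starter", "professional", "enterprise")          # ordered low to high

# Assumed mapping: which project roles may perform which actions.
PROJECT_PERMISSIONS: Dict[str, frozenset] = {
    "project.read": frozenset(PROJECT_ROLES),
    "estimate.write": frozenset({"owner", "manager", "estimator"}),
    "schedule.write": frozenset({"owner", "manager", "superintendent"}),
    "project.delete": frozenset({"owner"}),
}
# Assumed plan gating: minimum plan for an action; unlisted actions need only starter.
PLAN_GATED = {"schedule.write": "professional", "project.delete": "enterprise"}
WRITE_ACTIONS = frozenset(a for a in PROJECT_PERMISSIONS if not a.endswith(".read"))


@dataclass(frozen=True)
class Principal:
    user_id: str
    global_role: str
    plan: str
    project_roles: Dict[str, str] = field(default_factory=dict)   # project_id -> role
    api_key_scope: Optional[str] = None   # "read" or "write" when the call carries an API key


def plan_allows(plan: str, action: str) -> bool:
    needed = PLAN_GATED.get(action, PLANS[0])
    return PLANS.index(plan) >= PLANS.index(needed)


def authorize(p: Principal, project_id: str, action: str) -> Tuple[bool, str]:
    """Return (allowed, reason). Anything that is not an explicit allow is a deny."""
    if action not in PROJECT_PERMISSIONS:
        return False, "unknown action"
    if p.global_role not in GLOBAL_ROLES or p.plan not in PLANS:
        return False, "malformed principal"
    if p.api_key_scope not in (None, "read", "write"):
        return False, "unknown api key scope"
    # An API key's scope caps what its owner could otherwise do.
    if p.api_key_scope == "read" and action in WRITE_ACTIONS:
        return False, "api key is read-only"
    if not plan_allows(p.plan, action):
        return False, "requires {} plan".format(PLAN_GATED[action])
    if p.global_role == "admin":
        return True, "global admin"
    role = p.project_roles.get(project_id)
    if role is None:
        return False, "not a member of the project"
    if role in PROJECT_PERMISSIONS[action]:
        return True, "project role {}".format(role)
    return False, "project role {} cannot {}".format(role, action)


if __name__ == "__main__":
    est = Principal("u1", "estimator", "professional", {"p1": "estimator"})
    print(authorize(est, "p1", "estimate.write"))   # (True, 'project role estimator')
    ro = Principal("u1", "estimator", "professional", {"p1": "estimator"}, api_key_scope="read")
    print(authorize(ro, "p1", "estimate.write"))    # (False, 'api key is read-only')
```

The ordering matters: the key-scope and plan checks run before the admin shortcut, so a read-scoped key issued to an admin still cannot write, and the function returns a reason string so that every denial can be logged with the check that produced it.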
Audit & Compliance
Audit Trail
- Immutable audit log for every user action
- Records: action, user, resource, timestamp, IP
- Admin export to CSV for compliance reviews
- Retained for minimum 12 months
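The list says the audit log is immutable and records action, user, resource, timestamp and IP, but not how immutability is enforced. The block below is an added example, not Caelum Build's code, of one common way to make silent edits detectable: each record carries a SHA-256 over its own fields plus the previous record's hash, so a verifier can find the first altered record, and the newest hash can be stored out of band to detect truncation of the tail. The CSV export matches the "admin export to CSV" item. The sample records are constructed.

```python
"""Hash-chained, append-only audit log with CSV export.

Added example, not Caelum Build's code. Hash chaining is an assumed mechanism;
the record fields are the ones the page lists.
"""
import csv
import hashlib
import io
import json
from typing import List, Optional, Tuple

GENESIS_HASH = "0" * 64
FIELDS = ("seq", "timestamp", "user", "action", "resource", "ip", "prev_hash", "hash")


def _digest(entry: dict) -> str:
    """SHA-256 over a canonical JSON encoding of every field except the hash itself."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(canonical).hexdigest()


class AuditLog:
    def __init__(self) -> None:
        self.entries: List[dict] = []

    def append(self, *, action: str, user: str, resource: str, timestamp: str, ip: str) -> dict:
        """Append one record; its hash covers its own fields and the previous record's hash."""
        prev = self.entries[-1]["hash"] if self.entries else GENESIS_HASH
        entry = {"seq": len(self.entries), "timestamp": timestamp, "user": user,
                 "action": action, "resource": resource, "ip": ip, "prev_hash": prev}
        entry["hash"] = _digest(entry)
        self.entries.append(entry)
        return entry

    def head(self) -> str:
        """Hash of the newest record; keep a copy out of band to detect tail truncation."""
        return self.entries[-1]["hash"] if self.entries else GENESIS_HASH

    def verify(self, expected_head: Optional[str] = None) -> Tuple[bool, Optional[int]]:
        """Walk the chain; returns (ok, index of the first bad record or None)."""
        prev = GENESIS_HASH
        for i, entry in enumerate(self.entries):
            if entry["seq"] != i or entry["prev_hash"] != prev or _digest(entry) != entry["hash"]:
                return False, i
            prev = entry["hash"]
        if expected_head is not None and prev != expected_head:
            return False, len(self.entries)   # records missing from the tail
        return True, None

    def to_csv(self) -> str:
        """Export for compliance review, one row per record, hashes included."""
        buf = io.StringIO()
        writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
        writer.writeheader()
        writer.writerows(self.entries)
        return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample records.
    log = AuditLog()
    log.append(action="estimate.update", user="alice", resource="estimate/17",
               timestamp="2026-01-05T09:12:00Z", ip="203.0.113.7")
    log.append(action="document.download", user="bob", resource="doc/301",
               timestamp="2026-01-05T09:15:30Z", ip="198.51.100.4")
    print(log.verify())          # (True, None)
    log.entries[0]["ip"] = "10.0.0.9"
    print(log.verify())          # (False, 0)
```

A chain on its own only proves records were not edited or reordered; deleting the newest records leaves a chain that still verifies, which is why `verify()` accepts the last known head hash and why that hash belongs somewhere the application cannot overwrite.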
Privacy Rights (GDPR / CCPA)
- Full data export (JSON) on request
- Account deletion with data erasure
- Email preference management
- No data sold to third parties
Infrastructure Security
| Control | Implementation |
|---|---|
| Firewall | UFW with allow-list — only ports 22, 80, 443 open. |
| Intrusion detection | Fail2ban blocks IPs after repeated auth failures. |
| Rate limiting | Per-IP and per-user limits on all API endpoints. |
| Dependency scanning | Automated pip-audit in CI/CD pipeline. |
| Secret scanning | GitHub Secret Scanning on all pushes. |
| CSP / CORS | Strict Content-Security-Policy with per-request nonces. |
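Two of the application-layer controls above, per-IP and per-user rate limiting and a CSP with per-request nonces, are shown together in the added example below. It is not Caelum Build's code: the bucket sizes, the CSP directives other than the nonce, and the extra response headers are assumptions, and the HSTS value is the 2-year max-age stated in the data-protection table expressed in seconds.

```python
"""Per-IP and per-user token-bucket rate limiting, plus CSP-with-nonce and HSTS headers.

Added example, not Caelum Build's code. Bucket sizes, the non-nonce CSP
directives and the extra headers are assumed.
"""
import base64
import secrets
from typing import Dict, Optional, Tuple


class TokenBucket:
    """Classic token bucket: `capacity` burst, refilled at `refill_per_second`."""

    def __init__(self, capacity: int, refill_per_second: float) -> None:
        self.capacity = float(capacity)
        self.rate = refill_per_second
        self._state: Dict[str, Tuple[float, float]] = {}   # key -> (tokens, last_seen)

    def allow(self, key: str, now: float) -> bool:
        tokens, last = self._state.get(key, (self.capacity, now))
        tokens = min(self.capacity, tokens + max(0.0, now - last) * self.rate)
        if tokens >= 1.0:
            self._state[key] = (tokens - 1.0, now)
            return True
        self._state[key] = (tokens, now)
        return False


class ApiThrottle:
    """Checks the IP bucket first so one abusive IP cannot drain a user's whole budget."""

    def __init__(self, per_ip: Tuple[int, float] = (100, 100 / 60),
                 per_user: Tuple[int, float] = (600, 10.0)) -> None:
        self._ip = TokenBucket(*per_ip)
        self._user = TokenBucket(*per_user)

    def check(self, ip: str, user_id: Optional[str], now: float) -> Tuple[bool, str]:
        if not self._ip.allow(ip, now):
            return False, "ip limit"
        if user_id is not None and not self._user.allow(user_id, now):
            return False, "user limit"
        return True, "ok"


HSTS_TWO_YEARS = "max-age=63072000"   # 2 * 365 * 86400 seconds


def new_nonce() -> str:
    """128 bits from the CSPRNG, base64-encoded as CSP expects; generate one per response."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")


def security_headers(nonce: str) -> Dict[str, str]:
    """Response headers for one request; the nonce must match the <script nonce=...> tags."""
    csp = "; ".join([
        "default-src 'self'",
        "script-src 'self' 'nonce-{}'".format(nonce),
        "style-src 'self' 'nonce-{}'".format(nonce),
        "object-src 'none'",
        "base-uri 'self'",
        "frame-ancestors 'none'",
    ])
    return {
        "Content-Security-Policy": csp,
        "Strict-Transport-Security": HSTS_TWO_YEARS,
        "X-Content-Type-Options": "nosniff",
        "Referrer-Policy": "strict-origin-when-cross-origin",
    }


if __name__ == "__main__":
    throttle = ApiThrottle(per_ip=(3, 1.0))
    print([throttle.check("203.0.113.7", "alice", 0.0)[0] for _ in range(4)])  # [True, True, True, False]
    print(security_headers(new_nonce())["Content-Security-Policy"])
```

The nonce is what lets the policy drop `'unsafe-inline'`: a fresh value per response means an injected inline script never carries the right nonce, while the limiter's `(allowed, reason)` tuple is what a 429 handler and the detection pipeline both need to tell IP-level abuse from a single busy user.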
Compliance Roadmap
| Standard | Status | Target |
|---|---|---|
| GDPR | In progress | Q3 2026 |
| CCPA | In progress | Q3 2026 |
| SOC 2 Type I | Planned | Q4 2026 |
| SOC 2 Type II | Planned | Q2 2027 |
| ISO 27001 | Evaluating | TBD |
Security Contact
To report a security vulnerability, please email security@caelumbuild.com. We aim to acknowledge reports within 24 hours and provide a fix timeline within 72 hours.
For enterprise security questionnaires or custom compliance requirements, contact enterprise@caelumbuild.com.