Security

Last Updated: December 15, 2024

At CapexIQ, security is foundational to everything we do. We understand that your project documents, cost data, and business information are highly sensitive. This page outlines our comprehensive approach to protecting your data.

Enterprise-Grade Security

1. Data Encryption

1.1 Encryption in Transit

All data transmitted between your browser and our servers is protected using:

  • TLS 1.3: The latest Transport Layer Security protocol
  • Perfect Forward Secrecy: Unique session keys prevent retrospective decryption
  • HSTS: HTTP Strict Transport Security enforces secure connections
  • Certificate Transparency: All certificates are logged for verification

1.2 Encryption at Rest

All stored data is encrypted using:

  • AES-256: Advanced Encryption Standard with 256-bit keys
  • Key Management: Hardware Security Modules (HSMs) for key storage
  • Database Encryption: Transparent data encryption for all databases
  • Backup Encryption: All backups are encrypted with separate keys

2. Infrastructure Security

2.1 Cloud Infrastructure

Our platform is hosted on enterprise-grade cloud infrastructure with:

  • SOC 2 Type II Certified: Data centers with audited security controls
  • Geographic Redundancy: Data replicated across multiple availability zones
  • Network Isolation: Virtual private clouds with strict network segmentation
  • DDoS Protection: Automated detection and mitigation of attacks

2.2 Network Security

  • Web Application Firewall (WAF): Protection against common web exploits
  • Intrusion Detection: Real-time monitoring for suspicious activity
  • IP Allowlisting: Available for Enterprise customers
  • Private Connectivity: VPN and private link options for Enterprise Plus

3. Access Control

3.1 Authentication

  • Multi-Factor Authentication (MFA): Required for all accounts
  • Single Sign-On (SSO): SAML 2.0 and OAuth 2.0 support (Enterprise tiers)
  • Password Requirements: Strong password policies enforced
  • Session Management: Automatic timeout and secure session handling

3.2 Role-Based Access Control (RBAC)

Granular permissions allow you to control who can:

  • View, edit, or delete projects
  • Access specific documents or estimates
  • Manage users and permissions
  • Export data and generate reports
  • Configure organization settings

3.3 Administrative Controls

  • User Provisioning: SCIM support for automated user management
  • Access Reviews: Tools to audit and review user permissions
  • Deprovisioning: Immediate access revocation upon termination

4. Audit Trail and Logging

4.1 Comprehensive Audit Logs

We maintain detailed logs of all platform activity:

  • User Actions: Login, logout, document access, estimate creation
  • Administrative Actions: User management, permission changes, settings updates
  • Data Access: Who accessed what data and when
  • Export Events: All data exports are logged

4.2 Log Retention

  • Standard: 90 days of audit log retention
  • Enterprise: 1 year of audit log retention
  • Enterprise Plus: Configurable retention up to 7 years

4.3 Log Access

Authorized administrators can:

  • Search and filter audit logs
  • Export logs for compliance reporting
  • Set up alerts for specific events
  • Integrate with SIEM systems (Enterprise Plus)

5. Data Protection

5.1 Data Isolation

  • Tenant Isolation: Complete separation of customer data
  • Logical Separation: Database-level isolation between organizations
  • Processing Isolation: Dedicated processing resources for document analysis

5.2 Data Retention and Deletion

  • Configurable Retention: Set retention policies per project or organization
  • Secure Deletion: Cryptographic erasure ensures data cannot be recovered
  • Right to Erasure: GDPR-compliant data deletion upon request

5.3 Backup and Recovery

  • Automated Backups: Daily encrypted backups
  • Point-in-Time Recovery: Restore to any point within retention period
  • Geographic Redundancy: Backups stored in separate regions
  • Recovery Testing: Regular backup restoration testing

6. Application Security

6.1 Secure Development

Our development practices include:

  • Security-First Design: Security requirements in all feature specifications
  • Code Review: Mandatory peer review for all code changes
  • Static Analysis: Automated scanning for vulnerabilities
  • Dependency Scanning: Continuous monitoring of third-party libraries

6.2 Vulnerability Management

  • Penetration Testing: Annual third-party penetration tests
  • Bug Bounty: Responsible disclosure program for security researchers
  • Patch Management: Critical vulnerabilities patched within 24 hours
  • Security Updates: Regular security patches and updates

6.3 API Security

  • API Authentication: OAuth 2.0 and API key authentication
  • Rate Limiting: Protection against abuse and denial of service
  • Input Validation: Strict validation of all API inputs
  • API Versioning: Stable APIs with deprecation notices

7. Compliance and Certifications

7.1 Regulatory Compliance

CapexIQ is designed to help you meet regulatory requirements:

  • PIPEDA: Personal Information Protection and Electronic Documents Act (Canada)
  • PIPA: Personal Information Protection Act (Alberta)
  • GDPR: General Data Protection Regulation (European Union)

7.2 Industry Standards

  • SOC 2 Type II: Annual audit of security controls (in progress)
  • ISO 27001: Information security management (roadmap)
  • OWASP: Adherence to OWASP Top 10 security guidelines

7.3 Data Residency

For customers with data residency requirements:

  • Canadian Data Residency: Data stored and processed in Canada
  • Regional Options: Contact us for specific regional requirements

8. Incident Response

8.1 Incident Management

Our incident response process includes:

  • 24/7 Monitoring: Continuous security monitoring and alerting
  • Incident Classification: Severity-based response procedures
  • Response Team: Dedicated security incident response team
  • Post-Incident Review: Root cause analysis and remediation

8.2 Breach Notification

In the event of a security incident affecting your data:

  • Notification within 72 hours of confirmed breach
  • Detailed information about the incident and affected data
  • Steps taken to contain and remediate the incident
  • Recommendations for protective measures

9. Employee Security

9.1 Personnel Security

  • Background Checks: All employees undergo background verification
  • Security Training: Mandatory security awareness training
  • Confidentiality Agreements: All employees sign NDAs
  • Least Privilege: Access limited to job requirements

9.2 Access to Customer Data

  • Customer data access is strictly controlled and logged
  • Access requires explicit business justification
  • All access is reviewed and audited regularly
  • Production data access requires manager approval

10. Physical Security

Our cloud infrastructure providers maintain:

  • 24/7 Security: On-site security personnel and surveillance
  • Access Control: Biometric and multi-factor authentication
  • Environmental Controls: Fire suppression, climate control, power redundancy
  • Visitor Management: Strict visitor access procedures

11. Business Continuity

11.1 Disaster Recovery

  • Recovery Time Objective (RTO): 4 hours for critical systems
  • Recovery Point Objective (RPO): 1 hour maximum data loss
  • Failover: Automated failover to secondary systems
  • DR Testing: Annual disaster recovery exercises

11.2 Service Level

  • Uptime Target: 99.9% availability
  • Status Page: Real-time service status updates
  • Maintenance Windows: Scheduled maintenance with advance notice

12. Enterprise Security Features

Additional security capabilities for Enterprise and Enterprise Plus customers:

Single Sign-On (SSO)

SAML 2.0 and OAuth 2.0 integration with your identity provider

Custom Data Retention

Configure retention policies to meet your compliance requirements

Advanced Audit Logs

Extended retention and SIEM integration capabilities

IP Allowlisting

Restrict access to approved IP addresses or ranges

Dedicated Support

Priority security support and dedicated customer success

Custom Agreements

Custom security addendums and data processing agreements

13. Security Contact

For security inquiries, vulnerability reports, or to request our security documentation:

CapexIQ Security Team

Email: contact@capexiq.io

Subject Line: Security Inquiry

Our Commitment

Security is not a feature—it's a fundamental part of how we build and operate CapexIQ. We continuously invest in security improvements and welcome feedback from our customers and the security community.

For detailed security questionnaires, SOC 2 reports, or custom security assessments, please contact us.


© 2024 CapexIQ. All rights reserved.