ElkConstruct

Enterprise Security Update: SOC 2 Type II Certification

Elena Rodriguez
September 18, 2025

Today we're announcing that ElkConstruct has successfully completed our SOC 2 Type II audit, conducted by an independent third-party auditing firm. This certification validates that our security controls, data handling practices, and operational procedures meet the rigorous standards established by the American Institute of Certified Public Accountants for service organizations.

For our customers, this certification means that an independent auditor has examined our systems and processes over a continuous 12-month period and confirmed that we are doing what we say we're doing to protect your data. Unlike SOC 2 Type I, which evaluates controls at a single point in time, Type II examines the operating effectiveness of those controls over an extended period.

Construction estimating data is commercially sensitive. Your cost databases, markup structures, subcontractor relationships, and bid strategies represent core competitive intelligence. A data breach or unauthorized access to this information could cause significant business harm. We take this responsibility seriously, and the SOC 2 Type II certification is the most widely recognized way to demonstrate that commitment to enterprise customers.

Here's what our security posture includes. All data is encrypted at rest using AES-256 encryption and in transit using TLS 1.3. Customer data is logically isolated at the database level, meaning no customer can ever access another customer's information even in the unlikely event of an application-level vulnerability. We maintain comprehensive access controls with role-based permissions, multi-factor authentication, and session management.

Our infrastructure runs on geographically distributed cloud servers with automatic failover and disaster recovery capabilities. We maintain a Recovery Point Objective of one hour and a Recovery Time Objective of four hours. Regular backups are encrypted and stored in a separate geographic region from our primary infrastructure.

Our security program includes continuous vulnerability scanning, annual penetration testing by an external firm, and a formal incident response plan with defined escalation procedures. All employees undergo security awareness training upon hiring and annually thereafter. Access to production systems is restricted to essential personnel and requires multi-factor authentication with hardware security keys.

We've also implemented SOC 2 controls around our software development lifecycle. Code changes go through peer review, automated testing, and staged deployment with rollback capabilities. We maintain a formal change management process that documents the purpose, risk assessment, and approval for every production change.

For enterprise customers with specific compliance requirements, we offer additional security features: single sign-on integration with SAML 2.0, custom data retention policies, dedicated infrastructure options, and detailed access audit logs that can be exported for your own compliance documentation.

The SOC 2 Type II report is available to current and prospective customers under NDA. Contact our sales team to request a copy. We view this certification not as a finish line but as a baseline. Our security program continues to evolve as threats change and as our customers' compliance requirements expand.

security, SOC 2, compliance, enterprise, data protection
Elena Rodriguez

CTO