ElkConstruct

Enterprise-Grade Security

Your data protection is our top priority. Here's how we keep your information safe.

Encryption

  • AES-256 encryption at rest for all stored data
  • TLS 1.3 for all data in transit
  • Encrypted database backups with separate key management
  • End-to-end encryption for sensitive document transfers

Access Control

  • Role-based access control (RBAC) with granular permissions
  • Single Sign-On (SSO) and SAML 2.0 support
  • Multi-factor authentication (MFA) for all accounts
  • Comprehensive audit logging of all access events

Infrastructure

  • Hosted on AWS with SOC 2 certified data centers
  • Multi-Availability Zone deployment for high availability
  • Auto-scaling infrastructure to handle demand spikes
  • DDoS protection via AWS Shield Advanced

Compliance

  • SOC 2 Type II certified (since September 2025)
  • GDPR compliant with appointed DPO
  • CCPA compliant for California residents
  • Regular third-party compliance audits

Penetration Testing

  • Quarterly penetration tests by an independent third-party firm
  • Responsible disclosure program for security researchers
  • Bug bounty program with competitive rewards
  • Automated vulnerability scanning on every deployment

Incident Response

  • 24/7 security monitoring and alerting
  • 1-hour response SLA for critical security incidents
  • Post-incident reviews with root cause analysis
  • Customer notification within 72 hours of confirmed breach

SOC 2 Type II Certified

Verified

ElkConstruct achieved SOC 2 Type II certification in September 2025, demonstrating our commitment to the highest standards of data security, availability, and confidentiality. This certification is the gold standard for SaaS security compliance and is independently verified by a qualified third-party auditing firm.

Our SOC 2 Type II report covers all five Trust Service Criteria established by the American Institute of Certified Public Accountants (AICPA):

  • Security: Protection of system resources against unauthorized access, including network and application firewalls, multi-factor authentication, and intrusion detection systems.
  • Availability: Accessibility of the system as stipulated by our service level agreements, backed by our multi-AZ infrastructure and automated failover capabilities.
  • Processing Integrity: System processing is complete, valid, accurate, timely, and authorized, ensuring your estimates and bids are processed correctly.
  • Confidentiality: Information designated as confidential is protected as committed, with encryption and strict access controls throughout the data lifecycle.
  • Privacy: Personal information is collected, used, retained, disclosed, and disposed of in conformity with our commitments and applicable regulations.

We undergo annual SOC 2 audits conducted by an independent certified public accounting firm. The full SOC 2 Type II report is available to Enterprise plan customers under a non-disclosure agreement. To request a copy, please contact [email protected].

Data Center Infrastructure

Our infrastructure is built on Amazon Web Services (AWS), leveraging enterprise-grade data centers with the highest levels of physical and network security.

  • Primary Region: AWS us-west-2 (Oregon). All production workloads, databases, and primary storage
  • Backup Region: AWS us-east-1 (Virginia). Cross-region replication, disaster recovery, and failover

  • Backup Interval: 6 hr
  • Recovery Point Objective: <1 hr
  • Uptime SLA: 99.99%

Compliance Certifications & Standards

We maintain compliance with industry-leading security standards and regulations to ensure your data is always protected. Our compliance program is continuously evolving to meet emerging requirements.

  • SOC 2 Type II: Certified
  • GDPR: Compliant
  • CCPA: Compliant
  • ISO 27001: In Progress
  • CSA STAR: Planned

Report a Security Issue

If you believe you have discovered a security vulnerability in our platform, please report it responsibly. We take all reports seriously and will respond promptly.

[email protected]

Request SOC 2 Report

Enterprise customers can request a copy of our latest SOC 2 Type II report under NDA. Contact our compliance team to get started.

[email protected]