— Security at BuilderPad —

Built on practices your security team will recognize.

BuilderPad is built for builders who can't compromise on how project, financial, and homeowner data is handled. Here's how we protect it - end to end.

Encryption: TLS 1.2+ / AES-256. In transit and at rest. (Data protection)

MFA: 100%. On all production access. (Access control)

Incident response: 24/7. Monitoring + on-call. (Response ready)

Third-party data: Never sold. Tenant-isolated by design. (Privacy first)

— Security program —

Nine areas. One connected program.

Infrastructure

The BuilderPad platform runs on AWS in multi-AZ regions, with PostgreSQL on RDS, S3 for media, and Redis for queue + cache. Our marketing site runs on Vercel. We rely on providers with SOC 2 Type II and ISO 27001 attestations.

Encryption

All data is encrypted in transit over TLS 1.2+ and at rest using AES-256. Secrets are stored in a centralized secret manager, never in source control, and rotated on a regular schedule.

Access controls

Access to production systems follows least-privilege principles, is restricted to a small on-call group, and requires single sign-on with mandatory multi-factor authentication. All production actions are audit-logged.

Application security

Every change is reviewed, tested, and run through automated checks - lint, type-check, unit and integration tests, dependency scanning, and secret scanning - before it reaches production. High-risk surfaces such as auth, billing, and data access receive additional adversarial review.

Operational security

Automated backups, infrastructure-as-code deployments, health monitoring, error tracking, and alerting keep the platform observable. Incident-response runbooks cover detection, triage, communication, and remediation, with post-incident reviews for every significant event.

People and access

Team members sign confidentiality agreements and receive security training. Production data access is granted on a need-to-know basis and revoked promptly when roles change. Workstations require disk encryption, screen lock, and managed endpoint protection.

Monitoring and logging

Structured audit logs, uptime monitoring, and anomaly detection run continuously. Unusual authentication, export, or data-access patterns trigger alerts to the on-call team.

Data handling

Project, financial, and homeowner data is isolated per builder account and never used for cross-customer purposes. We do not sell personal information. On termination, customer data is returned or deleted in accordance with our Terms of Service and Data Processing Addendum.

Compliance and privacy

BuilderPad supports obligations under GDPR, UK GDPR, CCPA/CPRA, and other US state privacy laws. Our Data Processing Addendum is available on request and we sign it for enterprise customers who require one.

— Compliance and privacy —

We meet you where your legal team is.

BuilderPad supports privacy obligations for builders working with homeowner, project, vendor, and financial data. We keep the paperwork direct, current, and available during procurement.

GDPR, UK GDPR, CCPA / CPRA, DPA available on request

— Responsible disclosure —

Found a vulnerability? Tell us.

Email us and we'll acknowledge your report within two business days, triage it, and keep you updated through remediation.

security@builderpad.com

— FAQ —

Frequently asked.

Where is my data hosted?

Production workloads run on AWS in US multi-AZ regions, with PostgreSQL on RDS for primary data and S3 for media storage. We use providers with SOC 2 Type II and ISO 27001 attestations and can provide a current subprocessor list on request. Our marketing site is hosted on Vercel.

Do you support SSO?

Single sign-on is on our roadmap for team and enterprise plans. If SSO is a requirement for your procurement process, email security@builderpad.com and we'll share current timing.

Can I sign a DPA with BuilderPad?

Yes. Our Data Processing Addendum is pre-signed on our side and incorporated by reference into our Terms of Service. For enterprise customers who require a counter-signed copy, contact security@builderpad.com.

What happens to my data if I cancel?

You can export your data at any time. On cancellation, we return or delete customer personal data on request, subject to limited retention required by law. Backups expire on our standard backup retention schedule.

Do you offer a security questionnaire or documentation package?

Yes - email security@builderpad.com with your procurement or vendor-review questionnaire and we'll turn it around within a few business days.

How do I report a vulnerability?

Email security@builderpad.com with as much detail as you can share. We appreciate responsible disclosure and will acknowledge receipt within two business days.