Enterprise Security Architecture

Security built into every layer

BuildIQ applies a defence-in-depth architecture to protect construction project data — from the network perimeter to the database row. Designed for government contractors, publicly listed companies, and regulated enterprises.

GDPR | ISO 27001 Aligned | SOC 2 Readiness | OWASP Top 10 | NIST SSDF | CIS Controls v8

Architecture

Defence-in-depth: five security layers

No single control is relied upon to prevent a breach. Each layer operates independently so that a failure in one does not expose the next.

L1 — Perimeter

TLS 1.3 in transit, HTTP security headers (CSP, HSTS, X-Frame-Options), rate limiting on all public endpoints.

L2 — Authentication

JWT-based auth with short-lived tokens, refresh rotation, and session invalidation on suspicious activity.

L3 — Authorisation

RBAC enforced at the API service layer. Row-Level Security as a secondary guard at the database layer. Both must pass.

L4 — Data

AES-256 at rest, tenant-scoped encryption keys, configurable isolation tiers from shared-RLS to dedicated database.

L5 — Observability

Append-only audit trail, platform-wide security posture dashboard, anomaly detection, and incident response playbooks.

Security controls

Security is a design constraint at BuildIQ — not a feature added after the fact.

End-to-End Encryption

Data encrypted at rest (AES-256) and in transit (TLS 1.3). Encryption keys are tenant-scoped — your data is cryptographically isolated from all other tenants.

Role-Based Access Control

Granular RBAC with 12+ construction-specific roles. Permissions enforced at the API service layer — UI access is a secondary guard, not the primary control.

Configurable Tenant Isolation

Choose your isolation model: shared schema with row-level security, schema-per-tenant, dedicated database, or on-premise. Each tier provides stronger data boundaries to match your compliance requirements.

Immutable Audit Trail

Every action — user, AI agent, or system — is written to an append-only audit trail. Records are timestamped, actor-attributed, and exportable for compliance and forensic review.

Support Access Controls

Zero standing access for support staff. Time-limited, org-approved access grants are fully audited. No Syvanto staff can access your data without an explicit grant you control.

Data Residency & Sovereignty

Choose your hosting region (AU, EU, US, APAC). Data never crosses jurisdictional boundaries without your explicit authorisation. Suitable for government and regulated-industry deployments.

Vulnerability Management

Published remediation SLAs

Every vulnerability identified through third-party testing, dependency audit, or responsible disclosure is prioritised against a binding internal SLA.

Critical: 24–48 hours
High: 7 days
Medium: 30 days
Low: 60–90 days

Secure Development Lifecycle (aligned with NIST SSDF)

Threat modelling integrated into release quality gates
Annual third-party penetration test (external attack surface)
Dependency audit on every CI run (Trivy + npm audit)
Responsible disclosure programme with acknowledgement SLA
Security-gated deployment pipeline — no release without RAE sign-off
Post-incident reviews with root cause and remediation evidence

AI Governance

Responsible AI, built in from day one

AI agents introduce a new attack surface. BuildIQ addresses it with architectural controls — not just policy statements.

No External AI Training

Your project data is never used to train third-party AI models. BuildIQ AI operates on your data — not from it.

Agent Action Governance

Every AI agent action is logged, explainable, and reversible. No undocumented decisions. Every recommendation carries a confidence score and audit reference.

Human-in-the-Loop Gates

Consequential agent actions — cost approvals, scope changes, risk escalations — require explicit human confirmation before execution.

LLM Prompt Isolation

System prompts and tenant context are strictly scoped per tenant. Cross-tenant prompt injection is architecturally blocked, not just filtered.

API Security

OWASP API Security Top 10 alignment

All BuildIQ APIs are designed against the OWASP API Security Top 10 threat model. Penetration testing exercises the full API surface, not just the UI.

API1 | Broken Object Level Authorization | Per-resource ownership check on every endpoint
API2 | Broken Authentication | JWT validation via shared dependency injection
API3 | Broken Object Property Level Authorization | Pydantic schemas enforce field-level access rules
API4 | Unrestricted Resource Consumption | Rate limiting (SlowAPI) + paginated list endpoints
API5 | Broken Function Level Authorization | Platform vs tenant role checks on all platform routes
API7 | Server-Side Request Forgery | Outbound integration allowlist (in progress)
API8 | Security Misconfiguration | HTTP security headers + CORS allowlist enforced
API9 | Improper Inventory Management | API versioning enforced; deprecated endpoints removed

Compliance & certifications

GDPR

EU General Data Protection Regulation — data residency, DPA, and right-to-erasure controls in place

ISO 27001 Aligned

Information security management system controls aligned with ISO/IEC 27001:2022

SOC 2 Readiness

SOC 2 Type II assurance framework readiness programme in progress

OWASP Top 10

Annual third-party penetration testing against OWASP Top 10 and OWASP API Security Top 10

NIST SSDF

Secure software development practices mapped to NIST Secure Software Development Framework tasks

CIS Controls v8

CIS Controls v8 Implementation Group 1 controls addressed across asset management, logging, and access