Features Pricing Blog About FAQ Sign in Start your project
SECURITY

Security at Opsite

Your construction data is your business. We protect it with industry-standard practices and clear documentation of who touches it.

Effective Date: May 16, 2026

Our Security Commitment

Opsite Solutions LLC is committed to protecting your data. As a construction management platform, we understand that you entrust us with sensitive business information including financial data, contracts, client details, and project documentation. We take this responsibility seriously and describe our practices honestly on this page.

Security Features

Encryption

  • TLS 1.3 encryption for all data in transit
  • AES-256 encryption for data at rest
  • HTTPS enforced on all connections
  • Encrypted database backups

Authentication

  • Secure password hashing (bcrypt)
  • Session token management
  • Automatic session expiration
  • Role-based access controls (RBAC)

Infrastructure

  • Hosted on Vercel's secure cloud platform
  • Built on SOC 2 Type II-compliant providers (Vercel, Supabase)
  • Automatic DDoS protection
  • Global CDN with edge caching

Data Protection

  • Supabase enterprise-grade storage
  • Automated daily backups
  • Multi-region data redundancy
  • Point-in-time recovery available

How We Handle Your Data

Data Isolation

Each contractor's data is logically isolated. Users can only access data for contractors they are explicitly authorized to view. Our role-based access control system ensures that team members only see what they need to do their job.

Third-Party Service Providers

We use a small set of vetted service providers to deliver core functionality. When you connect optional integrations like QuickBooks, we use OAuth 2.0 authentication; we never store your third-party passwords. The full subprocessor list with data categories and region is published in our Privacy Policy.

  • Vercel (hosting)
  • Supabase (database, files, auth)
  • Anthropic (AI / Lino)
  • Stripe (payments, OAuth 2.0)
  • Twilio (SMS)
  • Resend (email)
  • Upstash (vector storage)
  • Plausible (analytics; cookieless)
  • QuickBooks (OAuth 2.0)
  • Google Maps (API key)

AI & Machine Learning

Our AI features (document categorization, Lino assistant) process your data via Anthropic's Claude API to provide intelligent recommendations. This processing happens in real time and we do not use your data to train general-purpose AI models. Your business data remains private and is never shared with other customers.

File Storage

Documents, photos, and attachments uploaded to Opsite are stored in Supabase's enterprise cloud infrastructure. Files are encrypted at rest and in transit. Access is controlled through the same role-based permissions as other data.

Data Residency

All primary data is stored in the United States. Backups are stored in geographically separate U.S. regions for disaster recovery. We do not store customer data outside the United States unless specifically requested and agreed upon in writing. For Enterprise customers requiring specific data residency arrangements, please contact us at security@useopsite.com.

Compliance

Infrastructure SOC 2

Vercel and Supabase, our hosting and database providers, are SOC 2 Type II certified. Opsite is not independently SOC 2 certified at this time.

GDPR-aligned practices

Our data handling is designed to align with the principles of the EU General Data Protection Regulation. A Data Processing Addendum is available on request to enterprise customers.

CCPA-aligned practices

We honor data-subject access, deletion, and opt-out requests under the California Consumer Privacy Act and Global Privacy Control browser signals.

Our Security Practices

1. Security-First Development

We follow secure coding practices, including input validation, output encoding, parameterized queries, and regular code reviews focused on security.

2. Dependency Management

We regularly update dependencies and monitor for known vulnerabilities using automated security scanning tools.

3. Access Controls

Internal access to production systems is strictly limited, requires authentication, and is logged for audit purposes.

4. Incident Response

We have documented incident response procedures and will notify affected users promptly in the event of any security incident that may affect their data.

5. Penetration Testing & Vulnerability Assessment

We conduct annual third-party penetration testing of our application and infrastructure. Critical and high-severity findings are remediated within 30 days. We also perform continuous automated vulnerability scanning of our codebase and dependencies. Results of penetration tests are available to Enterprise customers under NDA upon request.

Business Continuity & Disaster Recovery

We maintain documented business continuity and disaster recovery plans. Key commitments include:

  • Automated daily backups with point-in-time recovery
  • Multi-region redundancy with automatic failover
  • Recovery Time Objective (RTO) of 4 hours for critical systems
  • Recovery Point Objective (RPO) of 1 hour for all customer data
  • Annual disaster recovery testing

Reporting Security Vulnerabilities

We take security vulnerabilities seriously. If you discover a potential security issue, please report it to us responsibly:

Email our security team: security@useopsite.com

Please include as much detail as possible about the vulnerability, including steps to reproduce. We commit to acknowledging reports within 48 hours and will work with you to understand and resolve the issue promptly.

Responsible Disclosure Program

We welcome security researchers to report vulnerabilities through our responsible disclosure program. We commit to:

  • Acknowledging reports within 48 hours
  • Providing an initial assessment within 5 business days
  • Not pursuing legal action against researchers who act in good faith and comply with this policy
  • Recognizing researchers in our security hall of fame (with permission)

Please report vulnerabilities to security@useopsite.com with the subject line "Security Vulnerability Report."

Your Security Responsibilities

Security is a shared responsibility. To help keep your account secure:

  • Use a strong, unique password for your Opsite account
  • Never share your login credentials with others
  • Log out of shared or public computers
  • Report any suspicious activity to our support team immediately
  • Keep your device and browser up to date
  • Be cautious of phishing attempts - we will never ask for your password via email

Insurance Coverage

Opsite maintains cyber liability insurance and errors & omissions (E&O) insurance policies appropriate for a technology platform handling sensitive business data. Details of coverage are available to Enterprise customers upon request.

Questions?

If you have any questions about our security practices, please contact us:

Security inquiries: security@useopsite.com

General support: support@useopsite.com

Privacy concerns: privacy@useopsite.com