Security FAQ
Common security questions, answered.
The questions security teams + procurement officers ask most often. Detailed answers, with links to deeper material when relevant. For technical architecture detail, see the Security Deep Dive page.
Q&A
14 most-common security questions
- Where is customer data stored?
- All customer data is stored in AWS us-east-1 + us-west-2 with cross-region replication for redundancy. Backups stored in a separate AWS account with 7-year retention. EU and Canadian data residency on the roadmap; ask CSM for status if relevant.
- Is customer data used to train shared models?
- No. Customer drawings, takeoff data, and project metadata are NEVER used to train shared models. Each customer's recognizer is trained from that org's own annotations only; models do not cross tenant boundaries. Customers can opt into a platform-wide symbol-library improvement program; participation is per-feature, revocable, and surfaced in the admin console.
- What about third-party model providers like OpenAI or Anthropic?
- API calls to OpenAI / Anthropic / Gemini are made with zero-data-retention agreements (ZDR endpoints). Vendor data retention policies are reviewed annually + escalated to the Head of Compliance on any change. Customers can opt out of all third-party model providers; we fall back to in-house models with somewhat-lower accuracy ceilings on certain tasks.
- How is encryption handled at rest and in transit?
- AES-256-GCM at rest via AWS KMS with per-org data-encryption keys. TLS 1.3 in transit with HSTS preload. Internal service-to-service calls use mTLS with rotated short-lived certificates (24h validity). Customer-managed keys (BYOK) supported on Enterprise plans via AWS KMS / GCP CMEK / Azure Key Vault.
- How is tenant isolation enforced?
- Three layers of defense: Postgres row-level security policies on every table; bucket-level policies on object storage; worker-level org_id assertions on background jobs. A bug at any single layer is caught by the others. We have not had a cross-tenant data exposure incident to date; if one ever occurs, customers will hear from us first per the incident-response playbook.
- Is the audit log truly immutable?
- Yes. Append-only at the schema level (before-update triggers refuse mutation). Hash-chain validation on the audit row sequence makes redaction detectable. Replicated to write-once S3 with object-lock (governance mode) for 7-year compliance retention. Even platform engineers can't edit audit log entries.
- What's your SOC 2 status?
- Our SOC 2 program runs on an annual cadence with an independent audit firm. Specific attestation dates, findings counts, and the audit firm name are shared under NDA at /trust-center; we do not publicly claim certifications we have not yet earned. Penetration testing is engaged annually with an independent assessor.
- Are you GDPR + CCPA compliant?
- Yes. Right-to-access data export, right-to-erasure soft-delete with PII scrub, CCPA opt-out preference, data-processing addendum (DPA) endpoint. EU data residency on the roadmap; ask CSM for status. Standard SCC + DPA available; we'll sign yours or ours.
- Do you support SSO + SCIM?
- Pro: SSO via Google Workspace + Microsoft. Enterprise: SAML 2.0, OIDC, Okta, SCIM auto-provisioning. SSO enforcement (require-SSO-for-all-users) is a per-org admin toggle on Pro+; default for Enterprise.
- What happens if there's a data breach?
- We follow our incident-response playbook (linked from /trust-center). Customer notification timing is set to comply with GDPR Art. 33 / applicable state-law requirements / contractual SLAs (typically within 72 hours of confirmed breach, faster if customer-impacting). No customer-impacting breach has been reported to date; this line is reviewed and updated promptly if our incident-response posture changes. The playbook exists because mature security programs are built around the assumption that one day we will need it.
- Can we run our own pen test?
- Yes, on Enterprise plans. We accept customer-driven penetration tests with 30 days notice and a signed scope-of-work. We'll provide a non-production test environment + named security-team contact for the duration. Findings shared bi-directionally; we remediate within negotiated SLAs.
- What about federal procurement (FedRAMP, DoD ATO)?
- FedRAMP authorization is on the long-term roadmap. We do not have FedRAMP authorization today and we will not claim it until the authorization actually exists. In the interim, federal-adjacent customers can run OmniTakeoff under their own ATO with our security artifacts (SOC 2 attestations once available, architecture diagrams, audit-log evidence) supplied under NDA from /trust-center.
- Do you have cyber-insurance?
- Yes — cyber liability coverage with breach-response, business-interruption, and customer-notification clauses. Specific coverage limits and the Certificate of Insurance are shared with prospective enterprise customers under NDA from your CSM, rather than published on this page.
- How do customer security teams reach yours?
- Two channels: security@omnitakeoff.com for vendor-security-review questions (typical 3-business-day turnaround), and the customer Slack channel for real-time questions. Head of Compliance + Head of Engineering both respond on these channels.
Vendor security review?
3 business days
Send us your vendor-security-review form (CAIQ, SIG-Lite, SIG-Core, custom) and we'll return it within 3 business days during normal review cycles. Faster turnaround on Enterprise contracts. Available artifacts under NDA: SOC 2 Type II report, penetration-test summary, architecture diagrams, business-continuity plan, incident-response playbook, data-processing addendum, list of subprocessors.
Need something not listed?
Send the question; we'll answer it.
Security questions evolve faster than FAQs. If the answer to yours isn't above, write to security@. We add answers to this FAQ when the same question shows up multiple times — and we credit the asker (with permission) when we do.