Trust Center
Security, privacy, compliance — every control.
OmniTakeoff handles bid-day data for hundreds of contractors. Every control we've implemented, every audit we've passed, every subprocessor we use. Public page; no sales gate.
Security
Controls in production
What we've built and what we maintain. Every control below is documented in our SOC 2 control matrix.
Encryption at rest (AES-256)
In place: All customer data is encrypted at rest with AES-256 using AWS KMS-managed keys. Per-org key isolation on the Enterprise tier.
Encryption in transit (TLS 1.3)
In place: All HTTPS endpoints use TLS 1.3. Internal service-to-service traffic is also TLS-encrypted via the service mesh.
Postgres Row-Level Security (RLS)
In place: Multi-tenant isolation is enforced at the database layer via PostgreSQL RLS policies, as defense in depth alongside application-layer org scoping.
Audit logging
In place: Every write operation produces an audit log entry recording the user, org, action, resource, source IP and user agent. Entries are retained for 7 years.
Authentication: 2FA + SSO
In place: TOTP-based 2FA for all users. SAML SSO and SCIM provisioning on the Enterprise tier.
Penetration testing
In place: Annual third-party penetration testing program. Findings are tracked and remediated; specific dates and reports are shared with customers under NDA rather than published.
Secret rotation
In place: API keys are rotated quarterly. Database credentials are rotated monthly via AWS Secrets Manager.
Vulnerability scanning
In place: Snyk and Dependabot scan all dependencies daily. Critical CVEs are patched within 24 hours.
Compliance
Certifications + frameworks
SOC 2 program
In progress: SOC 2 program under way with an independent audit firm. Pre-audit controls documentation and current attestation status are shared under NDA.
GDPR data subject rights
In place: Production endpoints for data export, deletion and access requests, with a 30-day SLA.
CCPA / CPRA compliance
In place: The Sec-GPC opt-out signal is honored. Data-subject requests are handled within statutory windows.
ISO 27001
Planned: On the long-term roadmap. Not yet certified; we will not claim certification until the certificate is issued.
HIPAA Business Associate Agreement
In place: BAA available for healthcare customers. The stack already supports HIPAA-grade controls.
FedRAMP
Planned: On the long-term roadmap for federal customers. Not yet certified.
Privacy
Data handling controls
Data residency
In place: AWS US-East and US-West by default. EU regions available on Enterprise. Single-region deployment available under a custom contract.
AI training opt-out
In place: Per-org training only; we never train cross-org models on customer data. Anonymized aggregate metrics may inform product priorities.
Subprocessor list
In place: Public list of all subprocessors on this page. We notify customers 30 days before adding new subprocessors.
Data retention controls
In place: Configurable retention policies per project. Default: indefinite for active projects, 7 years for archived projects. Customer-controlled.
Right to deletion
In place: Self-serve org deletion with a 30-day grace period. Hard delete on request.
Subprocessors
Third parties we use
We notify customers 30 days before adding new subprocessors. The list below is updated whenever changes are made.
| Subprocessor | Purpose | Region |
|---|---|---|
| AWS | Infrastructure, storage, compute | US + EU |
| Anthropic (Claude) | AI consensus reconciler primary provider | US |
| OpenAI (GPT) | AI consensus reconciler secondary | US |
| Google (Gemini) | AI consensus reconciler tertiary | US |
| Stripe | Billing + payment processing | US |
| Sentry | Error monitoring + alerting | US |
| Datadog | Infrastructure monitoring + APM | US |
| Postmark | Transactional email delivery | US |
Reports + documentation
What we'll share
SOC 2 program
Current attestation status and available reports are shared under mutual NDA. We don't publish specific completion dates because audit timing depends on the auditor's schedule.
Pen test summary
Executive summary of the latest pen test (2026 Q1), available under mutual NDA.
DPA
Data Processing Addendum available at /legal/dpa. Includes standard contractual clauses and is GDPR-aligned.
Need a security review?
Email security@omnitakeoff.com
We can complete most security questionnaires (CAIQ, SIG, custom) within 5 business days. Email us with your timeline.