Security Policy | StructionSite

Security Policy

How Does StructionSite Keep Your Business Secure?

Protecting Customer Data

At StructionSite our approach to security is simple: Your data belongs to you, and we take the job of protecting it very seriously. We aim to be transparent about how we do that by providing a security overview here.

Data Encrypted in Transit and at Rest

All traffic between mobile device applications, web browsers, backend servers, and databases is secured with industry-standard 2048-bit encryption. This means all sensitive data is kept incredibly safe while in transit.

Photos and images, team communications, and all other customer data are also encrypted in transit and at rest. They are not shared with anyone but designated collaborators on a project.

Data and files on the mobile device are secured according to the corporate policy of the company owning the device, for example, requiring passcodes to unlock the device, and encrypting all stored data while it is locked. Once uploaded to our secure servers, the original files are removed from the device.

Your files, photos, and other media are at least as secure as anywhere else they are stored on the phone/device.

Data Storage and Removal

Customer data is removed as soon as it is deleted or expires. This is why we advise our customers to make backups or export their data to another file management system before deleting it on StructionSite. Current customers should always contact us when in doubt.

Secure Login with Password

A password is required to log in to or the StructionSite mobile app. Your unique password is encrypted using SSL when sent to our servers, and is encrypted with a hash function on the server.

Logging into the StructionSite mobile app always requires the user to enter their password, and we don’t provide an option to “save” the password after logging out on the mobile app.

Only the person who created their password knows what it is. We never transmit or store passwords in plain text, and we cannot read or decrypt them ourselves. This is why we require a customer to reset their password when it is forgotten.

Controlled Access

StructionSite offers enhanced access controls to data. Different user permission levels allow for control over who can access data, and who can give others access to information.

Project administrators can manage certain types of access to shared data. For example, when you generate public share links to view photos, the administrator can globally turn those off.

Our mobile app also allows for the ability to securely transfer and remove photos from the hardware upon capture, to prevent unwanted leakage of sensitive project imagery.

Safety in the Cloud

Depending on Google and Amazon to solve our core infrastructure problems allows StructionSite to focus on our customers and solving their problems. Google and Amazon employ teams of physical security staff and digital security engineers so we don’t have to.

Read more about how each of our cloud providers solves security in general:

Google Security Model

AWS Security Practices

Native Mobile Development Philosophy

We believe in developing native mobile experiences, not only for better performance but also for the well-known security enhancements that come with being able to leverage a mobile operating system's security protocols.

We choose to develop on native iOS to leverage best-in-class security tools to minimize vulnerabilities which can be exposed in non-native development frameworks.

FedRAMP Compliance for High-Security Projects via GovCloud

Upon customer request, we allow for storage and transfer of all data between FedRAMP-compliant servers for federal projects.

The Federal Risk and Authorization Management Program (FedRAMP) is a US government-wide program that delivers a standard approach to the security assessment, authorization, and continuous monitoring for cloud products and services. The governing bodies of FedRAMP include the Office of Management and Budget (OMB), US General Services Administration (GSA), US Department of Homeland Security (DHS), US Department of Defense (DoD), National Institute of Standards and Technology (NIST), and the Federal Chief Information Officers (CIO) Council.

Cloud service providers who want to offer their products and services to the US government must demonstrate FedRAMP compliance. FedRAMP uses the NIST Special Publication 800 series and requires cloud service providers to receive an independent security assessment conducted by a third-party assessment organization (3PAO) to ensure that authorizations are compliant with the Federal Information Security Management Act (FISMA). For more information, see the FedRAMP website.

Further Questions? Please Ask!

We hope this overview shows how committed StructionSite is to keeping our customers' data secure. This is just an overview, so please contact us with any further questions!