Trust

Security at PipeTakeoff.com

What we do to keep your isometric drawings, extracted BOMs, and billing data safe.

Encryption

Every connection to PipeTakeoff.com uses TLS 1.3. Customer data at rest — PDFs in object storage, rows in Postgres, audit logs, billing records — is encrypted with AES-256 by the underlying cloud providers. Secrets used by the application (API keys, database credentials, webhook signing keys) live in Doppler and are injected at deploy time; they never land in the repository, in CI logs, or in developer machines.

Tenant isolation

Every database row that belongs to a customer organization is protected by Postgres row-level security. The application sets the current organization on every transaction and the database rejects any read or write that crosses the boundary. A dedicated two-organization leak test runs on every pull request and on a nightly cadence; it attempts to access another tenant's data from every router boundary and fails the build if any path returns a single byte across the divide.

Access control

Authentication is handled by Clerk; multi-factor authentication is available to every customer and required for our team. Inside an organization, four roles — owner, admin, engineer, and viewer — gate every action. Role checks happen in the API layer; the UI mirrors them for clarity but is never the only enforcement point. We review production access quarterly.

Audit trail

Every state-changing action — uploads, commits, role changes, deletions, billing events — is recorded in an append-only audit log. Rows are insert-only at the database level: paired triggers reject any attempt to update or delete a row, regardless of which role attempts it. A SHA-256 hash chain links each row to its predecessor so a customer can verify, post-hoc, that the log has not been tampered with. Customer admins can export the log as CSV or JSON and replay the chain locally to confirm integrity. The export wire contract is documented and stable across PipeTakeoff.com versions.

Data retention

We keep audit logs for a minimum of seven years to match construction and EPC industry norms; the window is configurable upward for enterprise customers. Customer drawings and extracted BOMs are kept while your account is active; on termination, customer data is returned or deleted on request within 90 days, per the data processing agreement. The full retention schedule by data class is published alongside this page.

Full schedule: data processing agreement.

Subprocessors

We rely on a small set of third-party vendors to deliver the service — Clerk for identity, Cloudflare R2 for object storage, Anthropic for extraction, Stripe for billing, and others. Every vendor is listed publicly with the data they process and the region they operate in. We give customers 30 days notice before adding or removing a subprocessor.

See the full list: subprocessor disclosure.

Incident response

We monitor errors and logs continuously. If a security incident affects customer data, we will notify affected customers within 72 hours of confirming the incident, in line with the data processing agreement. Our incident response runbook defines the severity tiers, communication templates, and the post-incident review we conduct on every Sev-1.

Reporting a vulnerability

If you believe you have found a security vulnerability in PipeTakeoff.com, please email security@pipetakeoff.com with steps to reproduce. We will acknowledge receipt within one business day and keep you informed as we investigate. We do not pursue legal action against researchers who report in good faith.

Contact

General security questions: security@pipetakeoff.com. Privacy and compliance: privacy@pipetakeoff.com.