
Security & Privacy

Your Procore data is sensitive. That's why we built our platform to process your data while only storing the bare minimum for your own logs.

Security Framework

EU Data Residency

Our infrastructure and database (used for user and company IDs only) are hosted in Frankfurt (Germany), ensuring full compliance with GDPR and local data residency requirements.

Double-Lock Security

We enforce double-lock security: users must be authorized in our app AND hold Admin permissions within the specific Procore tool to execute actions.

Stateless Architecture

We do not store your Procore project data. Our application acts as a secure "pass-through" bridge, processing actions while only temporarily logging activity for debugging and statistics purposes.

Secure Audit Delivery

All action logs and extracts are delivered via encrypted email (TLS). Activity logs are isolated per user and purged every 12 months or on demand.

Identity-Based Access

Login is handled exclusively through Procore OAuth 2.0. We never see or store your credentials, leveraging your existing security settings with Procore.

Encryption Everywhere

Data is protected by AES-256 encryption at rest and TLS 1.3 in transit, ensuring a secure tunnel between Procore and your browser.

Optional Service Account

Users can perform all actions with their own account and can optionally opt in to a service account for bulk updates. Service account tokens are never persisted and are immediately cleared after the action.

Strict Governance

Instance onboarding and user provisioning are restricted to a single master administrator, preventing any unauthorized Procore environments.

Infrastructure & Compliance

Our application is hosted on Render, leveraging a world-class infrastructure that inherits security capabilities from underlying providers (AWS/GCP), including physical data center security and network isolation.

By choosing Frankfurt (Germany) as our primary region, we ensure that all data processing adheres to the highest standards of privacy and European data protection laws.

Our security model is based on the Principle of Least Privilege. The application only requests the specific Procore permissions necessary to perform the task at hand.

Security FAQ

Do you store my Procore business data?

No. Our application only stores key connection metadata (user emails, Procore instance IDs) and activity logs (record IDs and timestamps) required for audit purposes. Your actual project data is processed in memory and is never stored. Activity logs are also transparently sent via email to the user after each action.

How are permissions managed?

We mirror Procore's permission model. If a user is not an Admin of a specific tool in Procore, they cannot use our application to bulk update/import records of that tool, even if they have access to our platform on this specific Procore instance.

Where is my data processed?

Everything is hosted on Render's secure infrastructure in Frankfurt, Germany. This ensures that data transit remains within the European Union, meeting strict regulatory standards.

Can I audit the actions performed through the app?

For every bulk action or extraction, an automated, detailed log report is sent via email to the user. This creates a permanent, searchable audit trail outside of our system. Activity logs in our system are purged every 12 months or on demand.

Do you have SOC2 or ISO 27001 certifications?

As a growing company, we haven't pursued formal certifications yet. However, we have designed our architecture to meet these standards from day one: we use SOC2-compliant infrastructure, enforce strict data isolation, and most importantly, we minimize risk by not storing your Procore business data and by handling login exclusively through Procore.