Security & Compliance

Last updated: January 20, 2026

Our Commitment to Security

At Builddesk, security is a core priority. We implement industry-standard technical and organizational measures to protect your data and ensure platform reliability.

1. Security Overview

Builddesk is built on Cloudflare's secure, globally distributed infrastructure. Our architecture is designed to provide:

  • High availability and resilience
  • Data encryption in transit and at rest
  • Access controls and authentication
  • Comprehensive audit logging
  • Multi-tenant data isolation

2. Infrastructure Security

2.1 Cloud Hosting

Builddesk is hosted on Cloudflare Pages and Workers, a global edge network with built-in security features:

  • DDoS Protection: Automatic mitigation of distributed denial-of-service attacks
  • WAF (Web Application Firewall): Protection against common web vulnerabilities (SQL injection, XSS, etc.)
  • CDN Security: Content delivered through Cloudflare's secure edge network
  • High Availability: Cloudflare's globally distributed edge network provides industry-leading availability and performance

2.2 Data Centers

Cloudflare operates data centers across multiple continents with:

  • ISO 27001 certified facilities
  • SOC 2 Type II compliance
  • Physical security controls (access logs, surveillance, biometric access)
  • Redundant power and network connectivity

3. Data Protection

3.1 Encryption

Data in Transit:

  • All connections use TLS 1.2+ encryption (HTTPS)
  • Perfect Forward Secrecy (PFS) enabled
  • Strong cipher suites (AES-256, ChaCha20)

Data at Rest:

  • Database encryption using industry-standard algorithms
  • Encrypted backups
  • Passwords hashed using bcrypt (never stored in plaintext)

3.2 Multi-Tenant Isolation

Each customer's data is logically isolated at the database level:

  • Tenant-specific data access controls
  • Row-level security policies
  • No cross-tenant data leakage
  • Separate backup and recovery per tenant

4. Access Controls

4.1 Authentication

We employ strong authentication mechanisms:

  • Email + Password: Passwords must meet complexity requirements
  • Two-Factor Authentication (2FA): Optional TOTP-based 2FA for super admin accounts; tenant-level 2FA enforcement available for Enterprise customers
  • Session Management: Secure session tokens with expiration and rotation
  • Account Lockout: Protection against brute-force attacks

Additional authentication controls may be introduced for all user roles as the platform evolves.

4.2 Authorization

Role-based access control (RBAC) ensures users can only access data they're authorized to see:

  • Owner: Full admin access to tenant data and settings
  • Admin: Manage users, projects, and settings (no billing access)
  • Project Manager: Manage assigned projects and tasks
  • Field User: View and update tasks, upload photos, create issues
  • Member: View-only access to assigned projects
  • Client: Limited portal access to project updates

5. Application Security

5.1 Secure Development Practices

We follow secure coding practices and industry standards:

  • Input validation and sanitization
  • Parameterized queries (SQL injection prevention)
  • XSS (Cross-Site Scripting) protection
  • CSRF (Cross-Site Request Forgery) tokens
  • Content Security Policy (CSP) headers
  • Regular dependency updates and vulnerability scanning

5.2 Audit Logging

Comprehensive activity logs track:

  • User logins and authentication events
  • Project and data modifications
  • Permission changes
  • Admin actions
  • Failed access attempts

Logs are retained for compliance and forensic analysis (Enterprise plan includes detailed audit reports).

6. Payment Security

Builddesk does not store credit card numbers or CVV codes.

All payment processing is handled by Stripe, a PCI DSS Level 1 certified payment processor. Stripe:

  • Encrypts card data using AES-256
  • Tokenizes payment methods
  • Complies with PCI DSS requirements
  • Provides fraud detection and prevention

We only store:

  • Customer billing email
  • Last 4 digits of card (for display purposes)
  • Card brand (Visa, Mastercard, etc.)
  • Expiration date

7. Data Backup and Recovery

We maintain regular, encrypted backups to ensure data availability:

  • Automated Daily Backups: Database snapshots every 24 hours
  • Retention Policy: Backups are retained according to our internal retention schedule and are automatically overwritten within a maximum of 90 days
  • Disaster Recovery: Ability to restore data in the event of catastrophic failure
  • Point-in-Time Recovery: Restore data to a specific point in time (Enterprise plan)

Note: Backups are for disaster recovery purposes. We do not restore backups to recover accidentally deleted data unless that is included as an Enterprise plan feature.

8. Incident Response

8.1 Security Incident Handling

In the event of a security incident, we follow a defined process:

  1. Detection & Triage: Identify and assess the severity of the incident
  2. Containment: Isolate affected systems to prevent further damage
  3. Investigation: Determine root cause and scope of impact
  4. Remediation: Fix vulnerabilities and restore normal operations
  5. Notification: Inform affected customers as required by law (typically within 72 hours under GDPR)
  6. Post-Incident Review: Document lessons learned and improve security posture

8.2 Customer Notification

If a security incident affects your data, we will:

  • Notify you via email within 72 hours of discovery
  • Provide details about the incident, affected data, and mitigation steps
  • Offer support and guidance for any necessary actions on your part

9. Vulnerability Disclosure

We welcome responsible disclosure of security vulnerabilities. If you discover a potential security issue, please:

  • Do not exploit the vulnerability or access data beyond what's necessary to demonstrate the issue
  • Do not publicly disclose the vulnerability before we've had a chance to address it
  • Report the issue to security@builddesk.io with:
    • Description of the vulnerability
    • Steps to reproduce
    • Potential impact
    • Your contact information

We will acknowledge receipt within 48 hours and provide updates on remediation progress. We do not currently offer a bug bounty program, but we appreciate and recognize responsible disclosures.

10. Compliance

10.1 GDPR (General Data Protection Regulation)

Builddesk is designed with GDPR compliance in mind:

  • Data minimization (collect only necessary data)
  • Purpose limitation (use data only for stated purposes)
  • Data subject rights (access, rectification, erasure, portability)
  • Privacy by design and default
  • Data Processing Agreements (DPAs) for customers who process end-user data

For more details, see our Privacy Policy and Data Processing Agreement.

10.2 Industry Best Practices

We follow recognized security frameworks and standards:

  • OWASP Top 10: Protection against common web application vulnerabilities
  • CIS Controls: Implementation of critical security controls
  • NIST Cybersecurity Framework: Risk management and incident response

11. Third-Party Service Providers

We carefully vet third-party processors and ensure they meet our security standards:

  • Cloudflare: Infrastructure and CDN (ISO 27001, SOC 2)
  • Stripe: Payment processing (PCI DSS Level 1)
  • Resend: Transactional email (GDPR-compliant)

All processors are contractually bound by Data Processing Agreements and security requirements.

12. Employee Access

Access to customer data is strictly limited:

  • Need-to-Know Basis: Only personnel with legitimate operational needs can access customer data
  • Background Checks: Where applicable, personnel undergo background verification
  • Confidentiality Agreements: All staff sign NDAs
  • Training: Where applicable, security awareness training for personnel
  • Access Logging: All admin actions are logged and auditable

13. Shared Responsibility Model

While we implement strong security measures, security is a shared responsibility. You should:

  • Use strong, unique passwords
  • Enable two-factor authentication (2FA) if available
  • Keep your account credentials confidential
  • Report suspicious activity immediately
  • Ensure your devices are secure and up-to-date
  • Educate your team members on security best practices

14. Contact Us

For security inquiries, vulnerability reports, or questions about our security practices, please contact us:

Security Team:

E-Mail: security@builddesk.io

General Support:

E-Mail: support@builddesk.io

Postal Address:
Ahmad Mukhtar Sabri (Builddesk)
Daubhausstraße 29
55283 Nierstein
Germany

Summary: Builddesk is built on secure infrastructure with encryption, access controls, audit logging, and multi-tenant isolation. We follow GDPR and industry best practices, maintain regular backups, and respond promptly to security incidents. Your data security is our top priority.

© 2026 Builddesk. All rights reserved.