Platform Security
How We Protect Your Data
Plain-English answers to how your financial data is stored, who can access it, and what we ask of you.
1. How your data is stored
All platform data is stored in Supabase, a hosted database service running on Amazon Web Services (AWS). Your data lives on their infrastructure — not on a server we own or manage directly.
In transit: Every connection between your browser, our servers, and the database is encrypted using TLS 1.2 or higher. There is no unencrypted HTTP fallback. You will always see HTTPS in your browser.
At rest: All data stored in Supabase Postgres is encrypted at the infrastructure level using AES-256. This includes database records, backups, and file storage.
Compliance: Supabase is SOC 2 Type II certified. AWS infrastructure (which Supabase runs on) holds ISO 27001, SOC 1/2/3, and PCI DSS certifications. These certifications are maintained and audited by independent third parties.
Financial figures — Cost to Complete entries, WIP positions, invoice amounts — are never stored in application logs, error messages, or your browser's local storage.
2. Who can see your data
Other users cannot see your data. The database enforces Row Level Security (RLS) — a rule set built directly into the database engine. A query from one user's session cannot return another user's records, even if the request is deliberately crafted to try. This is not enforced at the application layer, which can have bugs. It is enforced inside the database itself.
Your team members can only access the data you explicitly grant them permission to. Each permission is a specific toggle — project management, invoices, daily logs, and others. A team member without invoice access cannot reach WIP or Cost to Complete data even with a valid login session.
The platform development team uses a Supabase service role key for server-side operations. This key bypasses RLS. It is stored only in server-side environment variables — never in browser code or the public repository.
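What owner isolation and a per-feature team toggle can look like as Postgres RLS policies, as an added illustration that is not the platform's actual schema. The table, column and policy names are hypothetical; auth.uid() and the authenticated role are Supabase's own.

```sql
-- Added illustration; table, column and policy names are hypothetical.
-- auth.uid() is Supabase's helper returning the user id from the session JWT.

create table invoices (
  id        uuid primary key default gen_random_uuid(),
  owner_id  uuid not null,            -- account that owns the record
  amount    numeric(14,2) not null
);

create table team_permissions (
  owner_id     uuid not null,         -- account granting access
  member_id    uuid not null,         -- team member receiving it
  can_invoices boolean not null default false,  -- the "invoices" toggle
  primary key (owner_id, member_id)
);

-- With RLS enabled and no matching policy, a query returns zero rows.
alter table invoices enable row level security;
alter table team_permissions enable row level security;

-- Account owners see only their own rows.
create policy invoices_owner_select on invoices
  for select to authenticated
  using (owner_id = auth.uid());

-- Team members see an owner's invoices only while the toggle is on.
-- Permissive policies are OR-ed, so either policy can admit a row.
create policy invoices_team_select on invoices
  for select to authenticated
  using (exists (
    select 1
    from team_permissions p
    where p.owner_id  = invoices.owner_id
      and p.member_id = auth.uid()
      and p.can_invoices
  ));

-- The subquery above runs as the calling user, so that user must be
-- allowed to read their own grant rows and nothing else.
create policy team_permissions_select on team_permissions
  for select to authenticated
  using (member_id = auth.uid() or owner_id = auth.uid());
```

Only SELECT is shown; with no INSERT, UPDATE or DELETE policy, the authenticated role cannot write to these tables at all. A connection made with the service role key skips every policy here, which is why that key has to stay in server-side configuration.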
We will not access your financial data except: (a) in response to a verified support request from the account owner, or (b) as required by law. This is the same model used by Procore, Sage, Buildertrend, and QuickBooks Online — every SaaS platform you use operates on it.
All admin-level database access is logged with a timestamp, query type, and the identity of the person performing it. You may request a copy of this log by emailing security@bosamcandc.com.
3. How documents are protected
Generated PDFs and Excel files — WIP exports, invoices, pay applications, change orders — are stored in private Supabase Storage buckets. They are not accessible by a public URL. You cannot guess or enumerate a document URL.
Documents are served via signed URLs that expire in 15 minutes. A signed URL is a time-limited, cryptographically verified link that only works for the user it was generated for. After 15 minutes, the link stops working — even if someone forwarded it.
Downloads use Content-Disposition: attachment, which forces the file to download rather than open in a shareable browser tab.
4. How your financial records are locked
Confirmed WIP records and submitted Cost to Complete entries cannot be deleted or silently overwritten. Once locked, a record is permanent.
If a figure needs to be corrected, the platform creates a new versioned record that references the original. The original is preserved. This means your history — the one your bank or bonding company may ask to see — cannot be altered after the fact.
This protects against accidental overwrites, disputes about reported figures, and audit requests from lenders or surety companies.
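One way a database can enforce "locked records are permanent, corrections are new versions", as an added illustration that is not the platform's actual implementation. The table, column, function and trigger names are hypothetical and the sample rows are constructed.

```sql
-- Added illustration; all names are hypothetical, sample rows are constructed.

create table wip_records (
  id            uuid primary key default gen_random_uuid(),
  owner_id      uuid not null,
  amount        numeric(14,2) not null,
  locked        boolean not null default false,
  supersedes_id uuid references wip_records (id),  -- original this row corrects
  created_at    timestamptz not null default now()
);

create function reject_locked_change() returns trigger
language plpgsql as $$
begin
  -- OLD is the row as stored before the attempted UPDATE or DELETE.
  if old.locked then
    raise exception 'wip_records row % is locked; insert a correction instead',
      old.id;
  end if;
  if tg_op = 'DELETE' then
    return old;   -- deleting an unlocked draft is allowed
  end if;
  return new;     -- editing an unlocked draft (including locking it) is allowed
end;
$$;

create trigger wip_records_immutable
  before update or delete on wip_records
  for each row execute function reject_locked_change();

-- Confirm a record, then correct it with a new version that points back to it.
insert into wip_records (id, owner_id, amount, locked)
values ('00000000-0000-0000-0000-000000000001',
        '00000000-0000-0000-0000-0000000000aa', 125000.00, true);

insert into wip_records (owner_id, amount, locked, supersedes_id)
values ('00000000-0000-0000-0000-0000000000aa', 131500.00, true,
        '00000000-0000-0000-0000-000000000001');

-- Both of these now fail with the exception above:
--   update wip_records set amount = 0
--    where id = '00000000-0000-0000-0000-000000000001';
--   delete from wip_records
--    where id = '00000000-0000-0000-0000-000000000001';
```

Row-level triggers do not fire on TRUNCATE, so that privilege has to be withheld from application roles separately.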
5. What we ask of you
Platform security only works if your account credentials are secure. We ask that you:
- Use a strong, unique password for this account.
- Enable two-factor authentication on your email account — your email is the key to this platform.
- Log out when you are on a shared or public device. Close the browser tab.
- Do not share your login credentials with people who should not have access. Use the Team Seats feature instead — it gives individuals their own login with scoped permissions.
- If you suspect your account has been accessed without your permission, email security@bosamcandc.com immediately.
6. How to request your data or an access log
You may request a full export of your account data or a copy of the admin access log for your account at any time.
Email security@bosamcandc.com from the email address on your account. Include your company name and what you are requesting. We will respond within 5 business days.
To request deletion of your account and all associated data, email the same address with the subject line: "Data Deletion Request." Deletion is permanent and cannot be undone.
7. How to report a security issue
If you discover a vulnerability or a potential security issue with the platform, please report it responsibly before disclosing it publicly.
Email security@bosamcandc.com. Include a description of what you found and how to reproduce it. We will acknowledge your report within 48 hours and will work to resolve confirmed issues promptly.
In the event of a confirmed data breach affecting customer financial data, affected account owners will be notified by email within 72 hours. Notification will include what data was affected, the time window, and what is being done.