Constructa

Security

Constructa uses layered tenant, application, provider, and recovery controls designed for sensitive residential project data.

Effective July 11, 2026

Core controls

  • Company-scoped row-level security plus explicit server-side tenant filters.
  • Private floor-plan and proposal storage with expiring signed or tokenized access.
  • Role-based owner, administrator, user, and platform access boundaries.
  • Signed provider webhooks, idempotent financial and delivery events, distributed rate limits, and durable job retries.
  • Trace-linked diagnostics, audit records, nightly encrypted-platform transport, and off-machine logical backups.

Responsible reporting

Report suspected vulnerabilities to security@getconstructa.com. Include affected route, reproducible steps, impact, and a safe contact method. Do not access other customers' data, disrupt service, or publish details before remediation coordination.

Incident response

Security reports are triaged by severity. Material incidents are contained, investigated, restored from verified systems when needed, documented with traceable actions, and communicated to affected customers consistent with applicable obligations.

Current limits

Pre-revenue backups are nightly logical dumps rather than point-in-time recovery. Supabase Pro platform backups are required when the first paying customer is onboarded. Security documentation is reviewed before general availability and after material architecture changes.