Security at Submittal
Construction teams trust us with submittal packages, drawings, and project data. Here is how we protect it.
Last updated: April 21, 2026
Compliance posture
Submittal.app is actively preparing for SOC 2 Type II attestation covering Security, Availability, and Confidentiality trust service criteria. A Type I report is targeted for completion in 2026. Customers pursuing enterprise procurement can request a copy of our current security documentation and a Letter of Engagement under NDA.
We align our controls with the AICPA Trust Services Criteria, NIST Cybersecurity Framework, and CIS Controls v8. Our payment flows inherit PCI DSS compliance from Stripe (we are SAQ-A eligible — no cardholder data touches our infrastructure).
Data encryption
- In transit: All traffic to and from Submittal.app is encrypted using TLS 1.2 or higher. HTTP traffic is redirected to HTTPS.
- At rest: Customer data in MongoDB is stored on encrypted EBS volumes (AES-256). File uploads in Amazon S3 are encrypted using SSE-S3 (AES-256) with bucket-level enforcement.
- Secrets: API keys and credentials are stored in AWS Secrets Manager and environment variables scoped per-service. No secrets are committed to source control.
- Backups: MongoDB is backed up daily with 30-day retention. Backups are encrypted and access-controlled.
Access control
- Authentication: Customer authentication uses JWT with 8-hour expiry. We also support Google OAuth and Microsoft (Azure AD / MSAL) single sign-on.
- Tenant isolation: Every data model enforces organization-scoped ownership. Backend middleware denies cross-tenant reads and writes. Production violations raise alerts; development logs for review.
- Internal access: Production access is limited to named engineers on a least-privilege basis. All production access requires MFA. Access is reviewed quarterly.
- Audit logging: Administrative and billing events are logged. AWS CloudTrail records infrastructure changes.
Infrastructure
- Hosting:Submittal.app runs on Amazon Web Services (US East). We rely on AWS's physical security and SOC 2 / ISO 27001 certifications for the underlying infrastructure.
- Network: Services run behind a reverse proxy with TLS termination. Database access is restricted to application servers over private networking.
- Monitoring: Application and infrastructure health are monitored 24/7 with automated alerting. Error tracking captures anomalies for engineering review.
- Patching: OS and dependency updates are applied on a rolling basis; critical CVEs are patched within 7 days of disclosure.
Secure development
- All code changes go through pull request review in GitHub before merging to the main branch.
- Branch protection and required CI checks enforce review and build validation prior to deploy.
- Dependencies are scanned for known vulnerabilities; Dependabot alerts are reviewed and remediated.
- Secrets scanning runs on all commits.
- Deployments are automated via GitHub Actions with signed, auditable releases.
Business continuity & disaster recovery
- RPO: 24 hours (daily database backups).
- RTO: 8 hours for full restoration from backup.
- Backups are stored in a separate AWS region from production to protect against region-level failures.
- We test our restoration procedure at least annually.
Incident response
We maintain a documented incident response plan covering detection, triage, containment, eradication, recovery, and post-incident review. In the event of a confirmed security incident affecting customer data, we will notify affected customers without undue delay and no later than 72 hours from confirmation.
To report a suspected vulnerability or security issue, email security@submittal.app. We acknowledge reports within one business day.
Employee security
- All team members sign confidentiality agreements as a condition of engagement.
- Background checks are performed prior to granting production access.
- Security awareness training is completed at onboarding and refreshed annually.
- Access to customer data is revoked within one business day of offboarding.
Subprocessors
We use a small number of trusted vendors to deliver our service. Each subprocessor is reviewed for security posture and contractually bound to protect customer data.
| Vendor | Purpose | Region |
|---|---|---|
| Amazon Web Services (AWS) | Cloud hosting, compute, and storage | US East |
| MongoDB | Primary application database | US |
| Stripe | Payment processing (PCI DSS Level 1) | US |
| SendGrid (Twilio) | Transactional email delivery | US |
| Twilio | SMS notifications | US |
| Google Cloud (Gemini API) | AI-assisted spec extraction | US |
| Qdrant | Vector search for product matching | US |
| Cloudflare | DNS, CDN, and DDoS protection | Global |
| GitHub | Source code hosting and CI/CD | US |
| Intercom | Customer support and in-app messaging | US |
Material changes to this list are announced at least 30 days in advance to customers under active enterprise agreements.
Data ownership & portability
Your data is yours. You can export submittal packages, product libraries, and project data at any time through the application. Upon account termination, customer data is deleted within 90 days, excluding backups which expire on their normal 30-day rotation. Enterprise customers can request expedited deletion.
Privacy
See our Privacy Policy for details on what personal information we collect and how it is used. We comply with the California Consumer Privacy Act (CCPA) and offer GDPR-aligned protections for users in the European Economic Area.
Requesting documentation
Enterprise customers and prospects can request the following under NDA:
- SOC 2 readiness summary and roadmap
- Penetration test summary (once available)
- Completed SIG Lite vendor security questionnaire
- Data Processing Addendum (DPA)
- Business Associate Agreement (BAA) — available on request for applicable customers
Email security@submittal.app to request documentation.