Security & Data Protection

🏛️

Where Your Data Lives

Your data is stored in Supabase — a PostgreSQL database hosted on AWS US infrastructure
Supabase holds SOC 2 Type II compliance — the same compliance standard required by healthcare organizations and enterprise software platforms
All data remains in the United States — no foreign data centers, no cross-border transfers

🔒

How Your Data Is Isolated

Row-Level Security (RLS) — your data is walled off at the database level, not just the application level
No cross-account visibility — Beck's data is invisible to any other customer, including us, unless you explicitly grant access

The Apartment Building Analogy Think of it like an apartment building. Each client has their own locked apartment with their own key. The building has shared infrastructure — plumbing, electricity — but the building manager cannot enter your apartment without your explicit permission. Your neighbors cannot see inside. Your data lives in your locked apartment.

🛡️

Encryption

AES-256 encryption at rest — the same standard used by the U.S. military, government agencies, and healthcare systems
TLS 1.3 encryption in transit — data is encrypted the moment it leaves your browser and remains encrypted until it reaches Supabase's infrastructure on Amazon Web Services (AWS). EstimateIntel does not operate its own servers — your data is hosted on enterprise-grade AWS infrastructure trusted by healthcare systems, financial institutions, and government agencies.

🪪

Authentication & Access

Access is user ID-based — only authenticated Beck users can see Beck data
Named individuals with access are documented and listed in the mutual NDA
There is no pathway — at any level of the system — for one account to view another account's data

💻

How Your Data Is Processed

EstimateIntel is a software application. The reconciliation logic, classification engine, and reporting are all built into the software itself. When Beck uses the platform, the software runs on its own coded logic — the same way Sage runs your accounting or Procore runs your project management.

How we built the software: We use Anthropic's Claude as a software engineering tool through Visual Studio Code, which is a professional development environment used by software engineers worldwide. Claude writes code under the direction of our software engineering team, who reviews and approves all code before it enters production. This is our development process — it does not involve your data. By the time Beck uses the product, the software is already built and running. Even at this stage, all development runs through Anthropic's secure API, which does not use any inputs or outputs for model training. (See Anthropic's published privacy policy below for full details.)

The one place a secure API is involved in production: When a subcontractor bid comes in as a PDF, the software needs to read that document and extract the vendor name, trade, amounts, and line items into structured data. This document parsing step uses a secure API call. Every major document parsing tool on the market works the same way:

Adobe Acrobat uses AI-powered OCR with neural networks for text extraction and table detection
ABBYY FineReader uses generative AI and neural network architectures for document classification and extraction
Amazon Textract is a machine learning service on AWS for extracting text, handwriting, and tables from documents
Google Document AI uses generative AI-powered custom extractors for parsing structured and unstructured documents

Our document parsing runs through the same type of secure API call these tools use. The PDF goes in, structured data comes out, and the result is stored in Beck's private database. Nothing is retained by the API provider beyond a short safety monitoring window.

Data is extracted at the line item level and organized into a universal construction language: Division > Subcategory > Description. This structure enables precision benchmarks while maintaining complete anonymity.

Our API provider: Anthropic Anthropic, the company behind Claude, states in their published privacy policy: "By default, we will not use your inputs or outputs from our commercial products (e.g. Claude for Work, Anthropic API, Claude Gov, etc.) to train our models." This applies to all commercial API usage. API data is retained for up to 7 days solely for abuse monitoring, then permanently deleted. Your project data does not train, improve, or contribute to any model that other companies can access.

Source: Anthropic Privacy Center — Is My Data Used for Model Training?

For comparison — here is how the tools Beck already uses handle your data:

Sage (Beck's accounting software) Sage's published privacy policy for Sage Intacct states that Customer Data is used "as a processor to provide the Sage Intacct Services and to address customer support requests" and also "for product research, development, and innovation." Sage does not publish an explicit statement that customer financial data is excluded from AI model training. Their Responsible AI page references using "real-world customer and compliance data" in model development.

Source: Sage — Intacct Privacy Policy
Source: Sage — Trust and Security

SAP Crystal Reports (Beck's reporting layer on top of Sage) Crystal Reports connects directly to Beck's Sage database to pull financial data for formatted reports. SAP, Crystal Reports' parent company, states that in AI-enabled scenarios, "customer data is used only with explicit consent and is anonymized where necessary" and that their enterprise LLMs "do not retain any input or output from API interactions." However, Crystal Reports itself operates as an on-premise tool with direct, unmediated access to your raw accounting data. There is no API layer between Crystal Reports and your financials. EstimateIntel's approach is more isolated — your data passes through a secure API call to Supabase (hosted on AWS) that does not retain data beyond the encrypted database, rather than a tool sitting directly on top of your database.

Source: SAP Trust Center — Data Protection and Privacy

Other industry-leading construction platforms:

Procore (industry-leading construction PM software) Procore states that "no customer data is used to train, retrain, fine-tune, or improve Microsoft Azure OpenAI or any other Microsoft products or services." However, Procore also states that their "internal models may utilize data collected from customer inputs and outputs to help improve Procore AI accuracy." This means Procore uses customer project data to train their own internal AI systems, while ensuring it is not shared with Microsoft or other customers.

Source: Procore — Data Privacy and Governance
Source: Procore — AI Data Security FAQ

Our data handling policy is stricter than all of the platforms listed above. The software application runs on its own logic. The only API involvement is document parsing — the same function every PDF tool performs — and nothing is retained or used for training.

Looking ahead: The only scenario in which EstimateIntel would ever build its own proprietary model is when the anonymized aggregate data pool across the country is large enough to warrant a dedicated software assistant for estimators. If and when that happens, that model would be trained exclusively on anonymized regional benchmark data — statistical averages, ranges, and percentiles that contain no identifying information. No individual company's raw project data, sub pricing, or project details would ever be used to train any model. Beck would be notified in advance of any change to the processing approach, consistent with the terms in the data processing agreement.

📋

Data Ownership

Beck owns 100% of its raw project data at all times — your estimates, bids, cost reports, and closeout files belong to Beck. Ownership never transfers.
EstimateIntel holds a limited processing license during the pilot only — solely for the purpose of delivering the software application
On termination or expiration: full export of all project data in a standard format, deletion of all Beck-specific records within 30 days, and written confirmation of deletion
Anonymized regional benchmarks — which contain no identifiable project, company, or individual information — are retained as a platform asset. These benchmarks exist at two levels of detail — trade category (broader patterns) and specific line item (precision benchmarks, available later). Vendor performance data is only visible to GCs who have used that vendor, with a minimum of five contributing companies required. This is consistent with how Procore, Sage, and all enterprise software platforms operate. The distinction between raw data (yours) and derived benchmarks (platform asset) is documented in the data processing agreement before any data is exchanged.

👁️

What We See vs. What You See

You See

Full project detail
Every estimate and bid
All cost breakdowns by trade category AND specific line item
Sub performance by trade and scope — traced from bid to change order to RFI to warranty callback
Client and project identifiers

We See

Anonymized patterns only
Aggregate cost benchmarks
Trade category and line item benchmarks — statistical averages only, no raw dollar amounts, no identifying information
No specific project numbers
No client names or addresses

Your specific numbers, client names, and project details are never visible to anyone outside your account — including us.

No external system can request or receive benchmark data. Benchmarks are rendered inside the application only. All published values include built-in statistical variance protection.

💾

Backup & Recovery

Automated daily backups — no manual intervention required
Point-in-time recovery capability — data can be restored to any point within the retention window
Disaster recovery on redundant US-based infrastructure — single points of failure are eliminated at the infrastructure level

Security & Data ProtectionPlain-Language Overview

Security & Data Protection
Plain-Language Overview