Security Practices

Last updated: Jun 25, 2026 · Version: security-2026-06-25

This document is a template provided for transparency. It has not been reviewed by an attorney and requires review by counsel before you rely on it legally.

Our commitment

Security is built into every layer of Smart Site Plan, from encrypted storage and authenticated file access to role-based permissions and tamper-evident audit logs. This page documents the practices we use to protect your data. It is a summary of our practices, not a contract; enterprise customers can request additional detail under NDA.

Encryption

In transit. All connections to the Service use TLS. Insecure connections are redirected or rejected.

At rest. Stored data is encrypted at rest by our infrastructure providers. Uploaded files are held in encrypted object storage and served only through authenticated, time-limited signed URLs, so raw storage locations are never exposed to clients.

Secrets. Signing keys and credentials are stored in environment configuration, never in source code, and are rotated as needed.

Authentication

Passwordless sign-in. One-time email codes eliminate password reuse and phishing risk.

Passkeys. Hardware security keys and device biometrics (WebAuthn) are fully supported.

Two-factor authentication. Authenticator-app (TOTP) and optional SMS two-factor are available, with hashed recovery codes.

Single sign-on. Optional sign-in with Google for organizations that prefer federated identity.

Sessions. Sessions use signed, secure, HTTP-only tokens with cross-site protections and automatic expiration, and you can review and revoke active sessions and trusted devices.

Step-up verification. Sensitive actions (such as changing your billing email or security settings) require re-verification, and sign-ins from a new device are detected and flagged.

Access control and tenant isolation

Role-based access. Project access is governed by roles (owner, editor, commenter, viewer), and every action enforces the required role. The operator console is restricted to an explicit allowlist.

Isolation. Customer data is logically isolated, and access is scoped to your account and the projects you are a member of so one customer cannot reach another's data.

Audit logging

Security-relevant actions are written to an append-only audit log that records the actor, IP address, user agent, and context. Entries are protected with a tamper-evident signature and hash chain, so any alteration is detectable. Logs are retained on a plan-based schedule for investigation and compliance.
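The "signature and hash chain" described above can be illustrated with a small append-only log in which each entry carries the hash of its predecessor and an HMAC over its own hash, so editing, reordering or forging an entry breaks the chain or the signature. This is an added example written for this page, not the Service's own implementation; the signing key, entry fields and sample actors are constructed.

```python
import hashlib
import hmac
import json
from typing import List, Optional, Tuple

GENESIS_HASH = "0" * 64
# Assumption: in production the signing key comes from a secret store, never from
# the database that holds the log, so an attacker with database write access
# cannot re-sign entries they alter. The value below is constructed for the demo.
AUDIT_SIGNING_KEY = b"constructed-audit-signing-key"


def _canonical(body: dict) -> bytes:
    """Deterministic encoding so the hash does not depend on dict ordering."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


class AuditLog:
    def __init__(self, key: bytes):
        self._key = key
        self.entries: List[dict] = []

    def append(self, actor: str, action: str, ip: str, user_agent: str,
               context: Optional[dict] = None) -> dict:
        prev_hash = self.entries[-1]["hash"] if self.entries else GENESIS_HASH
        body = {
            "seq": len(self.entries),
            "actor": actor,
            "action": action,
            "ip": ip,
            "user_agent": user_agent,
            "context": context or {},
            "prev_hash": prev_hash,          # links this entry to the one before it
        }
        entry_hash = hashlib.sha256(_canonical(body)).hexdigest()
        # The signature binds the hash to the server-side key; recomputing a hash
        # after tampering is not enough without the key.
        signature = hmac.new(self._key, entry_hash.encode(), hashlib.sha256).hexdigest()
        entry = dict(body, hash=entry_hash, sig=signature)
        self.entries.append(entry)
        return entry

    def head(self) -> str:
        """Hash of the latest entry; publish or store it out of band to detect truncation."""
        return self.entries[-1]["hash"] if self.entries else GENESIS_HASH

    def verify(self) -> Tuple[bool, Optional[int]]:
        """Walk the chain; return (True, None) or (False, index of first bad entry)."""
        prev_hash = GENESIS_HASH
        for index, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k not in ("hash", "sig")}
            if body.get("seq") != index or body.get("prev_hash") != prev_hash:
                return False, index                      # reordered, removed or inserted entry
            if hashlib.sha256(_canonical(body)).hexdigest() != entry["hash"]:
                return False, index                      # field edited after the fact
            expected_sig = hmac.new(self._key, entry["hash"].encode(), hashlib.sha256).hexdigest()
            if not hmac.compare_digest(expected_sig, entry["sig"]):
                return False, index                      # hash rewritten without the key
            prev_hash = entry["hash"]
        return True, None


def build_sample_log(key: bytes = AUDIT_SIGNING_KEY) -> AuditLog:
    """Constructed sample: three security-relevant events from a documentation IP range."""
    log = AuditLog(key)
    log.append("user_123", "project.role.changed", "198.51.100.7", "Mozilla/5.0",
               {"project": "prj_42", "target": "user_456", "role": "editor"})
    log.append("user_123", "api_key.created", "198.51.100.7", "Mozilla/5.0",
               {"key_id": "k_01", "environment": "live"})
    log.append("user_456", "session.revoked", "203.0.113.9", "curl/8.0",
               {"session": "sess_9"})
    return log
```

Two design points follow from the verifier: a chain only proves integrity of the entries it still contains, so truncating the tail is invisible unless the latest head hash is anchored somewhere the database writer cannot reach (a separate store, a periodic external timestamp, or the customer's own copy), and the signing key must not be readable from the same place as the log, or the signature adds nothing over the plain hash chain.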

Infrastructure and resilience

Hosting. The Service runs on enterprise-grade cloud infrastructure with global edge delivery for the web application.

Databases. Managed databases provide encryption at rest, continuous backups, and point-in-time recovery.

Backups. Databases are backed up on a regular schedule and recovery is tested, so data can be restored after a failure.

Network and abuse protection

An enterprise edge network provides DDoS protection and bot mitigation. Authentication and sensitive operations are rate-limited, repeated failed attempts trigger graduated lockout, and automated bot checks help block fraudulent account creation.

Application security

Input validation. Inputs are validated at system boundaries, uploads are checked, and database queries are parameterized, so untrusted input cannot be interpreted as code.

Browser hardening. A Content Security Policy restricts code execution and resource loading in the browser.

Error handling. Internal error details are never exposed to clients; errors are logged securely for review.

Dependencies. Dependencies are kept current and reviewed, security advisories are acted on promptly, and production code is type-checked and tested in continuous integration before it ships.

Developer platform and API security

API keys. Keys are stored only as a strong one-way hash with a server-side pepper; the secret is shown once at creation and never retrievable afterward. Keys are scoped to least-privilege capabilities, support separate test and live environments, and can be rotated with an overlap window or revoked at any time.
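To make the "one-way hash with a server-side pepper" concrete, the following is an added example of how such a key store can work; it is not the Service's code, and the key format, prefix, scope names and pepper value are assumptions. The stored record never contains the secret, the pepper lives in configuration rather than beside the hashes, lookup uses a non-secret key id, and comparison is constant-time.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, Optional, Tuple

# Assumption: the pepper is loaded from environment configuration at startup and is
# never written to the database, so a dumped key table cannot be verified offline.
API_KEY_PEPPER = b"constructed-server-side-pepper"
KEY_PREFIX = "ssp"                 # assumed prefix, not the Service's real format
ENVIRONMENTS = ("test", "live")    # separate test and live keys


def hash_api_key(secret: str, pepper: bytes = API_KEY_PEPPER) -> str:
    # HMAC-SHA256 keyed with the pepper. API keys are high-entropy random strings,
    # so a slow password hash is unnecessary; the pepper is what stops offline guessing.
    return hmac.new(pepper, secret.encode(), hashlib.sha256).hexdigest()


def create_api_key(environment: str, scopes: Iterable[str]) -> Tuple[str, dict]:
    """Return (secret, record). Only `record` is persisted; `secret` is shown once."""
    if environment not in ENVIRONMENTS:
        raise ValueError("environment must be 'test' or 'live'")
    key_id = secrets.token_hex(6)                       # public identifier used for lookup
    secret = f"{KEY_PREFIX}_{environment}_{key_id}_{secrets.token_urlsafe(32)}"
    record = {
        "key_id": key_id,
        "environment": environment,
        "scopes": frozenset(scopes),                    # least-privilege capabilities
        "hash": hash_api_key(secret),
        "revoked": False,
    }
    return secret, record


def parse_key_id(secret: str) -> Optional[str]:
    """Pull the lookup id out of a presented key without trusting anything else in it."""
    parts = secret.split("_", 3)
    if len(parts) != 4 or parts[0] != KEY_PREFIX or parts[1] not in ENVIRONMENTS:
        return None
    return parts[2]


def authenticate(presented: str, store: Dict[str, dict], required_scope: str) -> Optional[dict]:
    """Return the key record if the presented secret is valid, live and carries the scope."""
    key_id = parse_key_id(presented)
    record = store.get(key_id) if key_id else None
    if record is None or record["revoked"]:
        return None
    # Constant-time comparison of the peppered hash; the stored value alone cannot be
    # turned back into the secret.
    if not hmac.compare_digest(hash_api_key(presented), record["hash"]):
        return None
    if required_scope not in record["scopes"]:
        return None
    return record


def revoke(record: dict) -> None:
    record["revoked"] = True
```

Rotation with an overlap window fits this model by creating a second record for the same owner and revoking the old one after the window closes; because each key has its own id, both verify independently in the meantime.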

Access controls. Secret keys support an optional IP allowlist; browser-facing publishable keys are bound to an origin allowlist enforced against the real request origin. Per-key rate limits and customer-set spend caps (with automatic suspension) protect against runaway use and abuse.

Webhooks. Outbound webhooks are signed with HMAC so you can verify authenticity; signing secrets are encrypted at rest and shown once. Webhook destinations are validated to block internal and private network addresses, protecting against server-side request forgery. Inbound webhooks from our providers are verified by signature and de-duplicated.
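The two webhook controls above, HMAC signing that a receiver can verify and destination validation against internal addresses, are shown together in this added example. It is not the Service's code: the header layout (`t=<timestamp>,v1=<hex>`), the replay tolerance and the sample payloads are assumptions, and the resolver hook exists so the destination check can be exercised without network access.

```python
import hashlib
import hmac
import ipaddress
import socket
import time
from typing import Callable, List, Optional, Tuple
from urllib.parse import urlparse

SIGNATURE_TOLERANCE_SECONDS = 300   # assumed replay window


def _signed_message(timestamp: int, body: bytes) -> bytes:
    # The timestamp is bound into the MAC so a captured delivery cannot be replayed later.
    return f"{timestamp}.".encode() + body


def sign_webhook(secret: bytes, body: bytes, timestamp: Optional[int] = None) -> str:
    """Sender side: produce the signature header for an outbound delivery."""
    ts = int(time.time()) if timestamp is None else timestamp
    mac = hmac.new(secret, _signed_message(ts, body), hashlib.sha256).hexdigest()
    return f"t={ts},v1={mac}"


def verify_webhook(secret: bytes, body: bytes, header: str, now: Optional[int] = None,
                   tolerance: int = SIGNATURE_TOLERANCE_SECONDS) -> bool:
    """Receiver side: verify over the raw body bytes, before parsing them."""
    try:
        fields = dict(part.split("=", 1) for part in header.split(","))
        ts = int(fields["t"])
        presented = fields["v1"]
    except (ValueError, KeyError):
        return False
    now = int(time.time()) if now is None else now
    if abs(now - ts) > tolerance:
        return False                                    # stale or replayed delivery
    expected = hmac.new(secret, _signed_message(ts, body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, presented)     # constant-time comparison


def _is_public(ip_text: str) -> bool:
    addr = ipaddress.ip_address(ip_text)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped                         # judge ::ffff:10.0.0.1 as 10.0.0.1
    # is_global excludes loopback, link-local, RFC 1918, CGNAT and documentation ranges;
    # multicast is excluded explicitly for older interpreters.
    return addr.is_global and not addr.is_multicast


def _default_resolver(host: str) -> List[str]:
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def validate_destination(url: str,
                         resolver: Callable[[str], List[str]] = _default_resolver) -> Tuple[bool, str]:
    """Reject webhook URLs that would make the server talk to non-public addresses."""
    parts = urlparse(url)
    if parts.scheme != "https":
        return False, "https required"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        addresses = [str(ipaddress.ip_address(host))]  # literal IP, including [::1]
    except ValueError:
        try:
            addresses = resolver(host)
        except OSError:
            return False, "unresolvable host"
    if not addresses:
        return False, "unresolvable host"
    for ip in addresses:                                # every resolved address must pass
        if not _is_public(ip):
            return False, f"non-public address {ip}"
    return True, "ok"
```

Checking the URL once at registration is not sufficient on its own: a hostname can resolve to a public address when saved and to an internal one at delivery time. The check therefore belongs at delivery as well, with the connection made to the address that was validated, and redirects should be re-validated the same way.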

Connectors. Our Model Context Protocol interface exposes read-only, scope-gated tools authenticated by the same key model; it cannot mutate your data.

Enterprise identity

Organizations on Team and Enterprise plans can configure, where enabled, single sign-on (SAML and OIDC, including Microsoft Entra and Google), directory provisioning (SCIM), and per-organization authentication policies such as required assurance level, phishing-resistant factors, session and idle timeouts, and lockout thresholds. Deprovisioning a user through the directory revokes their sessions and API access, and enforced single sign-on can disable local credentials for the organization.

Data handling

Residency. Data is processed and stored in the United States.

Minimization. We collect only what is needed to provide the Service and avoid unnecessary tracking.

AI processing. Content you submit to AI features is sent to our AI sub-processor only to generate your result and is not retained by the provider beyond the request or used to train its models.

Deletion. When you delete your account, customer data is deleted within 30 days and encrypted backups are purged within 90 days, except where retention is required by law.

Monitoring and incident response

We continuously monitor errors and anomalies and keep an immutable trail of security-relevant events. If an incident affects your data, we will investigate, contain it, and notify affected customers in line with applicable law and our Data Processing Agreement.

Privacy and compliance

We support access, correction, deletion, and export rights for individuals, and we honor California consumer privacy rights including the right to opt out of sale or sharing. See our Privacy Policy, Data Processing Agreement, and Sub-Processor Register for detail.

Reporting a vulnerability

We welcome responsible security research. If you believe you have found a security issue, email security@smartsiteplan.com. We acknowledge reports promptly and will not pursue legal action against good-faith researchers who follow this policy. Please give us a reasonable chance to fix an issue before any public disclosure, and do not access, modify, or delete data that is not yours, degrade the Service, or use social engineering.

In scope: preview.smartsiteplan.com and the Smart Site Plan application and API. Out of scope: third-party services, denial-of-service testing, and physical or social-engineering attacks.

Security contact

For security inquiries, compliance questions, or enterprise security reviews (including our Data Processing Agreement and security questionnaires under NDA), contact security@smartsiteplan.com.