Security Policy

Overview

At BIM Engine, we know that your architectural designs, point clouds, and site data are your most valuable assets. We have designed our platform from the ground up to exceed industry standards for security, availability, and confidentiality.

Below is an overview of our security architecture and the controls we have implemented to protect your data.

Compliance & Certifications

SOC 2 Alignment

Our internal controls and security framework are designed in accordance with SOC 2 (Service Organization Control) Trust Services Criteria. We maintain documentation and automated monitoring of our controls, and are currently undergoing our first SOC 2 Type II audit.

Audit Trails

We maintain logs across our infrastructure — Vercel deployment logs, Supabase database audit logs, and AWS CloudTrail for object-storage access.

Background Checks

All employees undergo mandatory background checks prior to employment.

Confidentiality

Every employee and contractor signs strict Non-Disclosure Agreements and Confidentiality Agreements before being granted access to customer data.

Infrastructure Security

Our platform is built on Vercel (application hosting), Supabase (managed Postgres), and Amazon S3 (object storage). All three providers maintain SOC 2 Type II attestations.

Network Segregation

Production environments are strictly isolated from preview, development, and testing environments. Production credentials and API keys are scoped to the production environment only.

Monitoring

We monitor platform activity via Vercel logs, Supabase database audit logs, and AWS CloudTrail. Material anomalies are routed to our on-call engineer.

Encryption in Transit

All client-server and server-server traffic is encrypted via TLS 1.2 or 1.3. HTTP requests to our production hostnames are redirected to HTTPS, and HSTS is enforced.

Encryption at Rest

Data stored in Supabase Postgres and Amazon S3 is encrypted at rest using AES-256.

Endpoint Security

All company devices and removable media are encrypted to prevent data loss.

Organizational Security

Security is a human process as much as a technical one.

Access Control

We enforce strict "Least Privilege" access. Multi-factor authentication is required across our identity provider (Google Workspace), our cloud accounts, and our administrative tools.

Security Training

All employees complete general security awareness training upon hire and annually thereafter.

Vendor Management

We maintain a strictly vetted Vendor List. All third-party sub-processors must meet authentication and security standards consistent with our own.

Secure Development Lifecycle (SDLC)

We integrate security directly into our development workflow.

CI/CD Pipeline

We use GitHub Actions and Vercel for automated build, test, and deployment, reducing the risk of human error in production releases.

Vulnerability Management

We run automated dependency scanning on every pull request and remediate findings according to severity.

Change Management

All system changes go through pull request review, automated testing, and an audited deployment pipeline before reaching production. Material customer-facing changes are communicated via in-app notifications.

Device Policy

Full-disk encryption is enforced on all company devices, secure-disposal procedures are documented, and 1Password is required for all staff credentials.

Data Privacy & Reliability

Data Deletion

Customers may request deletion of their data by emailing support@bimengine.ai or security@bimengine.ai. We maintain records of deletion requests to support compliance with privacy laws.

Insurance

BIM Engine is evaluating cybersecurity insurance options appropriate for our current scale and risk profile.

Access Reviews

We perform regular access reviews to ensure that only active, authorized personnel have access to critical systems.

Vulnerability Reporting

We value the contributions of the security research community. If you believe you have found a security vulnerability in BIM Engine, please report it to us immediately.

Contact: security@bimengine.ai

Response: We will acknowledge receipt of your report and work with you to remediate the issue.