Security & privacy

Trust Center

Your projects. Your data. Your rules. We store as little as possible, your files can live in your own Drive, and your clients never need an account. Here’s exactly how it works.

Start free Talk to us

Trust at a glance

No accounts for your clients
Your Google Drive, your bytes
Photo GPS stripped by default
Executables refused at upload
Webhooks HMAC-signed
Server-side sessions, never JWTs

Who trusts this approach?

Teams whose projects involve clients, vendors, money, and site photos — where “who saw what, and where did that file go” actually matters.

Real Estate Construction Property Management Hotel Operations Interior Design Vendors & Contractors

Privacy by design

The safest data is the data we never hold. We keep what’s needed to run the service — and nothing else.

We store metadata only
We never read your content
No ad pixels, never sold
Encrypted at rest

Your files stay yours

Bring your own Drive — we never hold the bytes

Start with 10 GB on us, or connect a free Google Drive and every future upload lands in your cloud instead. The switch is binary, and reversible.

Connect your Drive — uploads land in your cloud, never ours
Downloads gated through an authorization-checked handler — no direct filesystem URLs
Revoke our access in one click; we’re out
Nightly backup ZIP to your own Drive on every plan

Safer sharing

Links that open one door, not the building

Magic links let clients and vendors join without an account — and each link is tightly scoped so it can only ever do one thing.

Single-use and expirable
Scoped to one participant on one project
Read-only or reply access — your choice
Share viewers use the same authorization path as your team — no public-URL leaks

Upload protection

Every file is checked before it lands

Clients and vendors upload from devices you don’t control. We treat every upload as untrusted until it proves what it is.

Server-side type-sniff — the claimed type must match the actual bytes
Executables, scripts, and active web content (.exe / .js / .html / .wasm…) refused at upload
Images re-rendered server-side; large files never echoed through app memory

Location privacy

Site photos don’t leak where you stood

A photo from a job site or a listing carries GPS coordinates by default. We strip that before it ever leaves the browser — so a shared thread can’t give away an address or a vacant property.

Camera EXIF — including GPS — stripped client-side before upload, by default
Workspace toggle preserves metadata for surveying / mapping workflows
iPhone HEIC converts to JPEG locally — renderable everywhere, no broken thumbnails

Under the hood

The plumbing that holds it all up — for the people who want the specifics.

Transport

HTTPS everywhere with HSTS, a strict CSP on the authenticated app, and modern TLS only.

Authentication

bcrypt password hashing, optional TOTP two-factor, server-side sessions (never JWTs), 8h idle / 30d absolute, and CSRF tokens on every state-changing form.

Authorization

Every query is filtered by your active workspace, with owner / admin / member role gating on sensitive actions.

Webhooks

Outbound HMAC-SHA256 signing, inbound shared-secret checks with rate limiting, and idempotency keys on every delivery.

Inbound verification

Twilio signatures checked on every inbound SMS; the IMAP poller authenticates your mailbox; routing keyed on workspace + project, never user-controlled IDs.

Audit log

Every workspace-mutating action records who, what, and when — available to workspace owners on request.

Responsible disclosure

Found a vulnerability? Email with the subject Security report. We acknowledge within 2 business days and fix high-severity issues before public disclosure. We’re a small team — please don’t run automated scans against production; we’ll happily provide a staging environment if you ask.

What we’re working toward

Honest about what isn’t done yet:

SOC 2 — planned Customer-managed keys — Enterprise SSO (SAML / OIDC) — Enterprise

Need one of these before signing? Talk to us.