Security and Trust

Your building data, meter readings, and compliance evidence are critical operational assets. Here is how we protect them.

Data protection

  • AES-256-GCM encryption for all stored credentials
  • scrypt password hashing with per-user salts
  • TLS encryption for all data in transit
  • Server-side sessions only. No sensitive data in browser storage

Authentication

  • Single Sign-On: Azure AD, Okta, Google Workspace, and SAML 2.0
  • SCIM 2.0 automated user provisioning and de-provisioning
  • Session management with secure, HTTP-only cookies
  • Rate limiting on authentication endpoints

Access control

  • 4-tier role-based access control: Owner, Admin, Manager, Engineer
  • All role checks enforced at the server level, not just in the UI
  • Tenant isolation: every database query is scoped to your organisation
  • No cross-tenant data access by design

Audit logging

  • Structured audit trail covering key data changes, logins, and configuration updates
  • Audit logs are append-only and cannot be modified or deleted by users
  • Exportable audit records for regulatory investigations
  • Timestamp, actor, action, and affected resource recorded for each logged event

AI data handling

  • Consultant AI is evidence-grounded. Every answer cites real building data
  • We do not train models on your data
  • AI outputs include confidence indicators and source references
  • If evidence is missing or contradictory, the system says so explicitly

Infrastructure

  • Hosted in the EU (Amsterdam, Netherlands) on Railway for EU data residency
  • TLS everywhere. No unencrypted connections
  • Regular dependency audits and security patches
  • Automated monitoring and alerting for infrastructure health

Compliance certifications

We are working toward SOC 2 Type II certification. We are not yet certified. If your procurement process requires SOC 2 or ISO 27001 documentation, contact us and we will share our current security posture, controls, and timeline.

We believe in being honest about where we are, rather than implying certifications we have not yet achieved.

Questions about security?

We are happy to discuss our security architecture, share our controls documentation, or answer questions from your IT and procurement teams.