Security & Trust Center

Your Data. Your Plans.
Protected.

Vernier takes security seriously. We are building toward SOC 2 Type II certification and treat every uploaded plan as confidential. Below is exactly how we protect your information.

AI Data Promise

What Happens to Your Data.

This is the most important section on this page. Read it carefully.

  • Your plans are NEVER used to train AI models.
  • Uploaded files are processed, then deleted within 30 days of project close (or immediately on request).
  • AI processing happens via API calls — your data is not stored by the AI provider.
  • No customer data is shared with third parties for any purpose.
  • You own your data. Full stop.
Encryption & Infrastructure
  • AES-256-GCM encryption for API keys and sensitive data at rest
  • TLS 1.3 for all data in transit (enforced; no fallback to older protocols)
  • SQLite with WAL mode (PostgreSQL migration planned)
  • DigitalOcean infrastructure (US-based)
  • No data leaves US servers
Authentication & Access
  • Token-based auth with bcrypt password hashing
  • 7-day rolling sessions with automatic expiration
  • Optional Two-Factor Authentication (TOTP)
  • 30-day device trust for 2FA
  • Role-based access control (Admin, Member, Field)
  • Organization-scoped data isolation — you can never see another company's data
API Security

Hardened at Every Layer.

Rate Limiting
  • Login attempts: 10 per 15 minutes
  • AI processing: 20 requests per hour
  • File uploads: 50 per hour
Headers & Protections
  • CORS whitelist (no wildcards, no localhost in production)
  • Parameterized SQL (user input is bound as query parameters, never concatenated into query text)
  • Global exception handler (no stack traces leaked)
  • X-Frame-Options: DENY
  • X-Content-Type-Options: nosniff
  • Referrer-Policy: strict-origin-when-cross-origin
  • Cryptographically secure UUIDs (generated from random_bytes, a CSPRNG)
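An added example, written for this page and not Vernier's own code, showing how the controls in the Rate Limiting and Headers & Protections lists fit together in a small application layer: the three stated rate limits enforced as a sliding window, an organization-scoped user lookup against SQLite in WAL mode with bound parameters (so an input such as `' OR 1=1 --` is compared literally rather than parsed), the three response headers attached to every response, and version-4 UUIDs built from the CSPRNG. The function names, the `users` table, and the client identifier used as the rate-limit key are assumptions.

```python
"""Illustration of per-client rate limiting, parameterized SQLite queries,
hardening headers and CSPRNG-backed UUIDs. Example code for this page only;
the schema and function names are assumed, not taken from any product."""
import secrets
import sqlite3
import time
import uuid
from collections import defaultdict, deque

# Limits as listed on the page: bucket -> (max requests, window in seconds)
LIMITS = {
    "login": (10, 15 * 60),
    "ai": (20, 60 * 60),
    "upload": (50, 60 * 60),
}

# Response headers as listed on the page
SECURITY_HEADERS = {
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}


class RateLimiter:
    """Sliding-window limiter keyed by (bucket, client id)."""

    def __init__(self, limits=LIMITS):
        self.limits = limits
        self._hits = defaultdict(deque)  # (bucket, client) -> request timestamps

    def allow(self, bucket, client, now=None):
        """Return True and record the hit if the client is under the limit."""
        now = time.monotonic() if now is None else now
        max_hits, window = self.limits[bucket]
        q = self._hits[(bucket, client)]
        # Forget requests that have aged out of the window.
        while q and now - q[0] >= window:
            q.popleft()
        if len(q) >= max_hits:
            return False
        q.append(now)
        return True


def open_db(path=":memory:"):
    """Open SQLite with WAL journaling (an in-memory DB reports 'memory' and
    stays in memory; a file-backed DB switches to WAL) and create the assumed
    users table."""
    conn = sqlite3.connect(path)
    conn.execute("PRAGMA journal_mode=WAL")
    conn.execute(
        "CREATE TABLE IF NOT EXISTS users ("
        "id TEXT PRIMARY KEY, org_id TEXT NOT NULL, email TEXT UNIQUE NOT NULL)"
    )
    return conn


def new_id():
    """Version-4 UUID whose 122 random bits come from the OS CSPRNG."""
    return str(uuid.UUID(bytes=secrets.token_bytes(16), version=4))


def add_user(conn, org_id, email):
    uid = new_id()
    # Placeholders bind values; the driver never splices them into the SQL text.
    conn.execute(
        "INSERT INTO users (id, org_id, email) VALUES (?, ?, ?)", (uid, org_id, email)
    )
    return uid


def find_user(conn, org_id, email):
    """Organization-scoped lookup: a caller can only match rows in its own org,
    and the email is compared as a literal value, whatever characters it holds."""
    return conn.execute(
        "SELECT id, org_id, email FROM users WHERE org_id = ? AND email = ?",
        (org_id, email),
    ).fetchone()


def respond(status, body):
    """Build a (status, headers, body) triple with the hardening headers set."""
    headers = dict(SECURITY_HEADERS)
    headers["Content-Type"] = "application/json"
    return status, headers, body


if __name__ == "__main__":
    limiter = RateLimiter()
    print([limiter.allow("login", "client-a", now=float(t)) for t in range(11)])
    db = open_db()
    uid = add_user(db, "org-a", "alice@example.com")
    print(find_user(db, "org-a", "alice@example.com"))
    print(find_user(db, "org-a", "' OR 1=1 --"))
    print(respond(200, "{}")[1])
```

The login bucket admits ten attempts and refuses the eleventh until the oldest attempt falls out of the fifteen-minute window; the lookup with the injection-shaped email returns no row because the value is bound, not parsed.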
AI-Specific Controls

Responsible AI Infrastructure.

Purpose-built safeguards for AI-powered construction estimating.

Secure Inference Environment
  • All AI inference runs in secure, monitored environments with full audit logging
  • Isolated per-request processing — no cross-tenant data leakage
  • API calls encrypted end-to-end with TLS 1.3
  • No persistent storage of inputs or outputs by the AI provider
Explainability & Transparency
  • AI outputs include reasoning context so users can understand how estimates were derived
  • Confidence indicators on AI-generated line items and scope recommendations
  • Full token usage tracking per request for billing transparency
  • Users can review, override, and adjust any AI-generated output before finalizing
No Training Guarantee
  • Your data is NEVER used to train AI models — not by Vernier, not by our AI providers
  • Anthropic's commercial API terms contractually prohibit training on customer inputs
  • Company-specific calibration data is siloed per organization and never shared
  • This guarantee is backed by our Privacy Policy and enforceable DPA
Incident Response
  • Documented incident response plan covering detection, containment, eradication, and recovery
  • Affected customers notified within 72 hours of a confirmed data breach
  • Post-incident review with root cause analysis and remediation steps
  • Designated security point of contact reachable at (855) 562-8428
Compliance Roadmap

Where We're Headed.

We are transparent about where we are and where we are going.

  • SOC 2 Type II: in progress (target Q3 2026)
  • ISO 27001: planned (2027)
  • Bug bounty: launching Q3 2026
  • Penetration testing: annual, third-party
Data Processing Agreement

A Data Processing Agreement (DPA) is available upon request for any subscriber. Contact us at (855) 562-8428 and we'll have one to you within 24 hours.

Talk to Us

Questions About Security?

Call us directly. We are happy to walk through our security practices in detail, provide documentation for your compliance team, or set up a DPA.

(855) 562-8428