Security at Exayard
How we protect your plans, pricing, and project data — and how agents and integrations are authorized to access them.
Encryption
Data in transit is encrypted with TLS 1.3. Data at rest is encrypted with AES-256. Plan PDFs, takeoff measurements, and product pricing are encrypted at the storage layer.
Authentication
Identity is managed through Clerk. We support email/password, Google, Microsoft, and SAML SSO for Enterprise. Multi-factor authentication is available on all paid tiers.
API keys and OAuth
API keys carry an explicit scope list (read/write per resource). OAuth follows RFC 7591 Dynamic Client Registration so registered MCP clients (Claude, Cursor, etc.) get tokens via the protected-resource discovery endpoint. Access is least-privilege by default.
Audit logs
Every request carries an X-Request-Id. Agent identity is preserved through OAuth client IDs so audit logs distinguish "Claude Desktop acting for alice" from "alice directly."
Webhooks
Outbound webhooks are signed with HMAC-SHA256. Signatures include a timestamp, and deliveries older than 5 minutes are rejected. Endpoint secrets are returned only at creation time.
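A receiver-side check for a timestamped HMAC-SHA256 scheme like the one described above, as an added example that is not Exayard's code. This page does not document the header names or the signed-string layout, so the `<timestamp>.<body>` layout, the hex encoding, the function names and the sample values are assumptions.

```python
import hashlib
import hmac
import time
from typing import Optional

TOLERANCE_SECONDS = 5 * 60  # the 5-minute window stated on this page

# Constructed sample values, not real Exayard data.
SECRET = b"constructed-endpoint-secret"
BODY = b'{"event":"example.event","id":"evt_0001"}'


def sign(secret: bytes, timestamp: str, body: bytes) -> str:
    """Assumed layout: hex HMAC-SHA256 over b"<timestamp>." + raw body."""
    signed = timestamp.encode() + b"." + body
    return hmac.new(secret, signed, hashlib.sha256).hexdigest()


def verify(secret: bytes, timestamp: str, signature: str, body: bytes,
           now: Optional[float] = None) -> bool:
    """Return True only for an authentic delivery inside the time window."""
    if not isinstance(timestamp, str) or not isinstance(signature, str):
        return False
    try:
        ts = int(timestamp)
    except ValueError:
        return False
    now = time.time() if now is None else now
    # Stale deliveries (and ones dated far in the future) are dropped.
    if abs(now - ts) > TOLERANCE_SECONDS:
        return False
    # The MAC covers the timestamp exactly as received, so a captured
    # delivery cannot be re-dated without knowing the secret.
    expected = sign(secret, timestamp, body)
    # Constant-time comparison: no early exit on the first differing byte.
    return hmac.compare_digest(expected.encode(), signature.encode())


if __name__ == "__main__":
    sent_at = str(int(time.time()))
    sig = sign(SECRET, sent_at, BODY)
    print("fresh delivery accepted:", verify(SECRET, sent_at, sig, BODY))
    print("tampered body accepted:", verify(SECRET, sent_at, sig, BODY + b" "))
```

Run the check against the raw request bytes before any JSON parsing, because re-serialising the body changes the MAC input.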
Data residency
Production data is hosted in the United States on SOC 2 Type II infrastructure. Enterprise customers can request specific data residency options.
Sub-processors
Stripe, Clerk, Convex, Cloudflare, Anthropic, OpenAI, Vercel, and Sentry. We provide a current list on request and notify customers before adding new sub-processors that handle customer data.
Vulnerability disclosure
Report security issues to [email protected]. We acknowledge reports within 1 business day and target a fix within 30 days for high-severity findings. We do not pursue researchers acting in good faith.
Compliance
SOC 2 Type II audit in progress. Penetration tests are conducted annually by an independent third party. GDPR-aligned data handling. HIPAA is not currently supported.
Account deletion
You can delete projects and your entire account from settings at any time. Backups are retained for 30 days post-deletion to support disaster recovery, after which all data is permanently erased.