BLDGDeck

Security

Security & data protection

This page describes the security controls BLDGDeck has enabled today. It is maintained by BLDGDeck and is not a third-party certification.

Access control

  • Every account is protected by a password managed by our authentication provider.
  • Row-Level Security policies enforce per-user isolation on every table that holds customer data — a user can only read and write rows they own or that have been explicitly shared with them.
  • Privileged server operations are performed by a service-role key that is only available inside our server runtime and is never sent to the browser.

Encryption

  • All traffic to BLDGDeck is served over HTTPS/TLS.
  • Data at rest is encrypted by our database and object-storage providers using their managed disk-encryption.

Subprocessors

BLDGDeck runs on a small set of vetted subprocessors. Uploading a document or making a payment involves the following:

  • Supabase (US) — managed Postgres, authentication, and object storage for uploaded documents and Project data.
  • Stripe (US) — payment processing, subscription lifecycle, and the customer billing portal. Card numbers never touch our servers.
  • Lovable AI Gateway — routes prompts to third-party large-language-model providers to power our AI workflows. Only the text needed to answer a specific request is sent.
  • Cloudflare — content delivery and edge runtime for the app itself.

Uploaded documents

  • Documents are stored in a private object-storage bucket, isolated per user.
  • Signed short-lived URLs are used when a document needs to be displayed or downloaded; buckets are not publicly listable.
  • You can delete individual documents at any time. Deleting a Project deletes its associated documents.

Retention & deletion

  • Project data is retained for as long as your account is active. Documents you delete are removed from primary storage; provider-level backups may retain them for a limited period before being purged.
  • You can request deletion of your account and all associated data by emailing hello@bldgdeck.com. We complete these requests within 30 days.

Payments

  • All payments run through Stripe Checkout and Stripe Billing Portal.
  • BLDGDeck does not receive, store, or process card numbers, CVCs, or full card details. We only receive the tokens and identifiers Stripe returns.

Vulnerability reporting

Please report any suspected vulnerability to security@bldgdeck.com. Please do not perform destructive testing against other users' data. We acknowledge reports within 3 business days.

What we do not claim

BLDGDeck is a growing product. We do not claim SOC 2, ISO 27001, HIPAA, or PCI certification at this time. We do not claim end-to-end encryption of document contents. We do not claim independent third-party review of this page. When those claims become accurate, we will update this page and, where relevant, share supporting documentation.