Security

Security Overview

At Fabric, security is not an afterthought. It's built into every layer of our platform. We understand that construction projects involve sensitive financial data, legal documents, and proprietary information. Our security program is designed to protect your data with enterprise-grade controls.

Data Encryption

We use industry-leading encryption standards to protect your data both in transit and at rest.

Encryption in Transit

• All data transmitted between your browser and our servers uses TLS 1.3, the latest and most secure transport layer security protocol.
• We enforce HTTPS across the entire platform with HSTS (HTTP Strict Transport Security) headers.
• API communications use certificate pinning to prevent man-in-the-middle attacks.

Encryption at Rest

• All databases are encrypted using AES-256 encryption.
• File storage (documents, photos, contracts) uses server-side encryption with customer-managed keys.
• Backup data is encrypted with separate encryption keys stored in hardware security modules (HSMs).
• Financial information (bank accounts, payment details) is never stored in our primary database. We store only encrypted tokens from our PCI-compliant payment processor.

Access Controls

We implement strict access controls to ensure only authorized personnel can access sensitive data.

Role-Based Access Control (RBAC)

Every user, team member, and service account is assigned the minimum permissions necessary to perform their function. We implement strict role-based access control with:

• Principle of least privilege
• Segregation of duties for sensitive operations
• Multi-factor authentication (MFA) required for all admin accounts
• Time-limited access tokens (auto-expire after 24 hours)

Employee Access

Fabric employees have zero standing access to customer data. All access must be:

• Requested through a ticket system with business justification
• Approved by a manager
• Granted for a limited time period (maximum 4 hours)
• Logged and audited
• Reviewed quarterly

Infrastructure Security

Our infrastructure is built on enterprise-grade cloud platforms with multiple layers of security controls.

Cloud Infrastructure

Fabric is hosted on enterprise-grade cloud infrastructure (AWS/GCP) with:

• Network Isolation: Virtual Private Cloud (VPC) with private subnets for databases and internal services
• Firewalls: Web Application Firewall (WAF) and network firewall rules limiting access to essential ports only
• DDoS Protection: Cloudflare CDN with automatic DDoS mitigation
• Intrusion Detection: Real-time monitoring for unusual network patterns

Database Security

• Multi-region replication for disaster recovery
• Automated backups every 6 hours, retained for 30 days
• Point-in-time recovery capabilities
• Database activity monitoring with alerts for suspicious queries

Compliance & Certifications

We maintain industry-standard certifications and comply with major data protection regulations.

SOC 2 Type II

Fabric undergoes annual SOC 2 Type II audits by independent third-party auditors. Our SOC 2 report covers:

• Security
• Availability
• Processing Integrity
• Confidentiality
• Privacy

Contact us to request a copy of our latest SOC 2 report.

Payment Card Industry (PCI) Compliance

We partner with PCI-DSS Level 1 compliant payment processors (Stripe, Plaid) to handle all financial transactions. Fabric never directly handles or stores credit card data.

GDPR & CCPA

While Fabric primarily serves U.S.-based contractors, we are compliant with GDPR and CCPA data privacy regulations, providing users with:

• Right to access their data
• Right to delete their data
• Right to data portability
• Right to opt-out of data sale (we do not sell user data)

Monitoring & Incident Response

Our security team monitors the platform 24/7 and has a comprehensive incident response plan in place.

24/7 Security Monitoring

Our security operations center (SOC) monitors for:

• Failed login attempts and suspicious access patterns
• Unusual database queries
• API rate limit violations
• File upload anomalies
• Network intrusion attempts

Incident Response Plan

In the event of a security incident, we have a documented incident response plan that includes:

1. Detection: Automated alerts and manual reporting channels
2. Containment: Immediate isolation of affected systems
3. Investigation: Forensic analysis to determine scope and impact
4. Notification: Affected users notified within 72 hours
5. Remediation: Fix vulnerabilities and restore service
6. Post-Mortem: Document lessons learned and improve processes

Vulnerability Disclosure

We welcome responsible disclosure of security vulnerabilities. If you believe you have found a security issue in Fabric, please:

Bug Bounty Program

We offer a bug bounty program for qualifying security vulnerabilities. Rewards range from $100 to $5,000 depending on severity and impact.

User Security Best Practices

While we implement robust security controls, your security also depends on your practices:

Strong Passwords

• Use passwords with at least 12 characters
• Include uppercase, lowercase, numbers, and symbols
• Never reuse passwords across services
• Consider using a password manager

Enable Two-Factor Authentication (2FA)

We strongly recommend enabling 2FA on your account. This adds an extra layer of security even if your password is compromised.

Verify Email Communications

• Fabric will never ask for your password via email
• All official emails come from @fabric.build domain
• Be cautious of phishing attempts impersonating Fabric

Regular Account Review

• Review active sessions in your account settings
• Revoke access for unused integrations
• Update team member permissions when roles change