How we protect your project
This page is maintained by BuildTrust AI to answer common security and privacy questions about the product. It is not a third-party audit or certification.
All traffic to BuildTrust uses TLS. Project data, contracts, photos, and messages travel over encrypted connections between your device and our infrastructure.
The database enforces row-level security so each user only sees data for projects, properties, and messages they're a member of. Server functions re-validate the caller on every request.
Email + password, Google, and Apple sign-in are supported. Passwords are checked against the Have I Been Pwned breach database, and sessions use short-lived bearer tokens.
Card details are entered directly into Stripe — BuildTrust never sees or stores full card numbers. Escrow funds and milestone releases run through Stripe's PCI-compliant infrastructure.
Admin-level database keys are only used by trusted server-side code paths (webhooks, scheduled jobs). Day-to-day reads and writes go through scoped, per-user credentials.
We send email from an authenticated subdomain with SPF/DKIM. Public AI endpoints are rate-limited by IP, and contract-generation endpoints require proof of project ownership.
Shared responsibility
BuildTrust provides the platform, the per-user access controls, encryption, and abuse mitigations described above. You're responsible for choosing a strong password, only inviting people who should see your project, and reviewing any AI-generated contract or scope before signing or paying.
Contact
- Security issues: security@buildtrustai.com — responsible disclosure and vulnerability reports. We acknowledge within two business days and ask for a reasonable remediation window before public disclosure.
- Product support: support@buildtrustai.com — account, billing, and bug reports.
- Privacy requests: privacy@buildtrustai.com — data access, export, or deletion.