Trueleveler
Product
Engines · 28All engines →
Pre-bid
RFQ Generator Bid Templates Cost Estimating Scope Builder
Bidding
Bid Leveling Bid Score Bid Scope Compliance Doc Compare Doc Chat
Award
Contract Review PM Handoff PO vs Quote Notice BuilderNEW
Project
RFI Drafter Submittal Reviewer Schedule Risk CO Review Pay App Review Daily Log Synthesizer Meetings · VoiceNEW Equipment Scheduler
Closeout
Punch List Drafter Closeout Builder Warranty Compiler As-built Reconciler Bid vs Actual Quote vs Invoice
Trackers · 22All trackers →
Buyout
Procurement Submittals Vendor Database Negotiation Equipment
Cost & billing
Project Budget Change Orders T&M Tickets Lien Waivers
Contracts & compliance
Contracts Bonds Insurance · COIs Permits NoticesNEW
Field & quality
Daily Log QA/QC Safety Punch List RFIs
Coordination
Schedule Tasks Meetings
Insights
✦Project PulseAsk anything · cited answers ▥AnalyticsSignals · margin defended ↻Engine HistoryEvery run · replayable
28 engines · 22 trackers · one project memory. Every output is the next engine's input. See the platform atlas →
Solutions
By workflow
◆Preconstruction & SalesPipeline · bid-to-award · win rates $Finance & AccountingPay apps · COs · WIP · cash forecast ⚑Field & ComplianceDaily logs · punch · COIs · notices ◈Project DeliveryRFIs · submittals · schedule risk
By role
GGeneral ContractorsRun the project, not the spreadsheets SSubcontractorsWin more bids, defend your scope EEstimatorsLevel bids in 47 seconds OOwners & DevelopersSee the project, not the noise CControllers / CFOWIP, cash, and margin in one place BPreconstruction / BDPursue and win the right work
Not sure where you fit? Bring 3 quotes to a 15-minute demo. Book a demo →
Platform Pricing Download
Resources
Help center News Changelog Blog
Tools
Tariff Calculator Incoterms Guide Material Price Tracking Supply Chain
Guides
RFP / RFQ Guide Vendor Management Construction Tech Guide How to Level Bids Construction Insurance Subcontractor Prequalification Contract Types & Clauses Payment & Cash Flow Prevailing Wage / Davis-Bacon Compliance & Regulatory Dispute Prevention Sustainable Procurement Small-Contractor Procurement AI & Digital Transformation
Start free Sign in
Trust · Security

Security-first. from day one.

Last updated: March 13, 2026

Overview

Core commitment: Construction procurement documents contain commercially sensitive bid data, contract terms, and vendor pricing. We designed Trueleveler so that documents you submit only to run an analysis are never written to persistent storage — not to a database, not to a file system, not to a log. They exist only in server memory for the duration of that request. Files you deliberately save to your workspace (the Documents area, Drawings, or engine PDFs you save) are a separate, opt-in path: they are stored in private, organization-scoped object storage, encrypted at rest and protected by row-level access controls, so you can use them again.

This page describes the technical and organisational security measures we have in place across Trueleveler's infrastructure, application layer, and third-party integrations. We update it as our controls evolve.

Data In Transit

All communication between your browser and Trueleveler's servers is encrypted using TLS 1.3. Older TLS versions (1.0, 1.1) and weak cipher suites are disabled. HTTP requests are automatically redirected to HTTPS. Our TLS configuration targets an A+ rating on SSL Labs.

Communication between Trueleveler's serverless functions and third-party APIs (AI provider, Supabase) is also over TLS 1.3 on dedicated HTTPS connections. No document data is transmitted over unencrypted channels at any point.

Data At Rest

Account data, saved analysis sessions, vendor records, and project metadata are stored in Supabase (PostgreSQL), which encrypts all data at rest using AES-256. Database backups are also encrypted.

Supabase enforces Row Level Security (RLS) policies on every table. All queries are scoped to the authenticated user's ID — it is not possible for a query to return another user's data, even with a valid session token.

Documents you submit only to run an analysis are not retained — they are processed entirely in server memory and not written to disk or database. Files you choose to save to your workspace are stored in a shared Supabase Storage bucket under organization-scoped Row Level Security and encrypted at rest; only members of your organization can access them, and you can delete them at any time.

Document Handling

There are two distinct paths, and they are handled differently.

1. One-off analysis is processed in memory only. When you submit a document just to run an analysis, its lifecycle is: receive over TLS → load into RAM → extract text → send to AI API over TLS → discard. No file write operations occur at any point in this pipeline. Specifically, for this path:

  • Documents are not written to Vercel's filesystem (ephemeral or otherwise)
  • Documents are not stored in object storage
  • Document contents are not written to application logs or error traces
  • Document contents are not cached at the CDN or edge layer

2. Files you save to your workspace are stored, by design. When you upload a file to the Documents area, add a drawing set, or save an engine PDF to a project, you are deliberately filing it for later use, so we keep it in private, organization-scoped object storage (Supabase Storage), encrypted at rest and scoped by Row Level Security so only your organization can reach it. You can delete these files at any time, and they are removed when you delete the project or close your account. Retaining document text for cross-document search is a further opt-in, off by default, controlled by an organization owner in Settings.

The only external service that receives document content is an AI processing API, which processes the text under the provider's API data processing terms. Those terms prohibit the provider from using API-submitted content to train models.

After the AI response is returned, the analysis result is either displayed in your browser session or saved to your account (if you choose to save it). Documents submitted only for one-off analysis are not retained.

API Key Management

Trueleveler's AI API key is stored exclusively as a server-side environment variable in Vercel. It is never exposed to the browser, never included in client-side JavaScript, and never logged.

All AI analysis requests from the browser are routed through a server-side proxy function that authenticates the request against Supabase, then forwards it to the AI API using the server-stored key. The raw API key is unreachable from the client under any circumstances.

Supabase credentials used server-side follow the same pattern: environment variables only, never bundled into client code.

Authentication

Authentication is handled by Supabase Auth, which uses industry-standard JWT (JSON Web Token) sessions. Passwords are hashed using bcrypt and never stored in plaintext. We do not have access to your raw password at any time.

Session tokens are short-lived and are validated server-side on every API request. Expired or invalid tokens are rejected with a 401 response — no document processing occurs without a valid authenticated session for paid features.

Single Sign-On (SSO) via Google Workspace and Microsoft 365 is available on Business and Enterprise plans — sign in with your existing corporate identity provider without managing a separate Trueleveler password. SAML SSO (Okta, Azure AD, OneLogin, generic SAML 2.0 identity providers) is available on Enterprise on request. Hardware security key (WebAuthn/FIDO2) authentication is planned for a future release.

Infrastructure

Trueleveler is deployed on Vercel's edge infrastructure, with compute distributed across Vercel's global edge network. Static assets are served from Vercel's CDN. Serverless functions run in isolated V8 isolates with no persistent state between requests.

Our database runs on a managed PostgreSQL service hosted in the United States. Automated backups with point-in-time recovery are maintained by the provider, which holds its own SOC 2 Type II certification. Sub-processor identity and exact region are disclosed in our Data Processing Agreement as required by GDPR Article 28.

Infrastructure dependencies:

  • Edge hosting + serverless — CDN, edge compute, serverless functions
  • Managed PostgreSQL (US) — database, authentication, row-level security
  • AI Processing API — AI analysis processing
  • Stripe — payment processing (PCI-DSS Level 1)
  • Resend — transactional email

SOC 2 Compliance

A formal SOC 2 Type II audit has not yet been engaged. We plan to initiate the audit as we scale, and our controls are already designed to meet SOC 2 requirements. Enterprise customers needing a security questionnaire response or a current controls overview today may contact hello@trueleveler.com.

Our current controls are designed to meet SOC 2 requirements:

  • Access control and least-privilege principles across all systems
  • Encryption at rest and in transit for all data
  • Automated monitoring and alerting for anomalous access patterns
  • Documented incident response procedures
  • Regular dependency audits and vulnerability scanning
  • Formal change management for all production deployments

Sub-processors

The following third-party services process data on Trueleveler's behalf:

  • Google LLC — AI analysis (document text, in transit only; not stored by Google per API terms). USA.
  • Supabase Inc. — database and authentication (account data, session history). USA.
  • Vercel Inc. — hosting and compute infrastructure. USA / global edge.
  • Stripe Inc. — payment processing (billing data only). USA. PCI-DSS Level 1.
  • Resend Inc. — transactional email. USA.

We review sub-processors annually and will update this list when sub-processors change. Material changes are communicated to registered users by email with 30 days' notice.

Incident Response

We maintain a documented incident response plan covering detection, containment, eradication, recovery, and post-incident review. Key commitments:

  • Detection: automated monitoring for anomalous API usage, failed authentication spikes, and provider infrastructure alerts
  • Initial response: within 4 hours of detection for severity 1 incidents
  • User notification: within 72 hours of confirmed breach affecting user data, in compliance with GDPR Article 33
  • Post-incident review: root cause analysis and remediation steps published to affected users

Because documents submitted for one-off analysis are not retained, a database breach would not expose that content — only account metadata (email addresses, analysis result text, and project names). Files you save to your workspace live in object storage protected by encryption at rest and organization-scoped Row Level Security, separate from the application database.

Penetration Testing

A third-party penetration test has not yet been engaged. We plan to commission an annual external penetration test alongside our SOC 2 Type II audit as we scale, covering OWASP Top 10 vulnerabilities, API authentication bypasses, injection attacks, and privilege escalation paths.

In the meantime, we run continuous automated vulnerability scanning via our dependency tooling and CSP violation reporting, and we welcome reports from security researchers under the responsible-disclosure policy below. Enterprise customers may request our current controls overview or security questionnaire response by contacting hello@trueleveler.com.

Responsible Disclosure

We welcome reports from security researchers. If you discover a vulnerability in Trueleveler's application or infrastructure, please report it to security@trueleveler.com.

Our disclosure policy:

  • We will acknowledge receipt within 24 hours
  • We will provide a status update within 5 business days
  • We ask researchers to allow us 90 days to remediate before public disclosure
  • We will credit researchers in our changelog (with permission)
  • We do not pursue legal action against researchers acting in good faith

Please do not access, modify, or exfiltrate user data during testing. Test against your own account only.

Security Contact

For security reports, vulnerability disclosures, enterprise security questionnaires, or to request our penetration test summary or current security questionnaire:

  • Email: security@trueleveler.com
  • PGP key: available on request

For general privacy questions, see our Privacy Policy. For terms of use, see our Terms of Service.

Trueleveler · trueleveler.com · Security · Last updated March 13, 2026

Trueleveler

28 AI engines. 22 unified trackers. One project memory.

Platform

Platform atlas Project Pulse Meetings Trackers Changelog

Engines

Bid Leveling RFI Drafter Submittal Reviewer Schedule Risk Contract Review

For

General Contractors Subcontractors Estimators Owners

Company

About Contact News Beta program Help center
© 2026 Trueleveler · 28 AI engines · 22 trackers · 4 tools · built for construction Terms Privacy Security DPA hello@trueleveler.com