DATA & SECURITY

Your production data is your competitive advantage. We built UnitPace to protect it.

AUTHENTICATION

TOTP-based two-factor authentication via any authenticator app. Optional per-user, enforceable org-wide by admins.

Minimum 10 characters, at least one uppercase letter and one number. Bcrypt-hashed with 12 salt rounds.

8-hour session timeout. Automatic re-authentication required after expiry.

After MFA verification, the device is remembered for 30 days via a signed, httpOnly cookie. New devices always require the code.

Six roles (Admin, PM, Superintendent, Estimator, Foreman, Viewer) with granular permissions. Per-user overrides available.

All data is scoped to your organization. No cross-tenant data access is possible at the query level.

New users join via admin-generated invite links with assigned roles. Links expire after 7 days.

All data stored in Neon Postgres with AES-256 encryption at rest. Backups are encrypted.

All connections use TLS 1.2+. HSTS enforced with a 2-year max-age, including subdomains.

Your data is yours. Always exportable as CSV. We never sell, share, or use your data for training models.

MFA backup codes are individually bcrypt-hashed. Each code is consumed on use.

Application hosted on Vercel with automatic scaling, edge network, and DDoS protection.

Neon Postgres with connection pooling, automated backups, and point-in-time recovery.

Strict-Transport-Security, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, and Permissions-Policy enforced on all responses.

All state-changing API requests validated against origin and referer headers.

Automated weekly vulnerability scanning via GitHub Dependabot.

All authentication events, user changes, job actions, and administrative operations are logged with timestamps and actor identification.

All API inputs validated with schema-level checks before processing. Protection against injection attacks.

If you have security questions or need documentation for your organization's vendor review, send us a message.