BuildGrade is built with security as a first principle, not an afterthought. Here is how we protect your data and your clients' data.
Infrastructure
Hosting
BuildGrade runs on dedicated cloud infrastructure in the United Kingdom. All servers are isolated, access-controlled, and monitored 24/7. We do not use shared hosting environments.
Data in transit
All traffic between your browser and our servers is encrypted using TLS 1.2 or higher. We enforce HTTPS across every endpoint and redirect all HTTP traffic automatically.
Data at rest
All database data is encrypted at rest. Backups are encrypted and stored separately from primary data.
Authentication
Password security
Passwords are never stored in plain text. We use bcrypt with a high work factor to hash all passwords before storage. We do not have access to your password.
Two-factor authentication
Two-factor authentication (2FA) via TOTP is available for all accounts. We recommend enabling 2FA on all Pro and Enterprise accounts.
Session management
Authentication is handled via Auth.js (NextAuth) with signed JWT tokens. Sessions expire after a period of inactivity. We support secure sign-out from all devices.
Access Control
Role-based permissions
Every project uses role-based access control (RBAC) with four roles: Owner, Admin, Member, and Viewer. Each role has a defined set of permissions. Users can only access data they have been explicitly granted access to.
Data isolation
All database queries are scoped to the authenticated user and their project memberships. It is architecturally impossible for a user to read or modify another organisation's data.
Invitation security
Project invitations use single-use, time-limited tokens. Tokens expire after 7 days and are invalidated on acceptance.
Payments
Stripe
All payment processing is handled by Stripe, a PCI-DSS Level 1 certified payment provider. BuildGrade never receives, stores, or transmits your card number, expiry date, or CVC. We store only your Stripe customer ID and subscription status.
AI and data usage
How is my project data used with AI?
When you generate a blueprint or estimate, your project description and structured answers are sent to OpenAI's API to produce the AI output. We do not use your project data to train models. OpenAI's API usage follows their enterprise data handling policy — inputs and outputs are not used for model training by default under the API terms.
Data residency
Your account and project data is stored in the United Kingdom. AI inference calls are routed to OpenAI's API infrastructure per their standard regional configuration.
Compliance
UK GDPR
BuildGrade is operated by GradeSpace Ltd, registered in England and Wales, and is compliant with UK GDPR and the Data Protection Act 2018. See our Privacy Policy for full details of your rights as a data subject.
Right to erasure
You can request deletion of all personal data at any time by emailing privacy@trybuildgrade.com. We will confirm and complete all deletion requests within 30 days.
Responsible disclosure
If you discover a security vulnerability in BuildGrade, please report it responsibly to security@trybuildgrade.com. We will acknowledge your report within 48 hours and work to resolve confirmed issues promptly. We do not pursue legal action against good-faith security researchers.