Your documents are the whole business.
Pay applications, change orders, contracts — the paper we process is financially sensitive by definition. Here is, concretely, how it’s protected.
Encryption
- All traffic is encrypted in transit with TLS.
- Project files are stored in AWS S3, which applies server-side encryption (AES-256) to all stored objects.
- Application data lives in Render's managed PostgreSQL, which encrypts data at rest per Render's platform documentation.
Access control & tenant isolation
- Every firm's data is scoped at the query layer — users only ever see their own firm's projects and documents.
- Role-based permissions (member, firm admin, owner) gate administrative actions.
- Sensitive operations — ownership transfers, role changes, account removals — require step-up re-authentication, not just an active session.
- Sessions use httpOnly cookies with CSRF protection on every state-changing request, plus rate limiting on authentication endpoints.
Auditability
- Administrative and security-relevant actions are recorded in an append-style audit log with built-in integrity verification.
- Legal documents (Terms, Privacy) are versioned with hash-pinned archives — we can prove exactly what text any user agreed to, and when.
AI & your data
- Document understanding runs on Anthropic's Claude models via API.
- Your documents are not used to train AI models — ours or anyone else's. This commitment is written into our Privacy Policy, covering both first- and third-party models.
- AI answers cite their sources: page-level references back to your own documents, so every claim is checkable.
Subprocessors
The services that touch customer data, and why:
| Provider | Purpose |
|---|---|
| Render | Application hosting and managed PostgreSQL database |
| Amazon Web Services (S3) | Encrypted document storage |
| Anthropic | AI document processing (no-training commitment) |
| Google (Analytics) | Public-website usage analytics — consent-based in the EEA/UK/CH; never inside the product |
| Microsoft 365 | Business email and support communications |
A Data Processing Addendum is available on request, and security questions or vulnerability reports are welcome at privacy@ovrsite.ai.