Security & Trust

Your drawings, protected at every layer

Construction drawing sets are sensitive intellectual property. Clash Nexus AI is built so your documents stay private to your team — isolated, encrypted, access-controlled, and monitored from upload through report.

Tenant isolation

Every project, drawing, and finding is scoped to your workspace. API requests are authorized against your workspace on each call, and storage access is verified to belong to your tenant before any file is served — so one customer's drawings are never reachable by another.

Encrypted storage

Drawings are stored in managed object storage with encryption at rest. Private files are never publicly mounted in production — they are reachable only through short-lived signed URLs issued to authorized users.

Signed-URL access

Access to a drawing or report is granted through a time-limited signed URL tied to the requesting user's workspace. Links expire, and paths outside your project are rejected before a URL is ever minted.

Validated uploads

Uploads are checked server-side: PDF-only by file signature (not just file name), per-file size limits, and a strict check that each committed file lands inside your own project folder. Spoofed or out-of-scope files are rejected on arrival.

Locked-down CORS

In production the API accepts requests only from our exact domains — no wildcard preview origins. Credentialed cross-origin requests from unknown sites are refused.

Security headers

Responses carry a hardened header set — HSTS, frame-denial, content-type protection, a strict referrer policy, and a Content-Security-Policy — reducing the surface for clickjacking, MIME sniffing, and injection.

Audit logging

Key actions — uploads, project creation, report exports, and administrative changes — are recorded with the acting user and timestamp, giving a traceable history of who did what.

Least-privilege access

Sensitive operations are permission-gated, administrative surfaces require elevated access, and we avoid shipping user PII to third-party monitoring.

Continuous monitoring

Application errors are captured and monitored in real time so issues are detected and resolved quickly, before they affect your coordination work.

Responsible disclosure

We take security seriously and welcome reports from researchers. If you believe you've found a vulnerability, please contact us so we can investigate and address it promptly. We're continually hardening the platform as we grow.

Contact our team

This page describes controls currently in place and is provided for transparency; it is not a contractual commitment or a substitute for a formal security review.