Trust & Security
Operational posture as of April 25, 2026
Cornerstone Contracts is built for Canadian construction businesses that handle sensitive prequalification data, bid pricing, and surety relationships. This page summarizes how we protect that data, what we have audited, and what we're working toward. For specific compliance questions or security disclosures, see the contact information at the bottom.
Data privacy
We comply with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation. Our complete privacy policy names every category of data we collect and every third-party processor that touches it.
- Right to access & portability: request a complete export of your account data via your account settings (PIPEDA Principle 9).
- Right to erasure: account deletion permanently purges your profile, bid history, and proposal drafts within 30 days. Anonymized aggregates may be retained for product analytics.
- Data residency: primary data stored in Supabase's Canadian region where available; AI inference traffic routes to provider regions documented in the privacy policy.
Named data processors
We name every third-party service that touches user data, with a link to each provider's own posture page where one exists. Current processors:
- Supabase — primary database, authentication, file storage. SOC 2 Type 2 (provider attestation).
- Stripe — billing & subscriptions. PCI DSS Level 1 (provider attestation).
- Anthropic Claude — proposal-draft generation. Zero-retention enterprise terms in effect.
- Google Gemini — secondary AI inference (matching summaries).
- Resend — transactional email delivery.
- Vercel — application hosting + edge network.
- Upstash — rate-limit + cache layer.
- Sentry — error monitoring + performance tracing. Configured to redact PII; no AI prompt or response bodies recorded.
- PostHog — product analytics (loaded only after explicit consent via cookie banner).
- Google Analytics — site analytics (loaded only after explicit consent).
Application security controls
- Transport: TLS 1.3 enforced. HSTS preload-listed (max-age 2 years, includeSubDomains).
- Headers: Content Security Policy with strict source allow-list, X-Frame-Options DENY, X-Content-Type-Options nosniff, Referrer-Policy strict-origin-when-cross-origin, Cross-Origin-Opener-Policy same-origin, Permissions-Policy locks camera / microphone / geolocation / FLoC.
- Authentication: Supabase Auth with bcrypt-hashed passwords; magic-link sign-in supported. Sessions are HTTP-only secure cookies.
- Authorization: Postgres row-level security policies enforce that users can only read/write rows they own. The matcher cron uses a dedicated service-role connection isolated from user-facing APIs.
- Source code: private repository. Branch-protected main with required CI checks (lint, type-check, build, unit tests, accessibility tests) before merge.
- Dependencies: automated security advisory monitoring; high-severity advisories patched within 7 days, criticals within 48 hours.
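As an added example (not code from Cornerstone Contracts), a small Python checker that tests a captured set of response headers against the transport and header controls listed above, so a reviewer can confirm a deployment matches the stated posture. The sample header sets, the 2-year threshold and the use of interest-cohort as the FLoC directive are assumptions made here.

```python
import re
# HSTS max-age the page commits to: 2 years, in seconds (constructed threshold).
HSTS_MIN_MAX_AGE = 2 * 365 * 24 * 3600

def check_security_headers(headers):
    """Return one finding string per listed control that is missing or weak ([] = all pass)."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    hsts = h.get("strict-transport-security", "")
    m = re.search(r"max-age=(\d+)", hsts)
    if not m or int(m.group(1)) < HSTS_MIN_MAX_AGE:
        findings.append("HSTS max-age missing or below 2 years")
    for token in ("includesubdomains", "preload"):
        if token not in hsts.lower():
            findings.append(f"HSTS missing {token}")
    csp = h.get("content-security-policy", "")
    if not csp:
        findings.append("CSP missing")
    else:
        # "name v1 v2; name v1" -> {name: [values]}; script-src falls back to default-src.
        directives = {p[0]: p[1:] for p in (d.split() for d in csp.split(";")) if p}
        script_src = directives.get("script-src", directives.get("default-src", []))
        if "*" in script_src or "'unsafe-inline'" in script_src:
            findings.append("CSP script-src is not a strict allow-list")
    for name, want in (("x-frame-options", "deny"), ("x-content-type-options", "nosniff"),
                       ("referrer-policy", "strict-origin-when-cross-origin"),
                       ("cross-origin-opener-policy", "same-origin")):
        if h.get(name, "").strip().lower() != want:
            findings.append(f"{name} should be {want}")
    pp = h.get("permissions-policy", "")
    for feature in ("camera", "microphone", "geolocation", "interest-cohort"):  # interest-cohort = FLoC
        if not re.search(rf"\b{feature}=\(\)", pp):
            findings.append(f"Permissions-Policy does not lock {feature}")
    return findings

# Constructed sample response headers: SAMPLE_OK meets every control, SAMPLE_WEAK does not.
SAMPLE_OK = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://js.stripe.com; object-src 'none'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Cross-Origin-Opener-Policy": "same-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=(), interest-cohort=()",
}
SAMPLE_WEAK = dict(SAMPLE_OK, **{
    "Strict-Transport-Security": "max-age=31536000", "X-Frame-Options": "SAMEORIGIN",
    "Content-Security-Policy": "default-src *; script-src * 'unsafe-inline'",
})
```

Run it against the headers returned by a real deployment (for example, those captured from a browser's network panel) to see which of the listed controls are actually in effect.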
Monitoring & incident response
- Error monitoring: Sentry with AI instrumentation on every model call, source-map upload on every deploy, and alerting on regression spikes.
- Cron monitoring: every scheduled task (matcher, scrape, welcome sequence, cleanup) emits structured run telemetry to Sentry; failed runs page on-call.
- Vulnerability disclosure: see /.well-known/security.txt (RFC 9116). We acknowledge receipt within 5 business days and provide a substantive response within 15.
- Material incident notification: we will notify affected customers via email within 72 hours of confirming a material data incident.
Service availability
Service-level commitments by plan, governed by our terms of service.
- Free: best-effort. No SLA.
- Pro: 99.5% monthly uptime. Service credits available per terms.
- Enterprise: 99.9% monthly uptime. Service credits available per terms.
Compliance roadmap
We document what is true today, not what we aspire to. Items below are work in progress and will be moved into the sections above with attestation links once complete:
- SOC 2 Type 2 audit — scoping in progress; we do not currently hold our own SOC 2 attestation.
- Public sub-processor change log — under construction; for now changes are reflected in the privacy policy "last updated" date.
- Pen-test summary report — annual third-party penetration testing planned for 2026 H2.
Contact
- Security disclosures: security@cornerstonecontracts.com
- Privacy / data subject requests: privacy@cornerstonecontracts.com
- Enterprise compliance questionnaires: trust@cornerstonecontracts.com