Roofing data is sensitive — homeowner PII, contract values, payment info. Here's how we protect it. If you have a question we don't answer below, email security@roof10x.com.
SOC 2 Type II report available under MNDA — request via security@roof10x.com.
TLS 1.3 in transit. AES-256 at rest. Customer data is encrypted using customer-scoped keys; no shared encryption pool.
SSO via Google, Microsoft, and Okta. Role-based permissions on every record. Mandatory MFA for admin roles. Just-in-time access for the engineering team — no standing prod access.
Hosted on AWS (us-east-1, us-west-2, eu-west-1). Multi-AZ failover. 99.95% uptime SLA on the production tier. Quarterly DR drills.
Every read and write is audit-logged for 13 months. Customer-visible audit trail in the workspace. Anomaly detection on access patterns.
We never sell or share customer data. Homeowner PII is segregated in tenant-scoped stores. Customer-controlled deletion within 30 days of a written request.
24/7 on-call security rotation. Public status page at status.roof10x.com. Customers are notified within 24 hours of any confirmed incident; for non-confirmed events, within 72.
Updates to this list are emailed to security contacts on file 30 days before they go live.
We respond to all reports within one business day. Coordinated disclosure encouraged. We don’t pay bounties yet, but we name researchers in the public hall of fame and send a real invoice you can charge to your time.