Security & Trust
Built for construction-grade accountability.
Federal-adjacent customers are in our pipeline from day one, so the architecture is designed for CMMC L1 self-attestation at launch and to be L2-ready from the start. SOC 2 Type 2 follows in Phase 2/3.
- Cognito user pool authentication
- JWT-based access with short expiry
- Role-based + project + account-scoped permissions
- Multi-tenant isolation at every query via RLS
- OAuth 2.1 authorization server (AS) in front of Cognito for MCP clients
- Data encrypted at rest (AWS RDS encryption)
- TLS 1.2+ in transit
- S3 bucket objects encrypted (SSE-S3)
- Audit log — immutable, who did what when
- No PHI or financial account credentials stored
- AWS (us-west-2) — VPC, private subnets for RDS
- CloudFront + OAC (no public S3)
- SQS dead-letter queues for job durability
- CloudWatch metrics + alarms
- Least-privilege IAM roles
- CMMC Level 1 self-attest at launch
- L2-ready architecture from day one
- SOC 2 Type 2 on Phase 2 / Phase 3 roadmap
- GDPR-aware data handling (see Privacy Policy)
- Data retention engine with configurable per-entity rules
Federal-adjacent ready.
Construction firms working on government projects — defense facilities, federal infrastructure, federally-funded public works — face CMMC requirements for CUI handling. Taqql's architecture was designed with this in mind from the first data model decision.
- CMMC L1 self-attestation at launch (17 practices covered)
- L2-ready architecture: controls, audit log, access policy stack in place
- System Security Plan (SSP) maintained internally; available on request under NDA
- Incident Response Plan (IRP) and BCP/DRP in place
Data handling
What we collect and why.
Geo-location
Stamped on field entries (timesheets, expenses, receiving, safety) for audit and compliance. Not used for continuous tracking. Stored per-entry, never streamed.
Voice / audio
Used for time entry and Q commands. Transcribed in-session; raw audio is not persisted after the transaction is confirmed. Transcripts are stored as part of the entry record.
Photos / documents
Attached to expenses, receipts, daily reports, receiving records, and safety incidents. Stored in S3, accessible only to authorized users in your org. Thumbnails generated server-side; originals retained per your retention policy.
AI processing
Material requests, invoice OCR, voice transcription, and Q responses use Amazon Bedrock. Your data is processed in-session; it is not used to train Bedrock foundation models. See our Subprocessors page.
Common questions
Security FAQ
Where is data stored?
AWS us-west-2 (Oregon). Database on RDS PostgreSQL in private subnets with no public endpoint. File storage in S3 with CloudFront-only access.
Who can access my organization's data?
Only users you add to your org, with the roles you assign. Platform staff may access for support only with a logged reason. Row-level security enforces org isolation at the database layer — misconfigured application code cannot return another tenant's data.
Does Taqql store payroll or banking credentials?
No. Payroll integrates via ADP's API with OAuth tokens scoped to export-only. Banking credentials are never stored — payment flows go through your accounting system (Digits).
What AI models process my data?
Amazon Bedrock (Claude model family) for on-platform AI features. Your data is not used to train foundation models. See our Subprocessors page for details.
How is voice data handled?
Voice recordings are transcribed on-device where possible or via a short-lived in-memory processing pipeline. Transcripts are stored; raw audio is not retained after confirmation.
Does the mobile app require internet to function?
No. All field-capture flows work offline. Data is stored locally on the device and synced when connectivity returns, with per-entity conflict resolution rules.
Questions about our security posture?
Reach out at security@taqql.io or request a call when you join the Beta waitlist.