Security and Privacy at Oversite
Construction and engineering data is sensitive: project financials, inspection records, contractual obligations. Protecting that data isn't just a feature; it's a responsibility we take seriously every day.
Governance
Oversite’s security program is built on clear policies, proactive monitoring, and continuous improvement. We design our controls around a set of foundational principles:
Principle 01 — Least Privilege
Access is limited to individuals with a legitimate business need and granted based on the principle of least privilege. Every user, service, and integration operates with the minimum permissions required.
Principle 02 — Defense in Depth
Security controls are implemented in layers so that the failure or bypass of any single control does not compromise the system. From network segmentation to application-level protections, each layer is backed by another.
Principle 03 — Consistency
Controls are applied uniformly across all areas of the platform — production infrastructure, internal tools, and third-party integrations.
Principle 04 — Continuous Improvement
Our security posture is iterative. We continuously improve the effectiveness and auditability of our controls while reducing the friction they impose, using automated monitoring, regular reviews, and feedback loops.
Compliance & Certifications
SOC 2 Type II
Oversite is pursuing SOC 2 Type II attestation, with a target completion in Q2 2026. This audit covers the security, availability, and confidentiality trust service criteria across our entire platform and infrastructure.
Ongoing Compliance Program
Oversite evaluates compliance requirements continuously based on our client base — public agencies, DOTs, and engineering firms — and evolves our program accordingly. We are actively evaluating additional frameworks including ISO 27001 to meet the needs of our expanding client base.
Data Protection
Data at Rest
All customer data is encrypted at rest using AES-256 encryption. Our DigitalOcean managed PostgreSQL databases and all associated storage volumes enforce encryption by default. Sensitive fields receive additional application-level encryption before reaching the database.
Data in Transit
All data transmitted between clients and Oversite is encrypted using TLS 1.2 or higher. We enforce HTTPS across all endpoints and send HTTP Strict Transport Security (HSTS) headers so that browsers refuse to fall back to plain HTTP, closing the protocol-downgrade (SSL-stripping) path.
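As an added illustration of the two controls in this section (example code written for this page, not Oversite's own implementation): a Go server TLS configuration that refuses anything below TLS 1.2, middleware that sets the HSTS header, and a checker that evaluates a received Strict-Transport-Security value the way a vendor-questionnaire reviewer would. The one-year minimum max-age and the includeSubDomains requirement are assumptions matching what browser preload lists expect, not a statement of Oversite's actual settings; the listen address and certificate paths are placeholders.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net/http"
	"strconv"
	"strings"
)

// MinHSTSMaxAge is one year in seconds, the value browser preload lists expect (assumed policy).
const MinHSTSMaxAge = 31536000

// HardenedTLSConfig returns a server TLS configuration that rejects TLS 1.0/1.1
// at the handshake, so a version downgrade cannot succeed.
func HardenedTLSConfig() *tls.Config {
	return &tls.Config{
		MinVersion:       tls.VersionTLS12,
		CurvePreferences: []tls.CurveID{tls.X25519, tls.CurveP256},
	}
}

// HSTS wraps a handler so every response carries Strict-Transport-Security.
// After the first HTTPS visit the browser upgrades http:// links on its own.
func HSTS(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Strict-Transport-Security",
			fmt.Sprintf("max-age=%d; includeSubDomains", MinHSTSMaxAge))
		next.ServeHTTP(w, r)
	})
}

// CheckHSTS parses a Strict-Transport-Security value and returns the problems
// found: missing header, missing or weak max-age, subdomains not covered.
// An empty result means the header passes.
func CheckHSTS(value string) []string {
	if strings.TrimSpace(value) == "" {
		return []string{"header missing"}
	}
	var problems []string
	maxAge := -1
	includeSub := false
	for _, d := range strings.Split(value, ";") {
		d = strings.TrimSpace(d)
		lower := strings.ToLower(d)
		switch {
		case strings.HasPrefix(lower, "max-age="):
			n, err := strconv.Atoi(strings.TrimSpace(d[len("max-age="):]))
			if err != nil || n < 0 {
				problems = append(problems, "max-age is not a non-negative integer")
				continue
			}
			maxAge = n
		case lower == "includesubdomains":
			includeSub = true
		}
	}
	switch {
	case maxAge < 0:
		problems = append(problems, "max-age directive missing")
	case maxAge == 0:
		problems = append(problems, "max-age=0 disables HSTS")
	case maxAge < MinHSTSMaxAge:
		problems = append(problems, fmt.Sprintf("max-age %d is below one year (%d)", maxAge, MinHSTSMaxAge))
	}
	if !includeSub {
		problems = append(problems, "includeSubDomains missing; subdomains can still be downgraded")
	}
	return problems
}

func main() {
	// Constructed header values standing in for what a scanner would observe.
	for _, v := range []string{"", "max-age=0", "max-age=300", "max-age=31536000; includeSubDomains"} {
		fmt.Printf("%-40q -> %v\n", v, CheckHSTS(v))
	}
	mux := http.NewServeMux()
	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) { fmt.Fprintln(w, "ok") })
	srv := &http.Server{Addr: ":8443", Handler: HSTS(mux), TLSConfig: HardenedTLSConfig()}
	_ = srv // srv.ListenAndServeTLS("cert.pem", "key.pem") would start the hardened listener
}
```

Note that HSTS only takes effect after a client has completed one successful HTTPS visit; the TLS minimum version is what protects the very first connection, which is why both controls are needed together.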
Secret Management
Application secrets, API keys, and credentials are stored securely using environment-level secret management with strict access controls. Secrets are never committed to source code, and access is limited to production systems that require them.
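As an added example of the application-level field encryption described under Data at Rest together with the environment-sourced key handling described here (example code written for this page, not Oversite's implementation): provider-managed disk encryption protects the storage media, while an application-level layer is what keeps a sensitive column unreadable to anything that reaches the database through other means. The example uses AES-256-GCM with the table, column and row identifier bound in as associated data, so a ciphertext copied into another row fails to decrypt. The environment variable name FIELD_ENCRYPTION_KEY, the stored format and the v1: version prefix are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"os"
	"strings"
)

// Assumed storage layout: "v1:" + base64(nonce || ciphertext || tag).
// The version prefix lets a future key or algorithm rotation be recognised on read.
const fieldPrefix = "v1:"

// LoadKeyFromEnv reads a base64-encoded 256-bit key from the named environment
// variable (hypothetical name; the page only says secrets live in environment-level
// secret management) and refuses anything that does not decode to exactly 32 bytes.
func LoadKeyFromEnv(name string) ([]byte, error) {
	raw := os.Getenv(name)
	if raw == "" {
		return nil, fmt.Errorf("%s is not set", name)
	}
	key, err := base64.StdEncoding.DecodeString(raw)
	if err != nil {
		return nil, fmt.Errorf("%s is not valid base64: %w", name, err)
	}
	if len(key) != 32 {
		return nil, fmt.Errorf("%s must decode to 32 bytes (AES-256), got %d", name, len(key))
	}
	return key, nil
}

// EncryptField seals one sensitive value with AES-256-GCM under a fresh random nonce.
// aad binds the ciphertext to its location, e.g. "vendors.bank_account:42".
func EncryptField(key []byte, plaintext, aad string) (string, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := aead.Seal(nonce, nonce, []byte(plaintext), []byte(aad))
	return fieldPrefix + base64.StdEncoding.EncodeToString(sealed), nil
}

// DecryptField reverses EncryptField and fails closed on tampering, a wrong key,
// or a mismatched aad (the value was moved to a different row or column).
func DecryptField(key []byte, stored, aad string) (string, error) {
	if !strings.HasPrefix(stored, fieldPrefix) {
		return "", errors.New("unrecognised ciphertext version")
	}
	sealed, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(stored, fieldPrefix))
	if err != nil {
		return "", err
	}
	aead, err := newAEAD(key)
	if err != nil {
		return "", err
	}
	ns := aead.NonceSize()
	if len(sealed) < ns+aead.Overhead() {
		return "", errors.New("ciphertext too short")
	}
	plain, err := aead.Open(nil, sealed[:ns], sealed[ns:], []byte(aad))
	if err != nil {
		return "", errors.New("decryption failed: tampered, wrong key, or wrong context")
	}
	return string(plain), nil
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	// Constructed demo key; a real deployment injects it from the secret store, never from source.
	os.Setenv("FIELD_ENCRYPTION_KEY", base64.StdEncoding.EncodeToString([]byte("0123456789abcdef0123456789abcdef")))
	key, err := LoadKeyFromEnv("FIELD_ENCRYPTION_KEY")
	if err != nil {
		panic(err)
	}
	ct, _ := EncryptField(key, "ACCT-1234-5678", "vendors.bank_account:42")
	fmt.Println("stored:", ct)
	pt, _ := DecryptField(key, ct, "vendors.bank_account:42")
	fmt.Println("restored:", pt)
	_, err = DecryptField(key, ct, "vendors.bank_account:43")
	fmt.Println("moved to another row:", err)
}
```

The key never appears in the stored value or in source; only the process that was handed the environment variable can open the field, which is the access boundary the section above describes.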
Backups & Recovery
Oversite maintains automated daily backups of all customer data with point-in-time recovery capabilities. Backups are encrypted and stored in geographically separate locations from our primary infrastructure.
Product Security
Secure Development Lifecycle
Security is integrated into every phase of our SDLC. Code changes go through mandatory peer review, automated testing, and security analysis before reaching production. We use GitLab CI/CD pipelines with built-in security gates.
Automated Security Reviews
After significant code changes, Oversite runs automated security reviews that scan for vulnerabilities, misconfigurations, and security regressions. These reviews are part of our continuous integration pipeline and block deployments that don’t meet our security standards.
Vulnerability Management
We maintain a structured vulnerability management program that includes static application security testing (SAST) during code review, dependency scanning to identify known vulnerabilities in third-party libraries, and automated monitoring for newly disclosed CVEs affecting our technology stack.
Penetration Testing
Oversite engages independent security professionals to conduct penetration testing against our application and infrastructure. Results are remediated on a risk-prioritized basis, and summary findings are available to customers upon request.
Infrastructure Security
Cloud Infrastructure
Oversite is hosted on DigitalOcean, a SOC 2 Type II and ISO 27001 certified cloud provider. Our infrastructure is deployed in US-based data centers with built-in redundancy, network isolation, and managed firewall rules.
Network Security
Our production environment uses Virtual Private Cloud (VPC) networking with strict ingress and egress controls. Internal services communicate over private networks, and public-facing endpoints are protected by managed load balancers and firewalls. Application instances reach the database through a PgBouncer connection pool rather than holding direct, long-lived connections, which bounds the number of open database sessions and keeps database access on a single controlled path.
Monitoring & Incident Response
Oversite maintains real-time monitoring of application performance, error rates, and security events. Our incident response process includes defined severity levels, escalation paths, and post-incident review procedures to continuously strengthen our defenses.
Enterprise Security
Endpoint Protection
All team devices are centrally managed with mobile device management (MDM) software that enforces disk encryption, screen lock policies, automatic OS updates, and malware protection.
Identity & Access Management
Oversite enforces single sign-on (SSO) and multi-factor authentication (MFA) for all internal systems. Access to tools and production infrastructure is role-based and follows the principle of least privilege. Access is automatically revoked upon role changes or offboarding.
Vendor Security
Third-party tools and services are evaluated for security posture before adoption and reviewed periodically. We assess each vendor’s access to customer data, integration with production systems, and compliance certifications before granting approval.
Security Awareness
All team members receive security training during onboarding and on a recurring basis. Training covers phishing awareness, secure coding practices, data handling procedures, and incident reporting.
Data Privacy
At Oversite, data privacy is a first-class priority. We are stewards of sensitive construction data — project financials, inspection records, personnel information — and treat that responsibility with the care it demands.
Data Ownership
Your data belongs to you. Oversite processes customer data solely to provide and improve our services. We do not sell, share, or monetize customer data under any circumstances.
Data Residency
All customer data is stored in US-based data centers. Customers requiring specific data residency arrangements can contact us to discuss options.
Regulatory Compliance
Oversite monitors regulatory developments relevant to our client base — including state and federal data protection requirements affecting public agencies and construction firms — and adapts our program accordingly.
Privacy Policy & Data Processing
View Oversite’s Privacy Policy at addoversite.com/privacy. For data processing questions or to request a Data Processing Agreement (DPA), contact security@addoversite.com.
Have Security Questions?
We welcome questions about our security program. Whether you’re filling out a vendor security questionnaire or evaluating Oversite for your organization, we’re here to help.
Email: security@addoversite.com
For general inquiries or to schedule a demo, visit addoversite.com/contact.
