Overview
At Siteline, we know that trust is earned, and security is central to that trust. This document provides a clear overview of how we secure customer data, maintain platform reliability, and support enterprise-readiness through transparent and well-structured practices. It reflects the standards we hold in serving construction accounting teams across the industry.
Hosting and Infrastructure
Siteline is built on secure, modern cloud infrastructure. We rely on Google Cloud Platform (GCP) to ensure our architecture is resilient, scalable, and protected by one of the world’s most trusted cloud providers. All customer data is encrypted—both at rest and in transit—and every component of our stack runs in secure, monitored environments.
Hosted on Google Cloud Platform using Cloud Run and Cloud SQL
Data encrypted in transit (HTTPS/TLS) and at rest using Google’s default encryption
Authentication powered by Firebase Auth
Siteline doesn’t store passwords in our systems. Authentication is handled through Google Cloud Identity, a secure and trusted identity management platform.
Access & Permissions
We protect your data by ensuring only the right people have access to it. From your team to ours, Siteline enforces strict access control policies. Authentication is handled by Firebase with secure session tokens. Role-based access ensures that only authorized users can view or modify data. Internally, we enforce 2FA and follow least-privilege principles.
SSO support available (e.g., Microsoft Azure/AD)
Company-wide MFA is available and configurable by admins
Granular role-based permissions for all users
2FA is required for Siteline employees, and database access is limited to a small group of engineers
Backups and Data Retention
Your billing data is critical. We treat it like it is. We take frequent, encrypted backups to ensure you never lose essential financial records. In addition to daily snapshots, we back up before every deployment and retain PDFs permanently. Even in the event of an error or outage, we can restore data quickly.
Daily encrypted backups since 2021
Deployment-triggered backups to prevent data loss
No automatic deletion of final pay app PDFs
Daily backups enable data recovery in the event of a system failure, but they’re not intended for restoring individual user-deleted content.
Integrations and Third Parties
Siteline integrates with your systems securely and stays in its lane. We connect to ERPs and GC portals through secure HTTPS protocols. Integration permissions are scoped and controlled entirely by the customer. Credentials are encrypted, and Siteline only reads or writes billing-related data, never altering project settings or pushing changes upstream.
Encrypted credentials are stored using a key managed securely within our integration service
No modification of permissions or third-party settings
ERP access is handled through Agave (SOC 2-certified), with some legacy support via hh2. GC portal connections use secure HTTPS APIs.
Siteline exports billing-related documents only when triggered by a user, never automatically or without customer control. We do not have full write access to your systems.
Analytics and Error Reporting
We track what matters and protect what’s private. To improve the product and troubleshoot errors, we send limited event data to trusted analytics and debugging tools. We never share sensitive customer data or financials—only scoped metadata like user IDs and basic click/error activity.
Sentry for error tracking
Segment and Mixpanel for behavioral analytics
Only anonymized or minimal metadata is shared; sensitive data stays within Siteline
Security Incidents and Incident Response
We’ve built strong safeguards to stay ahead of threats and respond quickly when issues arise. Siteline has maintained a strong security record since its launch. In rare instances where a third-party provider experienced a breach (e.g., CircleCI, Codecov), we responded immediately by rotating credentials, reviewing systems, and evaluating any potential exposure. While we’re not aware of any unauthorized access, we treat these events seriously and act with caution.
No confirmed unauthorized access to Siteline systems or customer data
Credential rotation and system reviews following third-party security events
Clear internal ownership and communication protocols for rapid response
Responsible Use of AI
We only use AI where it makes sense and always with control and transparency. Siteline uses AI selectively to streamline specific workflows, like lien waiver validation, powered by Google Gemini. The feature is off by default and does not train on customer data. Any future AI capabilities will follow the same principles: security, transparency, and customer control.
AI-powered lien waiver validation is available (optional and off by default)
Currently powered by Google Gemini, part of Google Cloud. Gemini does not train on customer data when used via paid services.
Certifications and Compliance
We prioritize practical, reliable security and rely on trusted infrastructure and certified partners to support it. We’ve built Siteline’s infrastructure, data practices, and access controls on a solid foundation. We host our platform on Google Cloud, which adheres to major global compliance standards, and we work with SOC 2-certified partners, like Agave, to ensure secure ERP integrations.
Secure infrastructure backed by Google Cloud’s compliance standards
Agave (ERP integration partner) is SOC 2-certified
Encryption, access control, and authentication are aligned with modern security expectations
Data Retention and Deletion
We retain critical financial and project data to support auditability, continuity, and peace of mind. Customer data is stored securely and backed up daily in Google Cloud. We use soft-deletion within our application, meaning most deleted records are preserved in the database unless otherwise specified. We retain key documents, like signed pay applications and attachments, indefinitely.
Daily and pre-deployment backups of customer data stored in Google Cloud SQL, dating back to 2021
Soft-deletion model: most records are marked as deleted but remain in the database
Exceptions to soft-deletion exist in limited cases for technical reasons
Final documents (e.g., signed pay apps) stored in Google Cloud Storage are never deleted
Monitoring and Operational Reliability
Siteline is built for reliability, and we constantly monitor our systems to keep it that way. We’ve invested in tools and processes that help us detect and respond to issues in real time. Our infrastructure is backed by high-availability guarantees from providers like Google Cloud and Cloudflare, and we’re set up to escalate and resolve problems quickly, often before they impact customers.
Uptime checks every minute across all public-facing services (web app, API, integrations)
Real-time alerts and a structured escalation process ensure engineering is looped in immediately—whether through automated monitoring or customer reports
Continuous error tracking across the entire stack, with engineering prioritizing urgent issues
Underlying platforms offer strong SLAs, including:
Google Cloud SLA (Cloud Run, SQL, Storage, etc.)
Cloudflare Pages SLA – 100% uptime