Trust & Security
C&I solar projects involve confidential financial data, proprietary site information, and competitive bidder material. We take that seriously — and we publish what we do, what we don't yet do, and what we're actively working on.
Last updated: 2026-05-01 · Posture review: quarterly.
Encryption at rest
AES-256
Postgres + S3 layers
Encryption in transit
TLS 1.3
All API + UI
Multi-tenant isolation
Row-level
Org scoping enforced
Retention default
7 years
Configurable per org
Every database query that reads or writes customer data carries an explicit org-scope check. Our internal audit (per our published security checklist) verifies that no API endpoint can return data belonging to another organization. The same isolation applies at the file-storage layer.
All data is encrypted at rest using AES-256 (Postgres TDE for structured data; S3 server-side encryption for documents). All API and UI traffic uses TLS 1.3. Credentials are never stored in plain text and never logged.
Customer-supplied text that flows into AI generation (proposal narratives, etc.) is wrapped in explicit fence markers with system-prompt directives that the content is data, not instructions. Output is validated for forbidden tokens. We follow the OWASP LLM Top 10 — see coverage table below.
All file uploads (dataroom documents, design site PDFs, equipment cut sheets) pass through shared middleware that validates content-type, sniffs magic bytes, sanitizes filenames, and enforces size caps. Uploads that don't match their claimed type are rejected.
Stripe webhook handlers verify signatures on every request. Only the publishable key is in any client-bundled code. The webhook secret is server-side only, rotated quarterly.
We run dependency vulnerability audits (npm audit) on every release. Critical and high CVEs are fixed before deployment; medium and low are tracked with public remediation timelines.
Our coverage of the OWASP-published top vulnerabilities for AI-augmented applications.
| ID | Vulnerability | Status |
|---|---|---|
| LLM01 | Prompt Injection | ✓ Mitigated — fenced inputs, output validation |
| LLM02 | Insecure Output Handling | ✓ Mitigated — model output never executed; HTML-escaped |
| LLM03 | Training Data Poisoning | N/A — we use providers' models; no custom training |
| LLM04 | Model Denial of Service | ✓ Mitigated — token caps + rate limiting |
| LLM05 | Supply Chain Vulnerabilities | ✓ Mitigated — quarterly npm audit; CVE remediation |
| LLM06 | Sensitive Information Disclosure | ✓ Mitigated — org scoping + error redaction + log scrubbing |
| LLM07 | Insecure Plugin Design | N/A v1 — no plugin model yet |
| LLM08 | Excessive Agency | ✓ Mitigated — model output never auto-executes; human-in-loop on submissions |
| LLM09 | Overreliance | ✓ Mitigated — every AI output is reviewable + editable before delivery |
| LLM10 | Model Theft | N/A — we are a model consumer, not provider |
Honest list. We'd rather tell you up front than have you find out in due diligence.
SOC 2 Type II
Not yet certified. Triggered by a paying enterprise customer requiring it (typically B3 financiers). Estimated 4-6 months from kickoff to attestation. We're prepared — controls are documented, evidence is collected.
HIPAA
Not applicable to commercial solar workflow. Not on roadmap unless a healthcare-adjacent use case emerges.
Penetration testing — third-party
Internal security audit completed Q2 2026. External pen test scheduled when our first paying enterprise customer requires it (typically packaged with SOC 2).
Data residency in EU / outside US
Currently US-only (AWS us-east + us-west). EU residency available on request for enterprise contracts; GDPR-compliant DPA included.
We respond to security questionnaires within 5 business days. We can also share our security audit report under NDA on request.
Vulnerability disclosures: we acknowledge within 24 hours. Coordinated disclosure preferred. We don't currently run a paid bug bounty.