Estimatics

Security Overview

Effective Date: 2026-01-01Version: 1.3Last Updated: March 1, 2026

Security Overview

Effective Date: January 1, 2026 Version: 1.3 Last Updated: March 1, 2026

Estimatics maintains a comprehensive security program designed to protect the confidentiality, integrity, and availability of customer data. This document summarizes the key technical and organizational controls in place.

1. Infrastructure Security

1.1 Cloud Provider

The Estimatics Platform is hosted on Amazon Web Services (AWS) in the US East (Northern Virginia) region. AWS maintains SOC 2 Type II, ISO 27001, and PCI DSS certifications.

1.2 Architecture

The Platform uses a multi-layered cloud architecture:

ComponentTechnology
ComputeEC2 Auto Scaling Groups (minimum 2 instances)
Load BalancingApplication Load Balancer (ALB)
DatabaseAurora PostgreSQL 17.4 (managed RDS)
File StorageEFS (shared), S3 (media and assets)
Cache / QueuingElastiCache Valkey (Redis-compatible), SQS
CDNCloudFront
MonitoringCloudWatch, automated alerting

1.3 Network Security

  • All traffic is routed through the ALB with TLS 1.2+ termination
  • Security Groups enforce least-privilege network access between components
  • Database and cache tiers are not publicly accessible
  • VPC isolation separates production, UAT, and development environments

2. Data Security

2.1 Encryption at Rest

All customer data — photographs, videos, job records, reports — is stored with AES-256 encryption at the storage layer. Database volumes and S3 buckets are encrypted using AWS KMS-managed keys.

2.2 Encryption in Transit

All data transmitted between clients and the Platform uses TLS 1.2 or higher. Internal service-to-service communication within the Platform is encrypted. Redis/Valkey connections use TLS (rediss:// scheme).

2.3 Media Storage

Customer photographs and videos are stored in private S3 buckets. Access is controlled via short-lived pre-signed URLs. Direct public access to media is not permitted.

2.4 Database Security

Aurora PostgreSQL databases are deployed in private subnets with no public endpoint. Access requires authentication through the application layer. Automated backups are retained for 7 days with point-in-time recovery capability.

3. Application Security

3.1 Authentication

  • JWT-based authentication with short token lifetimes
  • Secure password storage using bcrypt hashing
  • Session isolation between users and organizations
  • Multi-device session management with explicit logout support

3.2 Authorization

  • Role-based access control (RBAC) with five defined roles
  • Organization-level data isolation — users cannot access data outside their organization
  • Middleware-enforced authorization on all API endpoints
  • Super Admin role provides cross-organization access for platform administration only

3.3 API Security

  • All API endpoints require authentication
  • Input validation and sanitization on all user-submitted data
  • Rate limiting on public and authenticated endpoints
  • CORS policy restricts cross-origin requests

3.4 iOS App Security

  • Certificate pinning on API communications
  • No plaintext storage of credentials on device
  • Keychain storage for authentication tokens
  • Camera, microphone, and location permissions governed by iOS permission system

4. Operational Security

4.1 Access Controls

  • Production systems are accessible only via AWS SSM Session Manager (no direct SSH)
  • IAM roles follow least-privilege principles
  • Multi-factor authentication required for all administrative accounts
  • Access reviews conducted quarterly

4.2 Deployment Security

  • All deployments follow a defined SOP with integrity verification
  • Code changes require review before deployment
  • Deployment artifacts are integrity-checked prior to release
  • Previous releases are retained for rapid rollback

4.3 Monitoring and Alerting

  • Continuous monitoring of system health, error rates, and security events
  • Automated alerting for anomalous activity
  • Log aggregation and retention for security investigations

5. Incident Response

Estimatics maintains an incident response plan that includes:

  • Defined escalation paths for security incidents
  • 72-hour notification commitment for confirmed data breaches affecting customer data, in accordance with applicable regulations
  • Post-incident review process

To report a security concern: security@aiestimatics.com

6. Responsible Disclosure

We welcome security researchers who identify vulnerabilities in the Platform. Please report findings responsibly to security@aiestimatics.com. We commit to acknowledging reports within 5 business days and to working collaboratively toward resolution.

Contact

security@aiestimatics.com

Questions about this document? legal@aiestimatics.com