Data Privacy

Security & Compliance

Security and Privacy First

Constructor was architected from the ground up with security and privacy in mind. Our system was intentionally designed to collect minimal personal data, and to keep all data safe and secure. Our customers trust us with their sensitive information, and we honor that trust by prioritizing security above all else. We recognize the importance of earning your trust, and we are committed to ensuring you're confident in our security measures, knowing that your data is fully safeguarded.

Our Practices

How we protect your data

Independent Assessments and Audits

Constructor’s service is independently audited under both the SOC2 Type 2 and ISO27001 frameworks. Reports are available via your account executive or customer success manager. A signed nondisclosure agreement is required to obtain the reports.

Constructor also continuously scans its environments and products for vulnerabilities and conducts external penetration tests at least once a year. Findings from these scans and tests are prioritized based on criticality and addressed in line with our development workflow and vulnerability management policy.

Access Controls

Users are managed with access controls that include multi-factor authentication, device trust, and strict role-based access management, adhering to key principles such as separation of duties, least privilege, and thorough auditing. Access to sensitive data is granted on a need-to-know basis, with personnel only having access to the information that they require in order to fulfill their duties.

Resiliency

Constructor adheres to industry best practices to maintain a highly distributed and fault-tolerant environment. Our infrastructure ensures high availability across cloud availability zones and multiple geographic regions. To safeguard service continuity, our production systems are replicated across regions, ensuring Constructor services remain operational even during location-specific disaster events.

Secure by Design Development

Constructor employs multiple automated testing processes, including static application security testing (SAST) and dynamic application security testing (DAST) tools to enhance the security of our software within our build process. We analyze source code and dependencies as part of our secure software development lifecycle (SSDLC). Additionally, we enforce change controls in our production environments and continually monitor traffic for anomalies and threats.

Data anonymization practices

We use many practices to minimize compliance risks (using anonymous IDs, stripping the last octet of IP addresses, and hashing identifiers on a website-by-website basis) to ensure anonymous user identifiers cannot be linked back to PII.

Our Program

Other Security Features

ddos

DDOS Protection

We’re able to easily mitigate distributed denial of service attacks of any size to prevent outages.

owasp

OWASP Top 10 Compliant

We cover all bases of the O-WASP top 10 security risks of web applications.

nist

NIST-compliant Coding Practices

We comply with NIST coding practices to minimize attack surface area.

penetration-testing

Routine Chaos & Penetration Testing

Our dedicated security team routinely tests our infrastructure by introducing failure points and security threats in isolated environments so we can stay 1 step ahead of any potential attackers.

qualys

Top Scoring in Security Benchmarks

Constructor’s score in the Qualys SSL analysis is at the top of the industry when compared with our top 5 competitors.