Data Privacy
Security & Compliance
Security and Privacy First
Constructor was architected from the ground up with security and privacy in mind: the system is designed to collect minimal personal data and to protect the data it does hold. Our customers trust us with their sensitive information, and we honor that trust by prioritizing security. We recognize that trust has to be earned, and we are committed to giving you confidence in our security measures and in how your data is safeguarded.
Our Practices
How we protect your data
Independent Assessments and Audits
Constructor’s service is independently audited under both the SOC 2 Type 2 and ISO 27001 frameworks. Reports are available through your account executive or customer success manager; a signed nondisclosure agreement is required to obtain them.
Constructor also continuously scans its environments and products for vulnerabilities and conducts external penetration tests at least once a year. Findings from these scans and tests are prioritized based on criticality and addressed in line with our development workflow and vulnerability management policy.
Access Controls
Users are managed with access controls that include multi-factor authentication, device trust, and strict role-based access management, adhering to key principles such as separation of duties, least privilege, and thorough auditing. Access to sensitive data is granted on a need-to-know basis, with personnel only having access to the information they require in order to fulfill their duties.
Resiliency
Constructor adheres to industry best practices to maintain a highly distributed and fault-tolerant environment. Our infrastructure ensures high availability across cloud availability zones and multiple geographic regions. To safeguard service continuity, our production systems are replicated across regions, ensuring Constructor services remain operational even during location-specific disaster events.
Secure by Design Development
Constructor employs multiple automated testing processes, including static application security testing (SAST) and dynamic application security testing (DAST) tools to enhance the security of our software within our build process. We analyze source code and dependencies as part of our secure software development lifecycle (SSDLC). Additionally, we enforce change controls in our production environments and continually monitor traffic for anomalies and threats.
Data anonymization practices
We use several practices to reduce the risk that stored user identifiers can be linked back to PII: anonymous IDs in place of direct identifiers, IP addresses stored with the last octet stripped, and identifiers hashed on a website-by-website basis, so the same person cannot be correlated across customer sites.
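The three practices above, worked through in code as an added example (this is not Constructor's own code; the IPv6 handling, the choice of HMAC-SHA256 with a per-site secret key, and the sample events are assumptions of this example). Two details a practitioner will want: a plain, unkeyed hash of a low-entropy identifier such as an e-mail address is reversible by anyone who can hash a list of known addresses, so the per-site hash should be keyed with a secret the data holder never exports; and the per-site key is also what prevents cross-site joins, because the same identifier yields unrelated pseudonyms under different keys.

```python
import hashlib
import hmac
import ipaddress
import secrets
from typing import Dict, List, Optional


def truncate_ip(ip_text: str) -> str:
    """Drop the host part of an address before it is stored.

    IPv4: zero the last octet, as the page describes (203.0.113.77 -> 203.0.113.0).
    IPv6: zero the low 80 bits and keep a /48 (an assumption of this example;
    the page only mentions the IPv4 octet).
    """
    addr = ipaddress.ip_address(ip_text)
    prefix = 24 if addr.version == 4 else 48
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(net.network_address)


def pseudonymize(site_key: bytes, identifier: str) -> str:
    """Keyed, per-site hash of an identifier (HMAC-SHA256, hex encoded).

    The identifier is normalised (trimmed, lower-cased) so that the same person
    always maps to the same pseudonym within one site. The secret site_key is
    never stored with the data: without it, a dictionary of e-mail addresses
    cannot be run through the function to recover the input.
    """
    message = identifier.strip().lower().encode("utf-8")
    return hmac.new(site_key, message, hashlib.sha256).hexdigest()


def anonymize_event(site_key: bytes, event: Dict[str, str]) -> Dict[str, str]:
    """Return a copy of a search event with the PII fields replaced."""
    return {
        "site": event["site"],
        "user": pseudonymize(site_key, event["email"]),
        "ip": truncate_ip(event["ip"]),
        "query": event["query"],
    }


def reverse_plain_hash(digest_hex: str, candidates: List[str]) -> Optional[str]:
    """Why an unkeyed hash is not anonymisation: anyone holding a list of
    plausible identifiers can hash each one and match the stored digest."""
    for candidate in candidates:
        if hashlib.sha256(candidate.encode("utf-8")).hexdigest() == digest_hex:
            return candidate
    return None


if __name__ == "__main__":
    # Constructed sample: one shopper seen on two customer sites.
    site_keys = {
        "shop-a.example": secrets.token_bytes(32),
        "shop-b.example": secrets.token_bytes(32),
    }
    events = [
        {"site": "shop-a.example", "email": "Alice@Example.com", "ip": "203.0.113.77",
         "query": "running shoes"},
        {"site": "shop-b.example", "email": "alice@example.com", "ip": "2001:db8:abcd:1234::5",
         "query": "trail shoes"},
    ]
    stored = [anonymize_event(site_keys[e["site"]], e) for e in events]
    for row in stored:
        print(row)
    # Different keys: the same person is not linkable across the two sites.
    print("cross-site linkable:", stored[0]["user"] == stored[1]["user"])
    # Unkeyed SHA-256 of the e-mail, by contrast, falls to a dictionary lookup.
    leaked = hashlib.sha256(b"alice@example.com").hexdigest()
    print("plain hash recovered as:",
          reverse_plain_hash(leaked, ["bob@example.com", "alice@example.com"]))
```

The last-octet truncation is a coarse measure on its own (a /24 still localises a user fairly well), which is why it is combined with the keyed pseudonym rather than relied on alone.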
Our Program
Other Security Features
DDoS Protection
We mitigate distributed denial of service attacks, regardless of their scale, to prevent outages.
OWASP Top 10 Compliant
Our applications are built and tested against the OWASP Top 10 security risks for web applications.
NIST-compliant Coding Practices
We follow NIST secure coding guidance to minimize our attack surface.
Routine Chaos & Penetration Testing
Our dedicated security team routinely tests our infrastructure by introducing failure points and simulated threats in isolated environments, so that we stay one step ahead of potential attackers.
Top Scoring in Security Benchmarks
Constructor’s score in the Qualys SSL Labs analysis is at the top of the industry when compared with our top five competitors.