Security & trust

Trust & security as a baseline, not an afterthought.

Construction operations run on sensitive documents — bid pricing, contracts, drawings, project records. We’ve built Pelles to handle them with the rigor a procurement team would expect, and this page tells you the truth about where every framework and control stands today.

  • SOC 2 Type II audit engaged
  • Annual pen tests
  • No model training on customer data
01 · Frameworks

Compliance status

One row per framework. Status badges read green for attested, amber for in progress, and cyan for aligned (controls in place, no formal certification).

  • F-01
    SOC 2 Type II
    Audit engaged. Report available to customers under NDA upon completion.
    In progress
  • F-02
    GDPR
    Customer data handling and subject-access procedures align with EU and UK requirements.
    Aligned
  • F-03
    CCPA / CPRA
    Customer data handling and subject-access procedures align with California privacy requirements.
    Aligned
02 · Controls

What’s in place today

The technical and operational controls Pelles runs on right now. Every item below is true today — nothing aspirational on this page.

Encryption

AES-256 at rest. TLS 1.2+ in transit. Keys managed by industry-standard cloud KMS.

Access control

SSO and SAML available to enterprise customers on request. Role-based access control. Multi-factor authentication. Least-privilege internal access.

Tenant isolation

Multi-tenant by default with strict logical isolation. Single-tenant and customer-managed cloud deployments offered to enterprise customers on request.

Audit logging

Key user actions are logged with user, timestamp, and resource. Logs are exportable for customer audit needs.

Data handling

Project documents, conversations, and outputs stay isolated to your tenant. No cross-tenant data flow, no shared embeddings.

Model training

We do not train models on customer data — neither the documents you upload nor how you use the platform (queries, conversations, telemetry).

Infrastructure

Hosted on industry-leading cloud infrastructure (SOC 2 Type II and ISO 27001 attested). Automated backups.

Penetration testing

Annual third-party penetration test completed in 2026 (all findings resolved). Executive summary available to customers under NDA.

03 · Principles

How we think about security

The four ideas the technical controls above are built on. They shape every decision — not just the ones a checklist asks about.

  • P-01

    Least privilege by default

    Internal access to customer data is scoped to the minimum required and granted only when needed. Default-deny, not default-allow.

  • P-02

    Defense in depth

    No single control protects customer data. Encryption, tenant isolation, access controls, and audit logging operate independently — a failure in one shouldn’t compromise the rest.

  • P-03

    Customer data stays the customer’s

    Your project data is yours. We do not train models on it and do not use it to improve our product without explicit consent.

  • P-04

    Auditable by design

    Privileged actions are logged. Configuration changes are versioned. The platform is designed so that, when an auditor asks what happened, you can show them.

Have a security question or vendor review?

Reach out and we’ll route your request to the right person. We’ll get back to you within one business day to walk through whatever you need.
