Security & trust

Your data belongs to you.
We make sure it stays that way.

BOMSync is built on a simple principle: your organization’s work, contracts, and signatures are yours alone. We have architected the platform from the ground up so that no other organization can ever see your data — and so that you can prove the integrity of every agreement you sign.

Microsoft Azure
Encrypted everywhere
Defense-in-depth
eIDAS & ESIGN compliant
Defender for Cloud
Global compliance roadmap

Nine commitments we make to every customer

Your data never touches another customer’s

Every organization on BOMSync has its own dedicated, isolated database. It is physically separate from every other customer’s data. There is no shared pool, no risk of accidental commingling.

Encrypted in transit and at rest, always

Every byte traveling between your browser and BOMSync is protected by TLS encryption. Your stored data — files, contracts, project records — is encrypted at rest on Microsoft Azure. No exceptions.

Multiple layers of network protection

BOMSync runs inside Microsoft Azure’s defense-in-depth framework: automatic DDoS protection, network-level firewall, and traffic isolation between every service layer — so threats are stopped well before they reach your data.

Passwords and secrets are never stored as plain text

Your password is hashed using a modern, one-way algorithm before it is ever saved. API keys and connection credentials are held in Azure Key Vault — a FIPS 140-3 certified hardware secrets store — and never embedded in code.
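The password-hashing commitment above, as an added example that is not BOMSync's own code: the page names PBKDF2 as the algorithm in use, so this shows a salted PBKDF2-HMAC-SHA256 record being created before storage and verified later without the plaintext ever being kept. The iteration count, the `$`-separated record layout and the sample password are assumptions of this example.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Added example, not BOMSync's code: a password is turned into a salted, one-way
# PBKDF2-HMAC-SHA256 hash before storage, and verified by recomputing it.
# The iteration count and the "$"-separated record format are assumptions.
ITERATIONS = 600_000   # assumed work factor; raise as hardware allows
SALT_BYTES = 16        # a fresh random salt per password
KEY_BYTES = 32         # 256-bit derived key
MAX_ITERATIONS = 10_000_000  # refuse absurd counts from a corrupted record


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: pbkdf2_sha256$<iterations>$<salt>$<hash>.

    Storing the parameters next to the hash lets the work factor be raised
    later without invalidating records that were created earlier.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    derived = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS, dklen=KEY_BYTES
    )
    return "pbkdf2_sha256${}${}${}".format(
        ITERATIONS,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(derived).decode("ascii"),
    )


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the stored parameters and compare in constant time.

    A malformed record is treated as a failed login rather than raising, so a
    corrupted row cannot take down the login path.
    """
    try:
        algo, iterations, salt_b64, hash_b64 = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        count = int(iterations)
        if not 1 <= count <= MAX_ITERATIONS:
            return False
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(hash_b64, validate=True)
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), salt, count, dklen=len(expected)
        )
    except (ValueError, TypeError):
        return False
    # compare_digest does not stop at the first differing byte, so timing
    # reveals nothing about how much of the hash matched.
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")  # constructed sample
    print(record)
    print(verify_password("correct horse battery staple", record))   # True
    print(verify_password("correct horse battery stapler", record))  # False
```

Because the salt is random, hashing the same password twice yields two different records; only the verification path, which reads the salt back out of the record, can confirm a match.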

Every signed agreement is cryptographically anchored

When you sign in BOMSync, the system creates a tamper-evident fingerprint of the document. If a single character were ever changed afterward, the fingerprint would no longer match — giving you independent proof of the document’s integrity.

A complete, permanent audit trail

Every action on a contract or agreement is recorded — who made it, when, and from where. Records are never deleted. Voids and amendments stay on file with a written reason, giving you a clear history for any audit or legal review.

Continuous threat monitoring

Microsoft Defender for Cloud and Azure Monitor watch BOMSync’s infrastructure around the clock, detecting suspicious activity and surfacing security alerts before they become incidents.

Automatic backups with point-in-time recovery

Azure Backup protects every database continuously. If anything were ever to go wrong, we can restore your data to any point in the retention window — giving you a safety net as well as a security posture.

AI features operate under human oversight

BOMSync’s AI capabilities are designed so that any significant suggested action requires explicit human approval before it takes effect. Every AI-suggested change is logged and reviewed — the system never acts unilaterally on your data.

Your project data is yours alone

BOMSync is a multi-organization platform, but it does not work like a shared spreadsheet. Every organization — every contractor, every design firm, every public agency — has a dedicated database that belongs exclusively to them.

Our global platform manages sign-in and billing in a separate, isolated system. Your operational data — your items, BOMs, projects, purchase orders, work orders, and Gantt schedules — never lives anywhere near it.

When you choose to share data with a partner or subcontractor, that is an explicit action you take. Nothing is shared by default.

Signatures you can stand behind in court

BOMSync captures far more than a drawn signature. Every time you sign, we record the complete picture: your verified identity, the exact text you agreed to, the precise time you signed, and a cryptographic fingerprint that permanently links your signature to that exact document — not a copy, not a version, but that specific set of bytes.

Verified identity

Your name, verified email address, and handwritten signature image are captured and stored securely together.

Precise timestamp

The exact date and time of signing is recorded by our servers — not your device — so the record is independently trustworthy.

What you agreed to

The exact words you agreed to are stored verbatim alongside your signature, preserving the complete record of your intent.

Cryptographic proof

A SHA-256 fingerprint of the signed document is locked to the agreement. Any future change to the document would be immediately detectable.

BOMSync signatures are Simple Electronic Signatures — the established legal standard for online B2B commercial agreements. They are recognised and enforceable in every major jurisdiction where our customers operate.

United States

ESIGN Act & state UETA

European Union

eIDAS Regulation, Article 25

United Kingdom

Electronic Communications Act 2000

Other regions

Ask us — we map requirements to your jurisdiction

For construction workflows requiring a stronger signature standard — such as Qualified Electronic Signatures for EU regulated deliverables or Advanced Electronic Signatures for US federal contracts — BOMSync’s signature stack is built to upgrade. Our roadmap includes certificate-based signing, trusted timestamps, and long-term validation. Contact us to discuss your specific requirements.

Built on Microsoft Azure — the most trusted cloud for regulated industries

BOMSync runs entirely on Microsoft Azure, giving your data the benefit of Microsoft’s global security investment, data-center compliance portfolio, and enterprise-grade availability guarantees.

Encrypted databases

All data at rest is protected by Azure SQL’s built-in Transparent Data Encryption. Point-in-time restore is enabled for every database.

Encrypted file storage

Your project files, BIM models, and signed documents are stored in Azure Blob Storage with server-side encryption (AES-256) applied automatically on every write.

Hardware-backed secrets (FIPS 140-3)

Every credential BOMSync uses internally is held in Azure Key Vault, backed by hardware security modules certified to FIPS 140-3 Level 3 — never hard-coded anywhere.

HSTS enforced

Your browser is instructed to refuse any unencrypted connection to BOMSync. There is no fallback to HTTP — ever.

Azure Backup & point-in-time restore

Your data is backed up continuously using Azure’s automated backup service. We can restore any database to any point within the retention window.

No ads. No data selling.

BOMSync is a professional B2B platform. We do not sell your data, share it with advertisers, or use it to train external models without your consent.

Azure Firewall & DDoS protection

BOMSync benefits from Azure’s cloud-native firewall and automatic DDoS protection, which shields infrastructure from network-layer attacks without any configuration on your part.

Network isolation

Azure Virtual Network boundaries and Network Security Groups keep BOMSync’s services isolated from each other and from the broader internet, restricting traffic to only what is explicitly permitted.

Defender for Cloud & Azure Monitor

Microsoft Defender for Cloud continuously monitors BOMSync’s Azure resources for threats and misconfigurations. Azure Monitor collects audit logs and diagnostics for security analysis.

Microsoft Entra ID & least-privilege access

BOMSync uses Microsoft Entra ID as its identity platform. Azure Role-Based Access Control ensures every internal service can only access exactly what it needs — nothing more.

Time-limited file access

When BOMSync grants access to a file, it uses Azure’s Shared Access Signature tokens — short-lived, scoped permissions that expire automatically and never expose persistent account keys.
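The pattern behind time-limited file access, as an added example that is neither BOMSync's nor Azure's code: a service that holds the secret key signs the file path, the permitted operations and an expiry; the storage front end re-checks signature, expiry and scope on every request, and the persistent key itself never leaves the service. Field names, token layout and the fixed demo clock are assumptions of this example, and the layout is deliberately not the Azure Shared Access Signature format.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode

# Added example, not BOMSync's or Azure's code: a generic short-lived, scoped
# file-access token. Layout and field names are assumptions of this example.
DEMO_KEY = b"constructed-demo-key-do-not-reuse"  # in production: a secrets store


def _signature(path: str, permissions: str, expiry: int, key: bytes) -> str:
    """HMAC-SHA256 over (path, permissions, expiry); binds all three to the key."""
    payload = "{}\n{}\n{}".format(path, permissions, expiry).encode("utf-8")
    digest = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).decode("ascii")


def issue_file_token(path: str, permissions: str, ttl_seconds: int,
                     now: Optional[int] = None, key: bytes = DEMO_KEY) -> str:
    """Mint a query-string token granting `permissions` (e.g. "r") on one path until expiry."""
    now = int(time.time()) if now is None else now
    expiry = now + ttl_seconds
    return urlencode({"path": path, "perm": permissions, "exp": expiry,
                      "sig": _signature(path, permissions, expiry, key)})


def check_file_token(token: str, path: str, action: str,
                     now: Optional[int] = None, key: bytes = DEMO_KEY) -> Tuple[bool, str]:
    """Validate a token for `action` ("r" or "w") on `path`; returns (allowed, reason)."""
    now = int(time.time()) if now is None else now
    fields = {k: v[0] for k, v in parse_qs(token).items()}
    try:
        t_path, t_perm, t_sig = fields["path"], fields["perm"], fields["sig"]
        t_exp = int(fields["exp"])
    except (KeyError, ValueError):
        return False, "malformed token"
    # Signature first: a tampered expiry or scope must never be trusted.
    if not hmac.compare_digest(t_sig, _signature(t_path, t_perm, t_exp, key)):
        return False, "bad signature"
    if now >= t_exp:
        return False, "token expired"
    if t_path != path:
        return False, "token is scoped to a different file"
    if action not in t_perm:
        return False, "action not permitted by token"
    return True, "ok"


if __name__ == "__main__":
    t0 = 1_700_000_000  # constructed fixed clock for the demo
    tok = issue_file_token("/projects/42/bom.xlsx", "r", ttl_seconds=300, now=t0)
    print(check_file_token(tok, "/projects/42/bom.xlsx", "r", now=t0 + 60))   # (True, 'ok')
    print(check_file_token(tok, "/projects/42/bom.xlsx", "r", now=t0 + 600))  # expired
    print(check_file_token(tok, "/projects/42/bom.xlsx", "w", now=t0 + 60))   # not permitted
    print(check_file_token(tok.replace("exp=", "exp=9"),
                           "/projects/42/bom.xlsx", "r", now=t0 + 60))         # bad signature
```

The order of checks matters: the signature is verified before the expiry or scope fields are acted on, so editing the expiry in a leaked link only produces a signature failure. A real deployment would also log the reason string for each rejection so that unusual patterns of expired or mis-scoped tokens become visible.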

Defense-in-depth by design

BOMSync adopts Microsoft Azure’s defense-in-depth architecture — independent security controls at the physical, network, compute, application, and data layers — so no single point of failure can expose your data.

The technologies and standards that protect your data

Every badge represents a control active in BOMSync’s production environment today, or a certification actively being pursued. Azure infrastructure certifications are Microsoft’s and apply to the cloud hosting layer. All icons are inline SVG — zero external trackers or CDN image requests.

Azure infrastructure

  • Microsoft Azure: Cloud platform
  • Defense-in-depth: 7-layer protection
  • FIPS 140-3 Level 3 HSM: HSM-backed keys
  • Azure Key Vault: Secrets management
  • Azure SQL TDE: Encrypted at rest
  • Azure Blob Storage: Secure file storage
  • Point-in-time restore: Automated backup
  • Azure DDoS: Platform protection

Identity & access management

  • Microsoft Entra ID: Managed Identity
  • Azure RBAC: Least-privilege access
  • PBKDF2 hashing: Passwords protected

Encryption & transport security

  • TLS 1.2+: Encrypted in transit
  • HSTS enforced: No HTTP fallback
  • AES-256: Azure storage standard
  • End-to-end: Every connection

Electronic signatures & legal compliance

  • eIDAS compliant: EU Reg. 910/2014
  • ESIGN Act: US federal law
  • UETA compliant: All 50 US states
  • UK ECA 2000: England & Wales
  • SHA-256: Tamper-evident

Data privacy & industry standards

  • GDPR ready: Data privacy
  • ISO 19650: BIM information management
  • PCI DSS: Via Stripe
  • MCSB aligned: MS cloud benchmark
  • No data selling: Zero ad model

Azure infrastructure certifications (Microsoft’s — hosting layer)

  • ISO 27001: Azure infrastructure
  • SOC 2 Type II: Azure infrastructure
  • CSA STAR: Azure cloud security

These certifications are held by Microsoft for the Azure infrastructure layer. Under the cloud shared-responsibility model, BOMSync customers inherit infrastructure-level assurance. BOMSync application-level certifications are listed separately below.

BOMSync application certifications — in progress

  • SOC 2 Type II: In progress
  • ISO 27001: In progress
  • eIDAS QES: Roadmap
  • DFARS / FAR: Roadmap

All icons are inline SVG — no external trackers. Azure infrastructure certifications (ISO 27001, SOC 2, CSA STAR) are held by Microsoft and apply to the hosting layer under the shared-responsibility model, not to BOMSync’s application code. BOMSync application-level SOC 2 and ISO 27001 are being pursued independently. “In progress” and “Roadmap” badges appear at reduced opacity.

Simple steps to get the most from BOMSync security

1. Use a strong, unique password

A strong password, combined with multi-factor authentication where available, is the single most effective step you can take to protect your account.

2. Sign on a trusted device and network

Use your own laptop or phone, on a network you control, when signing contracts. Avoid shared or public computers for document signing.

3. Save the document fingerprint

After signing, the cryptographic fingerprint is displayed next to your agreement. Your legal team can keep a copy as an independent integrity record.

4. Contact us immediately if something looks wrong

If any agreement ever shows content that doesn’t match what you signed, contact BOMSync support right away. We will reconcile it against the cryptographic record.
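The cryptographic proof described under "Signatures you can stand behind in court" and the fingerprint check in the steps above, as one added example that is not BOMSync's own code: a signing record bundles the components the page lists (verified identity, the agreed text, a server timestamp and the SHA-256 of the exact document bytes), the record itself gets a fingerprint your legal team could keep, and a later copy of the document is checked against both. The record field names, the canonical-JSON encoding and the sample contract text are assumptions of this example; the page describes the components, not a storage format.

```python
import hashlib
import json
from datetime import datetime, timezone
from typing import Dict, Tuple

# Added example, not BOMSync's code: a SHA-256 fingerprint ties a signature to
# one exact set of document bytes. Record layout is an assumption of this example.


def document_fingerprint(document: bytes) -> str:
    """SHA-256 of the exact bytes that were signed, as lowercase hex."""
    return hashlib.sha256(document).hexdigest()


def build_signing_record(document: bytes, signer_name: str, signer_email: str,
                         agreed_text: str, signed_at: datetime) -> Dict[str, str]:
    """Bundle identity, agreed text, server timestamp and document hash into one record."""
    if signed_at.tzinfo is None:
        raise ValueError("signed_at must be a timezone-aware server timestamp")
    return {
        "signer_name": signer_name,
        "signer_email": signer_email,
        "agreed_text": agreed_text,
        "signed_at": signed_at.astimezone(timezone.utc).isoformat(),
        "document_sha256": document_fingerprint(document),
    }


def record_fingerprint(record: Dict[str, str]) -> str:
    """Fingerprint of the whole record over a canonical (sorted, compact) JSON
    encoding, so the same record always hashes the same way regardless of key order."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"), ensure_ascii=False)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def verify_document(document: bytes, record: Dict[str, str],
                    stored_fingerprint: str) -> Tuple[bool, str]:
    """Check a presented copy against the record and the fingerprint kept at signing time."""
    if record_fingerprint(record) != stored_fingerprint:
        return False, "signing record does not match its fingerprint"
    if document_fingerprint(document) != record["document_sha256"]:
        return False, "document bytes differ from the version that was signed"
    return True, "document is byte-for-byte the version that was signed"


def constructed_sample() -> Tuple[bytes, Dict[str, str], str]:
    """A constructed document, its signing record and the record fingerprint."""
    original = b"Subcontract 2024-017: supply and install 120 steel columns, total 1,250,000 EUR."
    record = build_signing_record(
        original, "A. Example", "a.example@contractor.test",
        "I agree to the terms of Subcontract 2024-017.",
        datetime(2024, 5, 1, 9, 30, tzinfo=timezone.utc),  # server time, not device time
    )
    return original, record, record_fingerprint(record)


if __name__ == "__main__":
    original, record, fp = constructed_sample()
    print(fp)  # the value the page suggests keeping as an independent integrity record
    print(verify_document(original, record, fp))
    tampered = original.replace(b"1,250,000", b"1,450,000")  # one changed character
    print(verify_document(tampered, record, fp))
```

Two checks run in sequence: first that the record itself still matches the fingerprint that was handed out at signing time (so the agreed text or timestamp cannot be quietly edited), then that the presented document bytes match the hash inside the record. Either failure is enough to refuse the copy, which is the reconciliation step 4 describes.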

Where we are today, and where we are going

We are honest about what is live and what is coming. Our architecture is designed to grow with the regulatory requirements of the AEC industry — especially for government housing, infrastructure, and defense projects.

Live today

  • Dedicated encrypted database per organization
  • Defense-in-depth Azure security architecture
  • TLS 1.2+ with HSTS on all systems
  • Azure DDoS protection (auto-enabled)
  • Azure Firewall & network isolation (VNet / NSGs)
  • Microsoft Entra ID & least-privilege RBAC
  • FIPS 140-3 Level 3 hardware-backed secrets
  • AES-256 server-side encryption on all file storage
  • Tamper-evident SHA-256 signed agreements
  • eIDAS / ESIGN / UETA compliant signatures
  • ISO 19650-aligned document taxonomy
  • Defender for Cloud continuous threat monitoring
  • Azure Monitor audit logging & diagnostics
  • Azure Backup with point-in-time restore
  • Human-supervised AI operations
  • Permanent, append-only audit records
  • Hardware-backed secret management (Azure Key Vault)

On our roadmap

  • Qualified Electronic Signatures (eIDAS QES) for EU construction deliverables
  • Advanced signatures with trusted timestamps for US federal workflows
  • Long-term signature validation (PAdES B-LT / B-LTA)
  • Single Sign-On / SAML / OIDC federation for enterprise identity providers
  • SOC 2 Type II and ISO 27001 certifications
  • DFARS / FAR-compliant signature posture for US government contracts

Evaluating BOMSync for enterprise or government?

Our security team can provide a technical architecture document, a completed diligence questionnaire, and a direct conversation with our engineering lead. We welcome independent security review.