Enterprise Privacy & Security
At ScrubPlan, we recognize that AI has the potential to improve productivity, quality, and accuracy in the construction industry. We are committed to adopting and using AI technologies responsibly and in alignment with our dedication to high quality results
Customer Data
We do not use customer data for training or improving the ScrubPlan models. The models have been developed from publicly available knowledge on the internet and information our researchers have generated. By default, we do not train on any inputs or outputs from customer accounts.
For publicly available internet content, only information that is openly accessible is used to create and refine our models. Filters to remove material we do not want to be included are then applied.
ScrubPlan’s material database is developed from information our researchers have developed or generated. This model is refined through ScrubPlan’s research and development teams and trusted 3rd party partnerships.
Accountability and Continuous Improvement
We maintain clear roles and responsibilities for the oversight and governance of AI systems including human oversight and intervention where necessary
Recognizing accuracy is an ongoing process, we adopt an iterative approach to deployment. New models begin with smaller scale releases, feedback collection, and continuous improvement before expanding to a wider audience.
Security
Data encryption at rest and in transit between our customers and us, and between us and our service providers
For eligible customers, we offer data residency to help your organization meet regional compliance needs.
We integrate explicit policies into model training to ensure the AI behavior aligns with construction standards and pricing practices.
AI will augment but not replace human expertise in construction. Project managers, supervisors, and estimators will oversee AI outputs, verify results, and maintain final authority over project decisions.
Our access to customer data stored within our systems is limited to authorized employees that require access for engineering support, platform abuse and legal compliance.
Access Control and Authorization
Access granting process used
Implement a formal access granting process that ensures new access privileges are assigned based on the principle of least privilege, and require at least one employee to endorse the granting of new access.
Access management policy established
Systematic controls are established in the access management policy for managing user access rights, ensuring appropriate, authorized access to systems and data.
Employee access regularly reviewed
Employee access is reviewed at least annually to ensure that access privileges are appropriate and that former employees or users do not retain unauthorized access.
Password management policy enforced
Strictly enforce the organization’s password management policy to guarantee compliance with security standards. Enforcing this policy includes implementing technical controls, monitoring adherence, and responding to non-compliance.
Password management policy established
Enforce a password management policy that mandates strong and complex passwords, and prohibits the reuse of previously used passwords. This policy helps protect user accounts from unauthorized access due to weak or compromised passwords.
Data Management and Protection
Data encrypted at rest
All sensitive data is encrypted when stored on systems or devices.
Data encrypted in-transit
All data is encrypted when transmitted over networks, both within the organization's internal network and external connections.
Data inventory maintained
Establish and maintain an accurate, detailed, and up-to-date inventory of all data assets. This can include data stored in databases, file shares, and cloud storage.
Data management and retention policy established
A data management and retention policy is established, outlining guidelines for how long data should be retained and how it should be managed throughout its lifecycle.
Disaster Recovery
Automated backups enabled
Automated backups are enabled for all high-risk data and critical systems.
Data recovery process established
Establish a data recovery process that defines procedures for recovering data in case of data loss, corruption, or system failures. A robust data recovery process helps minimize downtime and data loss in critical situations.
Business continuity and disaster recovery policy established
A comprehensive business continuity and disaster recovery policy is established, outlining the organization's strategies for responding to disruptive incidents and supporting business continuity.
Disaster recovery plans tested
Regularly test the organization's disaster recovery plans to ensure their effectiveness and identify areas for improvement. Testing helps validate the ability to recover critical systems and operations in the event of a disaster.
Recovery data isolated
Isolate the recovery data from the production environment to prevent accidental overwriting or corruption of backups. Keeping recovery data separate helps maintain the integrity and availability of backup copies.
Email Security
DMARC policy and verification used
DMARC (Domain-based Message Authentication, Reporting, and Conformance) policy and verification mechanisms are implemented to prevent email spoofing and phishing attacks.
Email account access restricted
Access to email accounts is restricted to administrators only, and isn't delegated to other non-admin users within the organization.
Email settings block malicious content
Email settings are configured to block malicious content, including malicious attachments, links, and scripts.
Infrastructure Security
Active discovery tools used
An active discovery tool is used to identify assets connected to the enterprise's network, configured to execute daily or more frequently.
Automated security scanning performed on infrastructure
Automated security scanning software is deployed on all infrastructure components including servers and network devices.
Buckets not exposed publicly
Cloud storage buckets are not exposed to the public internet unless a documented business justification is in place.
Configuration management system established
Implement a configuration management system to manage and control the configuration of systems, applications, and infrastructure. Configuration management helps maintain consistency and security across the IT environment.
Firewall restricts public access to infrastructure
Firewalls are configured to restrict public access to the organization's infrastructure components.
Infrastructure changes logged
Maintain a log of all infrastructure changes to track and document modifications made to critical systems and services. Logging infrastructure changes aids in audit trails, incident investigations, and accountability.
Infrastructure changes require review
Implement a review process for all proposed infrastructure changes before implementation. Reviews ensure that changes comply with security policies, do not introduce vulnerabilities, and align with the organization's requirements.
Infrastructure deployed using an infrastructure-as-code tool
Adopt an infrastructure-as-code (IaC) approach to deploy and manage the organization's infrastructure components. IaC tools enable consistent and version-controlled infrastructure deployment, reducing the risk of configuration errors.
Unauthorized assets addressed and removed
Ensure that a process exists to address unauthorized assets on a periodic basis. This process should include regular audits of all assets and a procedure for handling unauthorized assets when they are discovered.
Unique production database authentication enforced
Enforce unique authentication mechanisms for accessing production databases, such as a unique username and password or SSH key.
Monitoring and Incident Response
Adequate audit log storage maintained
Ensure sufficient storage capacity to retain audit logs for the required duration. Adequate audit log storage enables historical analysis and supports compliance requirements related to log retention.
Audit log management process maintained
Maintain a robust and up-to-date audit log management process. This process should include guidelines for capturing, storing, and monitoring audit logs, ensuring the availability and integrity of essential security event data.
Audit logs collected
Enable the collection of audit logs from critical systems and applications. Audit logs capture essential security events and activities, providing valuable information for incident detection, investigation, and compliance purposes.
Incident response policy established
An incident response policy is established that outlines the organization's approach and procedures for detecting, responding to, and recovering from cybersecurity incidents.
Incident review process implemented
Establish a structured process for conducting incident reviews following any security or operational incident affecting critical systems. This process is essential for understanding root causes, assessing the impact, and identifying improvement actions to prevent similar incidents in the future.
Infrastructure performance monitored
The performance of the organization's infrastructure components is monitored to detect potential issues or anomalies that may impact security or reliability.
Log management used
Implement a centralized log management solution to collect, store, and analyze logs from various systems and applications. Centralized log management simplifies log review, correlation, and monitoring for potential security incidents.
Network infrastructure monitored
Implement monitoring mechanisms for the network infrastructure to detect and respond to suspicious or unauthorized activities. Network monitoring helps ensure the integrity and availability of network resources.
Organizational Security
Acceptable use policy established
Establish and maintain an acceptable use policy that outlines permissible activities, systems, and data access for all users, contractors, and third parties interacting with the organization's information assets and technologies.
Asset inventory maintained
Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the potential to store or process data. This can include end-user devices, network devices, IoT devices, and servers.
Asset management policy established
Establish an asset management policy that outlines the guidelines for managing the organization's assets throughout their lifecycle.
Code of conduct established
A code of conduct is established that outlines the expected behavior and ethical standards for all employees.
Company security commitments externally communicated
Key company security commitments and policies are externally communicated, including the Master Service Agreement (MSA), Security Information page, or Terms of Service.
Confidentiality Agreement acknowledged by employees
All employees have acknowledged and signed a confidentiality agreement. This agreement reinforces the commitment to safeguarding sensitive information and trade secrets.
External support resources available
Provide external support resources, such as documentation, user guides, and knowledge bases, to assist users in utilizing the organization's services effectively. Accessible support resources promote self-service and reduce support requests.
Offboarding process established
An offboarding process is established for departing employees to ensure that they are removed from relevant systems and accounts.
Physical access restricted
Physical access to the organization's facilities, equipment, and systems is restricted to authorized personnel only.
Roles and responsibilities specified
Clearly define roles and responsibilities for all employees within the organization. Specifying roles helps establish accountability and ensures that employees understand their duties and expectations.
Software development lifecycle established
A well-defined and documented development lifecycle is implemented for software and applications.
System changes communicated
Ensure that system changes, updates, and maintenance activities are communicated to relevant teams and stakeholders. Internal communication helps coordinate efforts and minimize potential disruptions.
Risk Management
Cybersecurity insurance maintained
Maintain cybersecurity insurance coverage to mitigate financial risks associated with cyber incidents, data breaches, and other security-related events. Cybersecurity insurance can provide financial protection and support recovery efforts.
Risk management policy established
A risk management policy is established that outlines the organization's approach to identifying, assessing, and mitigating information security risks.
Vendor inventory maintained
An accurate and up-to-date inventory of all vendors is maintained, including details such as the services provided, contract terms, and the scope of access they have.
Vendor management program established
A vendor management policy is established to assess, monitor, and manage the risks associated with third-party vendors, ensuring that external partners meet security and compliance standards.
Vulnerability Management
Automated software patch management performed
Automate the process of deploying software patches and updates to systems and applications. Automated patch management helps ensure that critical security patches are applied promptly to address known vulnerabilities.
Vulnerabilities scanned
Regular vulnerability scans are conducted on systems and applications to identify potential security flaws. This includes automated scanning tools that systematically examine infrastructure, applications, and code repositories for known vulnerabilities.
Vulnerability management policy established
A vulnerability management policy is established that outlines the procedures for identifying, assessing, and remediating vulnerabilities in the organization's systems and applications.