Trust & Security

How PM Assist protects your building data

PM Assist is built around per-building data separation and sensible security defaults. This page describes the controls we have in place and our approach to keeping your data safe.

Page last reviewed: March 2026

Security philosophy

We designed PM Assist for multi-building environments where data separation matters. Rather than bolting security on afterwards, per-building isolation and auditability are built into the application architecture. Documents, conversations, and user access are separated per building through application and data-layer controls.

Per-building data separation

Each building's data stays separate. Documents, chat history, and user accounts are isolated at the data layer through application controls designed to prevent cross-building access.

  • Database queries are scoped to the active building
  • Documents and chat history are separated per building
  • User access is restricted to their assigned building
  • Per-building controls reduce the risk of cross-building data access

Authentication and access control

PM Assist uses credential-based authentication with secure password hashing. Role-based access control is available on Starter plans and above.

  • Passwords are hashed using bcrypt before storage
  • Email verification required for new accounts
  • Role-based access control (admin and member roles)
  • Session management with secure, httpOnly tokens

Data storage and encryption

Documents and application data are stored with encryption in transit and at rest. File storage uses cloud infrastructure with server-side encryption.

  • All traffic is encrypted via HTTPS/TLS
  • Document storage uses server-side encryption (S3)
  • Database connections use encrypted transport
  • Sensitive fields (passwords, tokens) are hashed or encrypted

AI and data processing

When you ask a question, PM Assist sends relevant document excerpts to OpenAI's API to generate a response. Only the content needed to answer your query is transmitted.

  • Only relevant document excerpts are sent to the AI provider — not entire files
  • AI responses include source citations for verification
  • Under OpenAI's standard API data usage policy, API inputs and outputs are not used to train their models. We do not currently hold a separate Zero Data Retention agreement
  • AI-generated content should always be verified against source documents

Auditability and citations

Every AI-generated answer includes source citations referencing the original documents, pages, and sections. This supports verification, compliance workflows, and accountable decision-making.

  • Source citations on every AI response
  • Audit logging available on Pro and Enterprise plans
  • Admin dashboard for user and tenant management
  • Responses can be exported for compliance records

Operational controls

PM Assist includes server-side security headers and operational controls to protect against common web vulnerabilities.

  • Content Security Policy (CSP) headers
  • Clickjacking and MIME sniffing protection
  • Strict referrer policy
  • Rate limiting on authentication endpoints

Data retention and deletion

You retain ownership of all uploaded documents. Self-service account deletion and data export are available from your profile page. Automated daily cleanup enforces retention schedules without manual intervention.

  • Account data retained until you delete your account (self-service or by request)
  • Documents retained until deleted by you or on account closure
  • Query logs automatically purged after 90 days
  • Audit logs follow a tiered schedule: routine-event IPs scrubbed at 14 days, all PII scrubbed at 90 days, full records deleted at 180 days
  • Expired authentication tokens purged daily; soft-deleted accounts hard-deleted after 30 days
  • Self-service data export (JSON) available from your profile page
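The tiered audit-log schedule above, worked through as an added example; this is not PM Assist's own code. The record layout and the field names (`created_at`, `routine`, `ip`, `email`, `user_agent`) are hypothetical, and only the 14/90/180-day boundaries come from this page.

```python
from datetime import datetime, timedelta, timezone

# Tier boundaries from the audit-log schedule above.
IP_SCRUB_AFTER = timedelta(days=14)   # routine events only
PII_SCRUB_AFTER = timedelta(days=90)  # every event
DELETE_AFTER = timedelta(days=180)    # whole record

# Assumption: hypothetical field names; which columns hold PII is schema-specific.
PII_FIELDS = ("ip", "email", "user_agent")


def apply_retention(record, now):
    """Return the record as it should be stored after cleanup, or None to delete it."""
    age = now - record["created_at"]
    if age >= DELETE_AFTER:
        return None
    cleaned = dict(record)  # never mutate the caller's copy
    if age >= PII_SCRUB_AFTER:
        for field in PII_FIELDS:
            if field in cleaned:
                cleaned[field] = None
    elif age >= IP_SCRUB_AFTER and cleaned.get("routine", False):
        # Events not flagged routine keep their IP until the 90-day tier.
        cleaned["ip"] = None
    return cleaned


def run_cleanup(records, now):
    """Apply the schedule to a batch; returns (kept_records, deleted_count)."""
    kept, deleted = [], 0
    for record in records:
        result = apply_retention(record, now)
        if result is None:
            deleted += 1
        else:
            kept.append(result)
    return kept, deleted


# Constructed sample data (not real log entries).
NOW = datetime(2026, 3, 1, tzinfo=timezone.utc)


def make_event(event_id, routine, age_days):
    return {"id": event_id, "routine": routine, "ip": "203.0.113.7",
            "email": "user@example.com", "created_at": NOW - timedelta(days=age_days)}


SAMPLE = [make_event(1, True, 3), make_event(2, True, 20), make_event(3, False, 20),
          make_event(4, True, 120), make_event(5, False, 200)]
```

Because each tier depends only on record age, running the job again on already-scrubbed records changes nothing, which is what a daily schedule needs.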

Shared responsibility

Security is a shared responsibility. We secure the application, infrastructure configuration, and data-layer controls we manage. Customers are responsible for user access management, password security, document selection, and internal governance of how the Service is used within their organisation.

Subprocessors

PM Assist uses the following third-party services to deliver the product. Each is bound by its own privacy and security policies.

Service | Purpose
OpenAI | AI-powered document search and response generation
Amazon Web Services (S3) | Document file storage
PostgreSQL (managed) | Application data persistence
Vercel | Application hosting and deployment
Stripe | Payment processing and subscription management
Sentry | Error monitoring and application reliability
Resend / SMTP | Transactional email delivery (verification, notifications, invitations)
Google Analytics 4 | Product analytics (consent-gated via Consent Mode v2)
Google Ads | Conversion measurement only (cookieless via Consent Mode v2; no advertising cookies)

This list was last reviewed in March 2026. If you need a formal subprocessor list or data processing agreement, please contact us.

How data flows

// Simplified data flow
User → asks question via PM Assist UI
PM Assist → retrieves relevant document excerpts (scoped to tenant)
PM Assist → sends excerpts + query to OpenAI API
OpenAI → returns generated answer
PM Assist → adds source citations and streams response to user

// Data boundaries
Documents stored in: S3 (encrypted at rest)
Metadata stored in: Database (per-building separation)
AI processing: OpenAI API (excerpts only, not full docs)

Common security questions

Can other buildings or tenants see my data?

Each building's data stays separate. PM Assist uses per-building queries and access controls to keep documents, conversations, and user accounts isolated at the application and data layer.

Are my documents used to train AI models?

Under OpenAI's standard API data usage policy, API inputs and outputs are not used to train their models. Only relevant document excerpts (not full files) are sent to generate responses for your queries.

What happens to my data if I cancel?

You can delete your account at any time from your profile page (self-service, with password confirmation). This immediately removes your personal data, query history, generated documents, and uploaded images. Audit log PII is scrubbed and tombstone records are hard-deleted after 30 days. You can also export your data in JSON format before deleting.

Do you have SOC 2 or ISO 27001 certification?

Not currently. We rely on the certifications held by our infrastructure providers (AWS, Vercel) and implement application-level controls described on this page. If formal certification is required for your procurement process, please contact us to discuss.

Can I get a data processing agreement (DPA)?

Yes. Contact us and we can work with you to provide a DPA suitable for your procurement requirements.

How do I report a security concern?

Please email [email protected] with details. We take all reports seriously and will respond promptly.

For procurement and compliance teams

We understand that adopting a new tool involves procurement review, security questionnaires, and internal sign-off. We are happy to support your evaluation process.

  • Data Processing Agreement (DPA): Available on request. Contact us and we will work with you to provide a DPA suitable for your requirements.
  • Security questionnaire: We can complete your organisation's security questionnaire or provide a pre-filled security overview document.
  • Technical walkthrough: We can arrange a call to discuss architecture, data flow, and security controls with your technical team.
  • Trial and evaluation: Start with a free account to evaluate the product before any procurement commitment.

To start any of the above, email [email protected] or get in touch.

Security contact

For security questions, vulnerability reports, or to request a security review or DPA, contact us at [email protected]