Trust & security
Construction-loan data is sensitive — homeowner contracts, subcontractor records, certificates of insurance, bank draw bundles. Here's how we think about looking after it. If your bank, insurer, or vendor-security review needs more detail than this page offers, email us and we'll respond with a more complete write-up.
Construction is a relationship business. Your builds, your subs, your homeowners — none of that should ever leak across to another builder's workspace. These principles guide everything we do.
Every builder gets their own workspace. Your projects, your subs, your homeowners, your contracts — never visible to other workspaces, no exceptions. The system enforces this on every page load, every download, every API call.
All traffic is encrypted on the wire. All data sits on encrypted disks. Backups are encrypted before they leave the primary server.
W-9s, certificates of insurance, and signed contracts are never served from public URLs. Every download re-verifies that the requester belongs to the workspace they're asking about.
Your data is backed up daily to a separate location, so a single-server failure doesn't lose your build history. Backups are encrypted and retained on a rolling window.
No employees, contractors, or AI systems have standing access to your data. When 321Draw support helps with a ticket, the access is scoped, logged, and time-limited.
When you opt into an AI feature — for example, turning a pasted contract into a reusable template, or reading line items off an uploaded invoice — the content you submit is processed by an enterprise AI sub-processor under terms that prohibit training on your data. Ask for the named sub-processor list.
Every contract signature, lien waiver, and draw approval captures who signed, when, and from what device — so the trail holds up if a bank or insurer ever asks.
We try to collect as little as we need to make the product work, and we're careful about the things we deliberately don't touch.
Your company info, your team's logins, your homeowners' names and email addresses, project budgets, invoices, contracts, change orders, photos, draw bundles, and any documents you choose to upload for your subs. This is the working content of your construction business and it stays in your workspace.
Cancel any time. Your records stay readable while your account is active, plus a short grace window after cancellation. Need to leave and take everything? You can download every draw bundle, signed contract, and uploaded invoice from inside the app, or email us for a full ZIP export at no charge.
Security incidents at small companies are rare but not impossible. Here's the commitment.
If we discover an event that affects your workspace's data, you'll hear from us at the email address on file within 72 hours of confirmation. The notice will tell you what happened, what was involved, what we've done about it, and what (if anything) we'd like you to do. We will not bury the lead and we will not blame you for asking questions.
Primary application data and operations are in the United States. If your deal needs specific data-residency commitments in writing, talk to us.
Whether you found a bug worth fixing or your bank handed you a questionnaire that's due tomorrow — we want to hear from you.
If you've found a vulnerability in 321Draw, please email [email protected] with a reproduction path. We'll acknowledge within one business day, fix it promptly, and credit you publicly if you'd like.
Please don't run automated scanners against production tenants — let us know what you'd like to test and we'll spin up an isolated environment for you.
Need more detail than this page covers — a subprocessor list, a control-by-control walkthrough, or a filled-in questionnaire? Email [email protected] with what your reviewer needs and a target turnaround date. We respond to every legitimate compliance request.
