Security
Construction data is sensitive. Treat it that way.
Drawings. Financials. Safety incidents. Subcontractor agreements. Pay applications. SwiftCrane sits in the middle of all of it. The bar for security has to match.
Transport & storage
- TLS 1.3 by default for all API and webhook traffic. HSTS preload, no insecure ciphers.
- At-rest encryption on Postgres for documents, drawings, financials, and audit logs.
- BYOK for document storage on Enterprise — bring your own KMS / customer-managed keys.
- FIPS 140-3 validated cryptography on the Enterprise / public-sector build.
Identity & access
- SSO via SAML and OIDC. SCIM provisioning on Growth and above.
- RBAC with project-, company-, and role-based scoping. Default roles: super_admin, admin, PM, PE, super, foreman, sub, owner, viewer.
- API keys are scoped, rotatable, and recorded in the audit log on every issue / revoke.
- Subcontractor portal access is contractually scoped — subs see only the projects they're on.
Auditability
- Every administrative action — config change, schedule edit, RFI status change, change-order approval — is recorded with actor, timestamp, before/after diff.
- Document version history with immutable per-version hashes.
- Hash-chained audit log on Enterprise — tamper-evident, exportable for legal / compliance.
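What "tamper-evident" means for a hash-chained log, as an added example that is not SwiftCrane's code or export format. The record fields follow the list above; the JSON layout, the all-zero genesis value, the sample records and the function names are assumptions.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed anchor value for the first entry


def entry_hash(prev_hash, record):
    # Canonical JSON: the same record always serialises to the same bytes.
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()


def append(log, record):
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"prev": prev, "record": record, "hash": entry_hash(prev, record)})


def verify(log, expected_head=None):
    """Return None if intact, else the index of the first inconsistent entry.

    len(log) is returned when the chain is internally consistent but its
    final hash differs from a head hash stored outside the log.
    """
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != prev or entry["hash"] != entry_hash(prev, entry["record"]):
            return i
        prev = entry["hash"]
    if expected_head is not None and prev != expected_head:
        return len(log)
    return None


def sample_log():
    # Constructed sample records, not real product output.
    log = []
    for actor, ts, action, before, after in [
        ("pm@example.com", "2024-05-01T09:00:00Z", "rfi.status", "open", "answered"),
        ("admin@example.com", "2024-05-01T09:05:00Z", "change_order.approve", "pending", "approved"),
        ("admin@example.com", "2024-05-01T09:10:00Z", "config.change", "sso=off", "sso=on"),
    ]:
        append(log, {"actor": actor, "timestamp": ts, "action": action,
                     "before": before, "after": after})
    return log


if __name__ == "__main__":
    log = sample_log()
    print("intact:", verify(log, log[-1]["hash"]))
    log[1]["record"]["after"] = "rejected"  # in-place edit of one entry
    print("first bad entry:", verify(log))
```

An internally consistent chain only shows that the entries agree with each other. Truncation of the tail, or a rewrite of every hash from the edited entry onward, is caught only by comparing against a head hash kept somewhere the log's writer cannot change.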
Build & supply chain
- Reproducible builds. SBOM published per release.
- Container images and binaries signed with Cosign.
- Pinned dependencies, automated CVE scans, automated OSS license auditing.
- SLSA Level 3 build provenance on the roadmap.
Hosting
- SwiftCrane Cloud: EU (Frankfurt) and US (Virginia) regions on tier-1 providers. SOC 2 Type II in progress.
- GovCloud (US): FedRAMP authorization in progress.
- Self-hosted: single Go binary. Air-gapped install supported on Enterprise. Same product, same release cadence as cloud.
Responsible disclosure
Found a security issue? Email security@swiftcrane.com. We respond within one business day, triage within three, and credit researchers in the changelog (with permission).
Our security.txt has the latest contacts and PGP key.