Security & Privacy
SiteHut is built for construction teams handling commercially sensitive jobs. Security combines technical controls, role-based access, and clear policies on sitehut.app.
Technical measures
- Encryption in transit — application traffic uses HTTPS (TLS).
- Authentication — password login with session tokens; optional API keys for integrations.
- Backups — production data is backed up on a scheduled basis (operational detail may vary by environment).
- Separation — workspace data is scoped by workspace identity on API requests (
X-Workspace-Id/ slug headers).
Access control
- Workspace roles — Owner, Admin, Editor, Viewer, plus custom RBAC roles. See Roles & permissions.
- Job team — narrower roles on a single project (viewer, editor, client contact, and others).
- Permissions — module-level scopes (quotes, expenses, integrations, and so on) gate menus and API access.
Your responsibilities
- Use strong passwords and sign out on shared tablets on site.
- Review active sessions in Account settings.
- Rotate API keys if a secret is exposed—see Integrations.
- Report suspected vulnerabilities via sitehut.app/security-disclosure.
Privacy and legal
- Full policy: Privacy policy (also linked from Legal).
- Subprocessors and DPA: published on sitehut.app where applicable.