Data handling
You retain ownership of every schedule, project, and analysis you upload. We process this data only to deliver the service to you — we do not sell it, share it with third parties for marketing, or use it to train external AI models.
Customer data is logically isolated by user account. Engine analyses, uploaded files, and saved projects are linked to your authenticated user ID and not visible to other tenants.
You can request export or deletion of your data at any time by emailing founder@capitalproject.ai. We honor verified deletion requests within 30 days.
Encryption
- In transit: All traffic to capitalproject.ai and our API uses TLS 1.2 or higher. HSTS is enabled with a two-year max-age and includeSubDomains.
- At rest: The production PostgreSQL database is encrypted at rest by our hosting provider. Backups are stored in encrypted object storage.
- Secrets: API keys, database credentials, and bootstrap tokens are stored as platform-managed environment variables, never in source code.
Authentication & access
- Passwords are hashed with PBKDF2-SHA256 (server-side); plaintext passwords are never stored or logged.
- Sessions use HttpOnly, SameSite cookies; tokens never touch localStorage.
- Founder and admin endpoints require an authenticated session and a founder-tier license. Bootstrap endpoints fail closed when the bootstrap secret is not configured.
- Internal access to production data is limited to the founding team and is logged.
Infrastructure
Capital Project AI runs on managed cloud infrastructure (Railway for the Python API and PostgreSQL; Vercel for the static landing page). The application enforces standard security headers on every response, including:
- Strict-Transport-Security (HSTS, 2-year max-age)
- X-Content-Type-Options: nosniff
- X-Frame-Options: SAMEORIGIN
- Referrer-Policy: strict-origin-when-cross-origin
- Permissions-Policy denying camera, microphone, and geolocation
- A scoped Content-Security-Policy
Cross-origin resource sharing is restricted to an explicit allowlist of our own domains.
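A reviewer can check a captured response against the header list above with a short script. This is an added example, not Capital Project AI's own code; the function names, the sample header values (including the CSP string), and the findings wording are assumptions made for illustration.

```python
TWO_YEARS = 2 * 365 * 24 * 3600  # 63072000 seconds, the max-age the page states

def parse_directives(value, sep):
    """Split a header value into {lowercased-name: argument} pairs."""
    out = {}
    for part in filter(None, (p.strip() for p in value.split(sep))):
        name, _, arg = part.partition("=")
        out[name.strip().lower()] = arg.strip().strip('"')
    return out

def audit_headers(headers):
    """Return findings; an empty list means every stated header checks out."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    hsts = parse_directives(h.get("strict-transport-security", ""), ";")
    max_age = hsts.get("max-age", "")
    if not max_age.isdecimal() or int(max_age) < TWO_YEARS:
        findings.append("HSTS max-age missing or under two years")
    if "includesubdomains" not in hsts:
        findings.append("HSTS lacks includeSubDomains")
    expected = {
        "x-content-type-options": "nosniff",
        "x-frame-options": "sameorigin",
        "referrer-policy": "strict-origin-when-cross-origin",
    }
    for name, want in expected.items():
        if h.get(name, "").lower() != want:
            findings.append(f"{name} is not {want}")
    # Permissions-Policy denies a feature with an empty allowlist: camera=()
    pp = parse_directives(h.get("permissions-policy", ""), ",")
    for feature in ("camera", "microphone", "geolocation"):
        if pp.get(feature) != "()":
            findings.append(f"Permissions-Policy does not deny {feature}")
    # The page only says the CSP is "scoped", so check presence, not content.
    if not h.get("content-security-policy"):
        findings.append("Content-Security-Policy missing")
    return findings

# Constructed sample responses, not captured from the real service.
GOOD = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
    "Content-Security-Policy": "default-src 'self'",
}
WEAK = {**GOOD, "Strict-Transport-Security": "max-age=31536000",
        "Permissions-Policy": "camera=(), microphone=(self)"}
```

Calling `audit_headers` on the header dictionary of any response returns the list of deviations, so it can run as a regression check after each deployment.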
Availability & backup
The production database is backed up via a privileged ZIP backup endpoint that requires either founder authentication or a separately managed X-Backup-Key header. Backups can be retrieved on demand and are intended to support disaster recovery.
We do not yet publish a status page; if you need uptime details for procurement, please email us.
Incident response
If we discover an incident that affects your data, we will notify the affected account owner by email within 72 hours of confirming the impact. Our response process covers detection, containment, eradication, recovery, and post-incident review.
Compliance roadmap
Capital Project AI is an early-stage company. We are building toward SOC 2 Type 1 readiness in 2026 and Type 2 in 2027. We can share our security questionnaire responses on request and will sign mutual NDAs for evaluation.