Security at RoofGenius

Last updated: April 2026

RoofGenius is built for contractors who handle sensitive claim, policy, and homeowner data every day. Security isn't a checkbox for us — it's how the platform is engineered, operated, and audited.

Compliance & certifications

  • SOC 2 Type II — independently audited controls covering security, availability, and confidentiality.
  • GDPR & CCPA aligned — data subject rights, deletion on request, regional processing controls.
  • PCI-DSS — all payments are processed by Stripe; we never store raw card numbers.

Data encryption

  • In transit: TLS 1.2+ on every connection. HSTS enforced on all public endpoints.
  • At rest: AES-256 encryption on databases, object storage, and backups.
  • Document storage: uploaded estimates, measurements, and policies are stored in isolated, encrypted buckets with per-tenant access scoping.

Access controls

  • Role-based access control (RBAC) with least-privilege defaults.
  • Mandatory SSO and MFA for all employee access to production systems.
  • Production access is logged, time-bound, and reviewed quarterly.

Infrastructure

  • Hosted on enterprise-grade cloud infrastructure with isolated VPCs and private networking.
  • Automated backups with point-in-time recovery and tested restore procedures.
  • DDoS protection and edge WAF on every public endpoint.
  • 99.9% target uptime with multi-region failover for core services.

Application security

  • Continuous static analysis (SAST) and dependency scanning on every commit.
  • Annual third-party penetration tests; results available to enterprise customers under NDA.
  • Bug bounty channel — responsible disclosures honored and rewarded.

AI & data handling

Documents you upload are processed only to generate your audit reports, supplement letters, and estimates. We do not train foundation models on customer data. Sub-processors used for AI inference are bound by data processing agreements and zero-retention policies where available.

Incident response

  • 24/7 on-call rotation for security incidents.
  • Documented incident response playbook with defined severity levels.
  • Customer notification within the timelines required by applicable law (typically 72 hours for material incidents).

Reporting a vulnerability

Found something? We want to hear from you. Email support@roofgeniusai.com with "Security" in the subject line. Please include reproduction steps and any relevant evidence. We'll acknowledge within one business day.

Contact

Need a SOC 2 report, DPA, or security questionnaire? support@roofgeniusai.com · (732) 484-4848 ext. 101