Security at PermitPortal

PermitPortal handles project, parcel, and jurisdiction data that development teams rely on to make decisions. We protect that data with layered administrative, technical, and organizational controls, and we maintain a documented set of security policies covering access control, cryptography, data management, operations, secure development, incident response, business continuity, vendor management, and human resources security.

Data is encrypted in transit using TLS for all connections between your browser, our application, and our infrastructure providers. Data is encrypted at rest using industry-standard AES-256 encryption provided by our managed cloud platforms.

Access to the application requires authentication, and we support single sign-on (SSO) via Google OAuth as well as email and password sign-in. Enterprise SSO over SAML or OIDC is available for qualifying customers. We enforce least-privilege access internally, keep privileged credentials server-side, and review administrative access periodically. Customer data is logically segregated by authenticated user, workspace, and project scope.

The Service runs on established cloud providers, including Supabase, Vercel, and Amazon Web Services. Backend infrastructure and privileged operations are not exposed to the public internet, and application secrets are managed as server-side environment configuration rather than in client code.

We capture security-relevant logs across our providers and application, including authentication events and access to protected resources. We use continuous monitoring of our security posture and configuration, and we track security controls through automated compliance tooling.

We perform dependency and code scanning as part of our development process and commission independent third-party penetration testing of the application. Findings are triaged by severity and remediated on a prioritized basis, with critical and high-severity issues addressed first.

We maintain a documented incident response plan that defines how incidents are detected, triaged, escalated, and resolved, including root cause analysis for significant incidents and breach-notification procedures. The plan is reviewed and exercised periodically. If an incident affects your data, we will notify affected customers in accordance with our agreements and applicable law.

Core application data is hosted on managed services with backup and recovery capabilities, and infrastructure and code changes are version-controlled. We maintain a business continuity and disaster recovery plan with recovery objectives appropriate to the Service.

We evaluate the security and privacy practices of the sub-processors that support the Service and bind them to contractual confidentiality and security obligations. The categories of sub-processors we use are described in our Privacy Policy, and a current list is available to customers on request.

PermitPortal is pursuing SOC 2 and continuously tracks its security controls through automated compliance monitoring. Customers with specific compliance requirements can contact us to discuss current status and available documentation.

We welcome reports from security researchers. If you believe you have found a security vulnerability, please email founders@permitportalapp.com with enough detail to reproduce the issue. Please give us a reasonable opportunity to investigate and remediate before public disclosure, and do not access or modify data that is not yours, degrade the Service, or run automated scans that disrupt availability. We will not pursue legal action against researchers who act in good faith and follow this policy. Our machine-readable contact details are published at /.well-known/security.txt.

For security questions, documentation requests, or to report an issue, contact founders@permitportalapp.com.