Trust

Security

Last updated: May 25, 2026

WIP Ready handles project financial data your finance team uses to satisfy bonding and lender requirements. The information below describes how we protect that data and how to report a security concern.

Authentication

Sign-in is delegated to Procore via OAuth 2.0. We never see your Procore password. Access to a Procore company’s data inside WIP Ready is gated by the user’s Procore permissions; we only request the OAuth scopes the Service actually needs to read project financials and write nothing back beyond what Customer explicitly authorizes.

Encryption

  • In transit. All traffic to and from the Service is encrypted with TLS 1.2 or higher. HTTP is redirected to HTTPS.
  • At rest. The production database and backups are encrypted at rest. Procore OAuth tokens are stored encrypted using application-level encryption with keys held outside the database.

Tenant isolation

Every record is scoped to the Procore company that owns it. All controllers enforce that the authenticated Procore user belongs to that company before reading or writing data. Project-manager submission links are signed, single-use, and expire after the WIP cycle they belong to.

Infrastructure

The Service runs on a small number of reputable cloud providers in regions we publish on request. Production access is restricted to a short list of operators using SSO and hardware-backed multi-factor authentication. Deployments are automated and code-reviewed; production secrets are never committed to source control.

Application security

  • The application is written in Rails 8 with Strong Parameters, CSRF protection, and Content Security Policy enabled.
  • Static analysis (Brakeman) runs on every change.
  • Dependencies are tracked and patched on a regular cadence.
  • Background jobs and webhooks from Procore are authenticated and signature-verified.

Backups & availability

The production database is backed up on a regular schedule with retention sufficient to recover from corruption or accidental deletion. Restores are exercised periodically. The Service has no published SLA at this time; see your order form, if any, for commitments specific to your account.

Logging & monitoring

We collect application and access logs to detect, investigate, and recover from security incidents. Logs are retained for a limited period and access is restricted to operators with a legitimate need.

Reporting a vulnerability

If you believe you have found a security issue in WIP Ready, please report it to support@wipready.com. Please give us reasonable time to investigate and remediate before any public disclosure. We will not pursue legal action against researchers who act in good faith and respect this process.

Contact

For non-urgent security questions and customer due-diligence: support@wipready.com.