“Secure” estimating software provides independent SOC 2 Type 2 assurance, encrypted backups, redundant data centers, and transparent uptime reporting. Look for SSO, role‑based access, audit logs, and tested incident response. Use the definitions and evaluation rubric below to compare vendors objectively and reduce risk—without slowing your preconstruction team.
Non‑Negotiables
- SOC 2 Type 2 report (current period).
- Encrypted backups and redundant data centers.
- Public status/uptime with incident history.
- SSO, RBAC, audit logs.
Security Features & Definitions
| Feature | Why it matters | What “good” looks like | Evidence to request |
|---|---|---|---|
| SOC 2 Type 2 | Third‑party assurance over controls | Auditor name + period | Current report, full scope |
| Encryption & Backups | Protect data at rest/in transit | Documented key mgmt & rotation | Policy + architecture |
| Redundancy & DR | Availability during failures | Geo‑redundant DCs, tested DR plans | DR test summary |
| SSO & RBAC | Control access at scale | SSO options; fine‑grained roles | Admin screenshots |
| Audit Logs | Forensics & compliance | Immutable logs; exportable | Log samples |
| Uptime Transparency | Trust & accountability | Public status site and history | URL + SLA |
Evaluation Rubric (Weighting)
Weight the categories as follows: Compliance (30%), Data Protection (25%), Availability (20%), Identity & Access (15%), Observability (10%). Score each vendor 1–5 per category; require a remediation plan for any category scored below 4.
RFP Questions
- Provide latest SOC 2 Type 2 report and scope.
- Describe backup cadence, retention, and encryption methods.
- Detail DC redundancy and RTO/RPO targets.
- Explain SSO options, roles, and audit log retention.
Why STACK?
STACK is committed to delivering a system with industry-leading security, availability, and reliability. Our infrastructure and operational best practices safeguard your data.
STACK is here to help you build. Come see what we can do for your business today!






