Security

Your construction drawings contain proprietary design information. Callout is built from the ground up to protect them.

How your data flows
1
You upload a PDF drawing set in your browser.
2
The drawing is sent securely over HTTPS to Callout's servers for processing.
3
Callout forwards the drawing to Anthropic's AI for analysis. Your drawing data is never written to disk.
4
The AI returns structured findings, which are sent back to your browser.
5
Review results are saved to your encrypted database record. The drawing data is discarded. It is not stored anywhere.

Zero Drawing Retention

Your PDF drawing files are never stored on Callout servers.
Drawings are sent to the AI for analysis and discarded immediately after the review completes.
The entire process happens in memory. Nothing is written to disk.
Callout uses Anthropic's commercial API with a zero-retention policy. Anthropic does not store API inputs or outputs and does not use your data for model training.

Encryption

All data in transit is encrypted via TLS 1.2+ (HTTPS enforced on every connection).
All data at rest is encrypted using AES-256 in the database layer.
HSTS is enabled to enforce secure connections.
API keys and secrets are stored as environment variables and never committed to source control.

Infrastructure

Application hosted on a global edge network with automatic DDoS protection.
Database hosted in the United States with encryption at rest.
Database-level access policies enforce data isolation between accounts and organizations.
Rate limiting on all API endpoints to prevent abuse.
Security headers enforced on all responses to prevent clickjacking, MIME sniffing, and content injection.

Access Controls

Role-based access: Owner, Admin, Reviewer, and Viewer roles with enforced permission boundaries.
Passwords are hashed and never stored in plain text. Session tokens are short-lived.
Shared report links use cryptographically random tokens and provide read-only access only.
Organization-level data isolation: members of one org cannot access another org's reviews, standards, or credit pool.
Admin dashboard access is restricted to verified accounts on an internal allowlist.

Audit Trail

All significant actions within an organization are logged: reviews, credit purchases, member changes, role changes, and standards modifications.
Audit log is accessible to org owners and admins with filtering and pagination.
Each entry records the user, action, timestamp, and relevant details.
Audit data is stored in the database and protected by the same encryption and access controls as all other data.

Payments

All payments are processed by Stripe (PCI DSS Level 1 certified).
Callout never sees, stores, or has access to credit card numbers.
Payment events are cryptographically verified and deduplicated.

Application Security

All user-supplied text is sanitized before AI processing.
Input validation on all API endpoints.
CORS restricted to callout.app only.
No third-party analytics, advertising cookies, or tracking pixels.
Dependencies are regularly updated. Production errors are monitored in real time.

Compliance and Policies

Terms of Service and Privacy Policy are published and accessible from every page.
Callout explicitly disclaims that AI output is not engineering advice and must be verified by a licensed PE.
Users retain full ownership of uploaded drawings. Callout's processing license is limited to performing the requested review.
Anthropic's data usage policy confirms zero retention for commercial API usage.
Custom enterprise agreements are available upon request.

Enterprise Readiness

SSO/SAML: Available on Enterprise plans. Contact us for setup.
Data residency: All application data is processed and stored in the United States.
Uptime target: 99.9% availability for the Callout application and API.
We respond to standard security questionnaires (CAIQ, SIG, VSA). Contact hello@callout.app to request.
Dedicated onboarding and custom credit volume available for teams of 5+.

Third-Party Services

Callout integrates with the following services. Each maintains its own security certifications and compliance programs.

Anthropic
AI analysis
Zero-retention commercial API
Security docs →
Stripe
Payment processing
PCI DSS Level 1
Security docs →

Hosting, database, monitoring, and other infrastructure services are provided by SOC 2 Type II certified vendors. A complete subprocessor list is available upon request for enterprise procurement.

Enterprise inquiries and security questions

Need SSO setup, a security questionnaire response, a custom agreement, or team onboarding? Contact us directly.

hello@callout.app

For security vulnerability reports, use the same address with "Security" in the subject line.