Security & Compliance
Built for teams who need their compliance data to be airtight.
ProveSite is built for construction teams whose customers include government bodies, public infrastructure owners, and insurers. Security and data residency are not optional.
Canadian data residency
All data hosted in ca-central-1. Never leaves Canada.
Immutable audit records
Records cannot be edited or deleted after creation.
Designed with PIPEDA/CPPA principles in mind
Built to meet Canadian privacy law requirements.
Data residency
Hosted in Canada. Always.
All ProveSite data is hosted on Supabase in ca-central-1 (Canada Central). This is non-negotiable — required by the government and infrastructure project customers we serve.
Your data never leaves Canada. Worker records, certification photos, site plans, induction videos, audit logs, and all incident reports are stored exclusively on Canadian infrastructure.
ca-central-1
Canada Central region
Audit Log
Certification approved
J. Torres (GC Admin)
WHMIS 2015 — M. Chen
09:14 AM
Worker checked in
System (QR scan)
Riverside Tower — COMPLIANT
07:52 AM
Entry denied
S. Park (Site Manager)
First Aid cert expired
07:41 AM
Induction completed
R. Patel (Worker)
Riverside Tower v3 — 90%
07:38 AM
Certification rejected
J. Torres (GC Admin)
Fall Arrest — image unreadable
Yesterday
🔒 Immutable — records cannot be edited or deleted
Audit trail
An immutable record of every decision.
Records cannot be edited, deleted, or altered. Every cert approval, check-in, and entry decision is permanently recorded with a timestamp, actor identity, and before/after snapshot.
When a WSIB auditor asks who was on site on a specific date and what certifications they held at the time — the answer is already there, signed and locked.
Authentication security
No passwords to steal. Sessions you can revoke.
Every login method is designed to eliminate the most common attack vectors.
6-digit email OTP for admins
No password to steal or phish. Admins log in with a time-limited code sent to their email.
2FA (TOTP) for dashboard users
Optional TOTP for GC Admins, Site Managers, and Subcontractor Admins using any authenticator app.
PIN login for workers
bcrypt-hashed 4–6 digit PIN. Workers get 90-day sessions to minimise SMS volume on job sites.
JWT token versioning
Instant session revocation. Increment a version counter to invalidate all active sessions for any user.
Complete tenant isolation
No cross-organisation data access. Separate JWT types for admin staff and customers — each rejects the other.
Service role proxying
Workers never get direct storage access. Cert and worker photo uploads go through the API using a service role key.
Access control
Four customer roles. Three internal roles. No overlap.
Every API route is role-gated. Subcontractors only see their own workers. Workers only see their own records. Admins are completely isolated from customer data.
Customer roles:
GC Admin
Full platform access — all sites, all workers, billing
Site Manager
Assigned sites only — dashboard, certs, inductions
Subcontractor Admin
Own workers only — compliance, certs, sites they're assigned to
Worker
Own profile, certs, and check-in history only
Encryption & infrastructure:
TLS in transit
All traffic encrypted end-to-end
Encrypted at rest
Supabase Postgres + Storage at rest encryption
Separate storage buckets
Cert photos, worker photos, induction videos, site plans — isolated per type
No direct storage access for workers
All uploads proxied through API with service role key
Admin portal isolation
Separate JWT, separate routes, separate auth flow — no cross-contamination with customer data
Completing a security questionnaire?
Email us at security@provesite.com — we'll respond within one business day.
Questions about security or compliance?
Our team can walk you through the technical controls and data handling in detail.