Enterprise-Grade Security for Your Financial Data

Your construction financial data deserves the highest level of protection. Project Metrics Hub implements defense-in-depth security across every layer of the platform.

Security at Every Layer

From password storage to data encryption to access control, every component of Project Metrics Hub is designed with security as a first-class requirement.

Bcrypt Password Hashing

All passwords are hashed using bcrypt, the industry-standard adaptive hashing algorithm. Legacy SHA-256 hashes are automatically upgraded on login.

Two-Factor Authentication

Full TOTP-based 2FA using authenticator apps like Google Authenticator or Authy. TOTP secrets are encrypted with Fernet before storage.

Role-Based Access Control

Granular RBAC with Admin, Manager, and custom roles. Assign specific permissions to control exactly who can access and modify data.

Fernet Encryption at Rest

Sensitive data like 2FA secrets are encrypted at rest using Fernet symmetric encryption (AES-128-CBC with HMAC-SHA256) before database storage.

Comprehensive Audit Logging

Every security-relevant action is logged with timestamps and severity levels — logins, password changes, role modifications, and permission updates.

Session Management

UUID-based session tokens with configurable expiry dates, IP address tracking, and automatic session invalidation for enhanced account security.

HTTPS / TLS Encryption

All data is encrypted in transit via HTTPS/TLS. Every API call, every page load, and every data sync is protected with modern transport layer security.

Input Validation

Server-side validation on all API endpoints prevents injection attacks, malformed data, and unauthorized parameter manipulation.

Industry-Standard Password Hashing with Bcrypt

Passwords are never stored in plain text. Project Metrics Hub uses bcrypt, the gold standard for password hashing, which applies a computationally expensive one-way hash function that makes brute-force attacks impractical. The system also handles automatic migration from legacy SHA-256 hashes — when a user logs in with an older hash, it's seamlessly upgraded to bcrypt without any user action.

  • Bcrypt adaptive hashing algorithm
  • Automatic legacy hash migration
  • Salted hashes prevent rainbow table attacks
  • Configurable work factor for future-proofing

TOTP-Based 2FA with Encrypted Secret Storage

Add an extra layer of protection to every account with Time-based One-Time Password (TOTP) authentication. Users can enable 2FA using any standards-compliant authenticator app — including Google Authenticator, Authy, and Microsoft Authenticator. TOTP secrets are encrypted with Fernet symmetric encryption before being stored in the database, ensuring they remain protected even in the event of a data breach.

  • TOTP standard (RFC 6238) compliant
  • Works with all major authenticator apps
  • Secrets encrypted with Fernet before storage
  • Users can enable/disable 2FA at any time
  • QR code setup for easy enrollment
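The following added example (not Project Metrics Hub's code) shows what an RFC 6238 verifier does with the secret an authenticator app holds: it generates a base32 enrollment secret and the `otpauth://` URI a setup QR code encodes, computes the six-digit code for a given time step, and accepts a submitted code only within a small drift window and never for a step already consumed. It uses only the Python standard library; the issuer name, the one-step window and the replay rule are assumptions.

```python
# Added example, not Project Metrics Hub's code: RFC 6238 TOTP using only the
# standard library. Issuer name, drift window and replay rule are assumptions.
import base64
import hashlib
import hmac
import secrets
import struct
from typing import Tuple
from urllib.parse import quote

TOTP_STEP = 30   # RFC 6238 default time step, in seconds
TOTP_DIGITS = 6  # what Google Authenticator / Authy display
ISSUER = "ProjectMetricsHub"  # assumed label


def new_secret() -> str:
    """160-bit random seed, base32-encoded the way authenticator apps expect."""
    return base64.b32encode(secrets.token_bytes(20)).decode("ascii")


def provisioning_uri(secret_b32: str, account: str) -> str:
    """The otpauth:// URI that an enrollment QR code encodes."""
    label = quote(f"{ISSUER}:{account}")
    return (f"otpauth://totp/{label}?secret={secret_b32}&issuer={quote(ISSUER)}"
            f"&algorithm=SHA1&digits={TOTP_DIGITS}&period={TOTP_STEP}")


def totp_code(secret_b32: str, unix_time: int) -> str:
    """HOTP(secret, floor(time / step)) with RFC 4226 dynamic truncation."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = unix_time // TOTP_STEP
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** TOTP_DIGITS)).zfill(TOTP_DIGITS)


def verify_totp(secret_b32: str, submitted: str, unix_time: int,
                last_used_counter: int, window: int = 1) -> Tuple[bool, int]:
    """Accept the current step and +/- `window` steps for clock drift, but never
    a step at or before the last one accepted, so a code cannot be replayed.
    Returns (accepted, counter_to_persist)."""
    current = unix_time // TOTP_STEP
    for delta in range(-window, window + 1):
        counter = current + delta
        if counter <= last_used_counter:
            continue
        expected = totp_code(secret_b32, counter * TOTP_STEP)
        if hmac.compare_digest(expected.encode("ascii"), submitted.encode("utf-8")):
            return True, counter
    return False, last_used_counter
```

The persisted `last_used_counter` is the part most often left out: without it a code observed during its 30-second window can be submitted a second time, and the drift window makes that window wider than one step.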

Granular Role-Based Access Control (RBAC)

Control exactly who can see and do what within the platform. Project Metrics Hub supports Admin, Manager, and custom roles — each with fine-grained permissions. Administrators can create, edit, and delete roles, assign specific permissions to each role, and manage user assignments. This ensures every team member only accesses the data and actions relevant to their responsibilities.

  • Pre-built Admin and Manager roles
  • Custom role creation with specific permissions
  • Granular permission assignment per role
  • User-to-role mapping
  • Permission changes logged in audit trail

Fernet Symmetric Encryption for Sensitive Data

All sensitive data stored in the database — including 2FA secrets — is encrypted using the Fernet symmetric encryption scheme from the Python cryptography library. Fernet uses AES-128-CBC for confidentiality and HMAC-SHA256 for authentication, providing both encryption and tamper-proofing. Data is encrypted before it reaches the database and decrypted only when needed by the application.

  • AES-128-CBC symmetric encryption
  • HMAC-SHA256 message authentication
  • Encrypt-then-MAC construction
  • Secrets encrypted at rest in the database
  • HTTPS/TLS for all data in transit
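Serving both this section and the TOTP section above (secrets encrypted before storage), here is an added example, not Project Metrics Hub's code, that encrypts a 2FA secret with Fernet, shows the token layout the encrypt-then-MAC construction produces, demonstrates that a single flipped bit anywhere in the token is rejected before any decryption happens, and re-encrypts a stored token under a new key. It assumes the `cryptography` package is installed; the sample secret is constructed.

```python
# Added example, not Project Metrics Hub's code. Assumes the `cryptography`
# package (pip install cryptography); the sample secret used with it is constructed.
import base64
from typing import Optional

from cryptography.fernet import Fernet, InvalidToken, MultiFernet


def generate_key() -> bytes:
    """32 random bytes, base64url-encoded: 16 for the signing key, 16 for AES."""
    return Fernet.generate_key()


def encrypt_secret(key: bytes, plaintext: bytes) -> bytes:
    """Fernet token = version(0x80) || timestamp || IV || AES-128-CBC(PKCS7)
    ciphertext || HMAC-SHA256 over everything before it (encrypt-then-MAC)."""
    return Fernet(key).encrypt(plaintext)


def decrypt_secret(key: bytes, token: bytes) -> Optional[bytes]:
    """The HMAC is verified first, then decryption runs. Any modification of the
    token, or the wrong key, fails the MAC and yields None."""
    try:
        return Fernet(key).decrypt(token)
    except InvalidToken:
        return None


def token_layout(token: bytes) -> dict:
    """Split a token into its fields so the structure can be inspected."""
    raw = base64.urlsafe_b64decode(token)
    return {
        "version": raw[0],
        "timestamp": int.from_bytes(raw[1:9], "big"),
        "iv": raw[9:25],
        "ciphertext_len": len(raw) - 25 - 32,
        "mac": raw[-32:],
    }


def tamper(token: bytes, index: int = 25) -> bytes:
    """Flip one bit of the raw token; index 25 is the first ciphertext byte,
    index 9 the first IV byte. Used only to demonstrate MAC rejection."""
    raw = bytearray(base64.urlsafe_b64decode(token))
    raw[index] ^= 0x01
    return base64.urlsafe_b64encode(bytes(raw))


def rotate_key(old_key: bytes, new_key: bytes, token: bytes) -> bytes:
    """Re-encrypt a stored token under a new key. MultiFernet decrypts with any
    listed key and always encrypts with the first, so old tokens keep working
    during the rollover and can be rewritten one by one."""
    return MultiFernet([Fernet(new_key), Fernet(old_key)]).rotate(token)
```

Because the MAC covers the version byte, timestamp and IV as well as the ciphertext, an attacker who can write to the database cannot usefully alter a stored secret; the worst outcome of a tampered row is a decryption failure that the application can log.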

Comprehensive Security Audit Logging

Every security-relevant action in the platform is recorded in a detailed audit log. From user logins and logouts to password changes, role modifications, and permission updates — nothing goes untracked. Each log entry includes a timestamp, the acting user, the action taken, the target resource, and a severity level, giving administrators full visibility into platform activity.

  • Login and logout tracking
  • Password change logging
  • User management action tracking
  • Role and permission change auditing
  • Severity levels and timestamps on all events
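The next block is an added example, not Project Metrics Hub's code, that covers both the RBAC section above and this audit-logging section: a small role/permission model with pre-built Admin and Manager roles, custom role creation, user-to-role mapping, and an audit trail that records every role and permission change (and every denied permission check) with a timestamp, the acting user, the target and a severity level. The permission names, role contents, severity values and the rule that makes Admin assignment "critical" are assumptions.

```python
# Added example, not Project Metrics Hub's code: role/permission model with an
# audit trail. Permission names, role contents and severity values are assumptions.
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Dict, List, Optional, Set


@dataclass(frozen=True)
class AuditEvent:
    timestamp: datetime
    actor: str
    action: str
    target: str
    severity: str  # "info" | "warning" | "critical"


class AccessControl:
    def __init__(self, clock: Optional[Callable[[], datetime]] = None):
        self.clock = clock or (lambda: datetime.now(timezone.utc))
        self.roles: Dict[str, Set[str]] = {  # pre-built roles (assumed contents)
            "Admin": {"projects.read", "projects.write", "users.manage", "roles.manage"},
            "Manager": {"projects.read", "projects.write"},
        }
        self.assignments: Dict[str, Set[str]] = {}  # user -> roles
        self.audit: List[AuditEvent] = []

    def _log(self, actor: str, action: str, target: str, severity: str = "info") -> None:
        self.audit.append(AuditEvent(self.clock(), actor, action, target, severity))

    def permissions_of(self, user: str) -> Set[str]:
        """Union of the permissions of every role the user holds."""
        roles = self.assignments.get(user, set())
        return set().union(*(self.roles.get(r, set()) for r in roles))

    def has_permission(self, user: str, perm: str) -> bool:
        return perm in self.permissions_of(user)

    def require(self, actor: str, perm: str) -> None:
        """Gate for every privileged operation; denials are logged as warnings."""
        if not self.has_permission(actor, perm):
            self._log(actor, "permission.denied", perm, "warning")
            raise PermissionError(f"{actor} lacks {perm}")

    def bootstrap_admin(self, user: str) -> None:
        """The first administrator is created by the system itself."""
        self.assignments.setdefault(user, set()).add("Admin")
        self._log("system", "role.assign", f"{user}->Admin", "critical")

    def create_role(self, actor: str, name: str, perms: Set[str]) -> None:
        self.require(actor, "roles.manage")
        self.roles[name] = set(perms)
        self._log(actor, "role.create", f"{name}:{','.join(sorted(perms))}")

    def delete_role(self, actor: str, name: str) -> None:
        self.require(actor, "roles.manage")
        del self.roles[name]
        for held in self.assignments.values():
            held.discard(name)
        self._log(actor, "role.delete", name, "warning")

    def assign_role(self, actor: str, user: str, role: str) -> None:
        self.require(actor, "users.manage")
        if role not in self.roles:
            raise KeyError(role)
        self.assignments.setdefault(user, set()).add(role)
        severity = "critical" if role == "Admin" else "info"
        self._log(actor, "role.assign", f"{user}->{role}", severity)
```

Routing every privileged call through `require` is what makes the audit trail complete: a denied attempt is as much a security-relevant event as a successful change, and it arrives in the same log with a higher severity.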

Secure Session Management

User sessions are managed with cryptographically generated UUID-based session tokens. Each session includes an expiry date and IP address tracking, providing protection against session hijacking. Sessions are automatically invalidated upon logout, password changes, or expiration — ensuring that stale or compromised sessions cannot be reused.

  • UUID-based session tokens
  • Configurable session expiry
  • IP address tracking per session
  • Automatic session invalidation
  • Secure cookie handling
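As an added example of the session model described above (not Project Metrics Hub's code), the store below issues UUID v4 tokens, records the client IP and an expiry per session, and invalidates sessions on logout, on password change (every session of the user) and on expiry. The time-to-live, the choice to revoke a session outright when its IP changes, and the injectable clock used for testing are assumptions; the standard library is all it needs.

```python
# Added example, not Project Metrics Hub's code. TTL and the "revoke on IP
# change" policy are assumptions; `now` is injectable so behaviour is testable.
import uuid
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional


def at(iso: str) -> datetime:
    """Parse a naive ISO timestamp as UTC (helper for fixed test times)."""
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)


@dataclass
class Session:
    token: str
    user_id: str
    ip: str
    created_at: datetime
    expires_at: datetime
    revoked: bool = False


class SessionStore:
    def __init__(self, ttl_hours: int = 8):
        self.ttl = timedelta(hours=ttl_hours)
        self._sessions: Dict[str, Session] = {}

    def create(self, user_id: str, ip: str, now: Optional[datetime] = None) -> str:
        now = now or datetime.now(timezone.utc)
        token = str(uuid.uuid4())  # 122 random bits from os.urandom; unguessable
        self._sessions[token] = Session(token, user_id, ip, now, now + self.ttl)
        return token

    def validate(self, token: str, ip: str,
                 now: Optional[datetime] = None) -> Optional[Session]:
        """Return the live session or None. Expiry and an IP change both revoke
        the session (assumed policy) so a stolen token cannot be reused elsewhere."""
        now = now or datetime.now(timezone.utc)
        s = self._sessions.get(token)
        if s is None or s.revoked:
            return None
        if now >= s.expires_at or s.ip != ip:
            s.revoked = True
            return None
        return s

    def invalidate(self, token: str) -> None:
        """Logout: the token is unusable from now on."""
        s = self._sessions.get(token)
        if s is not None:
            s.revoked = True

    def invalidate_user(self, user_id: str) -> int:
        """Password change: kill every live session of the user. Returns the count."""
        n = 0
        for s in self._sessions.values():
            if s.user_id == user_id and not s.revoked:
                s.revoked = True
                n += 1
        return n
```

Revoking on the server side is what distinguishes this from merely deleting a cookie: the cookie value can be copied, but once `revoked` is set the copy is worthless no matter who presents it.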

Built on Proven Cryptographic Standards

Project Metrics Hub uses widely trusted, battle-tested encryption algorithms and security protocols to protect your data.

AES-128-CBC

Advanced Encryption Standard with 128-bit keys in Cipher Block Chaining mode. Used by Fernet for encrypting sensitive data at rest.

Bcrypt

Adaptive password hashing function based on the Blowfish cipher. Its adjustable computational cost (work factor) lets it stay ahead of hardware advances.

HMAC-SHA256

Hash-based Message Authentication Code using SHA-256. Provides tamper detection and message integrity verification for all encrypted data.

TOTP (RFC 6238)

Time-based One-Time Password standard used for two-factor authentication. Generates secure, time-limited codes via authenticator apps.

TLS 1.2+

Transport Layer Security ensures all data in transit is encrypted. Every connection between your browser and our platform uses modern TLS.

UUID v4 Sessions

Cryptographically random UUID v4 tokens for session identifiers. Provides 122 bits of entropy, making session prediction infeasible.

Security FAQ

Answers to common questions about how we protect your data.

Your data is stored on secure, enterprise-grade cloud infrastructure hosted in the United States. All databases use encrypted storage volumes, and backups are encrypted and stored in geographically separate locations for disaster recovery. We do not store data on local devices or shared hosting environments.

Only users you explicitly authorize through the platform's role-based access control system can view your financial data. Project Metrics Hub engineering staff do not access customer data unless specifically requested by you for support purposes, and all such access is logged. We never share, sell, or provide your data to third parties.

In the unlikely event of a security incident, we follow a structured incident response process. Affected customers are notified within 72 hours of discovering a confirmed breach. Our response includes containment, investigation, remediation, and a post-incident report detailing what occurred, what data was affected, and what steps we've taken to prevent recurrence. Because sensitive data like passwords and 2FA secrets are hashed or encrypted at rest, exposure of raw credentials is prevented even in a breach scenario.

Yes. Administrators can enforce a 2FA requirement across the organization. When enabled, all users must set up TOTP-based two-factor authentication before they can access the platform. Users who have not yet enrolled will be prompted to complete setup on their next login. This ensures every account has an additional layer of protection beyond just a password.

All integrations use encrypted HTTPS connections. Procore and other OAuth-based integrations use the OAuth 2.0 authorization framework, which means your credentials are never shared with us directly. Access tokens are stored encrypted on our servers and are refreshed automatically. For accounting system integrations, connection credentials are encrypted at rest using Fernet encryption and are only decrypted in memory during active data sync operations.

Yes. We conduct regular internal security reviews and code audits. Our infrastructure is monitored continuously for vulnerabilities, and we apply security patches promptly. We also perform periodic penetration testing to identify and address potential weaknesses. Enterprise customers can request a copy of our most recent security assessment summary.

Ready to see security in action?

Experience the full power of Project Metrics Hub with enterprise-grade security. Try the live demo or contact our team to learn more.