P2A Sync
Security

Security designed for finance teams. Honest about the gaps.

Procore2Acumatica handles real Procore + Acumatica financial data. Below is exactly how we authenticate, store, isolate, and audit that data — and what we don't have in place yet.

OAuth-based access

No service accounts and no shared API keys. Tokens are scoped to the Procore and Acumatica accounts you authorize, and revoking them in either system instantly cuts our access.

Token storage

Refresh tokens are stored in a per-org row in our managed Postgres database, encrypted at rest, rotated automatically, and never written to logs. If a refresh fails, /connections surfaces a one-click Reconnect.

Tenant isolation

Per-tenant connection records and connection-scoped entity links are protected by Postgres row-level security policies on every operational table. One tenant cannot read another tenant's data, even with a leaked session token.

Audit logs

Every sync produces a structured audit record capturing entity, direction, idempotency key, and any error detail. Operators see the full history in /activity; replays are keyed on the idempotency key, so retries never double-write.

AI mapping trace

Every LLM-drafted mapping rule records its AI confidence score, creation timestamp, and the operator who approved it. Conversation traces stay inside the MIX2MAX, LLC operations boundary and are never shared across tenants.

Data retention

Chat history is browser-local — we don't persist your AI conversations server-side. Sync jobs and entity links are retained for the duration of your subscription plus 30 days after cancellation, then hard-deleted on a scheduled job.

Payments offloaded

Card data, invoices, and tax handling are processed by an external PCI-compliant payment platform. We never see, touch, or store raw card data — PCI scope stays with the payment processor.

Webhook signing

Inbound webhooks from Procore and Acumatica are cryptographically verified before our API processes them — HMAC for one provider, per-tenant signed tokens for the other, Svix-compatible signatures for billing events.
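As an added illustration of the Svix-compatible check described above (example code, not P2A Sync's own implementation): it follows the publicly documented Svix signing scheme, assuming `svix-id`, `svix-timestamp` and `svix-signature` headers, a `whsec_`-prefixed base64 secret, HMAC-SHA256 over `id.timestamp.body`, a five-minute timestamp tolerance against replays, and a constant-time comparison. The sample secret and payload below are constructed for the example.

```python
import base64
import hashlib
import hmac
import time
from typing import Dict, Optional

TOLERANCE_SECONDS = 300  # reject deliveries whose timestamp is more than 5 min off

# Constructed sample secret (Svix-style: "whsec_" + base64 of the raw HMAC key).
SAMPLE_SECRET = "whsec_" + base64.b64encode(b"0123456789abcdef0123456789abcdef").decode()


def _expected_mac(secret: str, msg_id: str, timestamp: str, body: bytes) -> bytes:
    """HMAC-SHA256 over '<id>.<timestamp>.<raw body>' with the decoded secret."""
    raw_key = base64.b64decode(secret.removeprefix("whsec_"))
    signed_content = f"{msg_id}.{timestamp}.".encode() + body
    return hmac.new(raw_key, signed_content, hashlib.sha256).digest()


def make_signature_header(secret: str, msg_id: str, timestamp: int, body: bytes) -> str:
    """Sender side: build the 'v1,<base64 mac>' header value (used here to test)."""
    return "v1," + base64.b64encode(_expected_mac(secret, msg_id, str(timestamp), body)).decode()


def verify_webhook(secret: str, headers: Dict[str, str], body: bytes,
                   now: Optional[float] = None) -> bool:
    """Return True only if the raw body carries a fresh, valid v1 signature.

    Verification runs on the raw request bytes before any JSON parsing, so a
    tampered or replayed delivery is rejected before it can reach business logic.
    """
    try:
        msg_id = headers["svix-id"]
        ts_header = headers["svix-timestamp"]
        sig_header = headers["svix-signature"]
        ts = int(ts_header)
    except (KeyError, ValueError):
        return False  # missing or malformed headers: fail closed
    now = time.time() if now is None else now
    if abs(now - ts) > TOLERANCE_SECONDS:
        return False  # stale or far-future timestamp: treat as replay
    expected = _expected_mac(secret, msg_id, ts_header, body)
    # The header may carry several space-separated signatures (key rotation);
    # accept if any v1 entry matches, using a constant-time comparison.
    for entry in sig_header.split():
        version, _, sig_b64 = entry.partition(",")
        if version != "v1":
            continue
        try:
            candidate = base64.b64decode(sig_b64)
        except ValueError:
            continue
        if hmac.compare_digest(candidate, expected):
            return True
    return False
```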

What we don't have yet

We're not SOC 2 certified yet.

We're a young commercial product. SOC 2 Type 1 is on the 12-month roadmap; Type 2 follows after the observation window. We're happy to walk prospective Enterprise customers through our security roadmap, sub-processor list, and DPA terms — and to scope contractual security commitments around current controls.

Sub-processor list: the full sub-processor registry — covering managed Postgres, compute, authentication, payments, webhook ingress, queueing, LLM, observability, and transactional email — is shared under NDA with prospective customers as part of the security review process.

See also our Privacy Policy and Terms of Service.