SWAPP.AI Trust and Security
Last updated: 2026-05-03
SWAPP.AI helps architecture teams produce BIM documentation.
This page summarizes our security posture for customer security teams, procurement teams, and third-party risk management reviews. Detailed artifacts are available to customers and active prospects on request.
For security review requests, contact security@swapp.ai.
At a Glance
| Area | SWAPP.AI posture |
|---|---|
| Security program | ISO/IEC 27001:2022 certified Information Security Management System |
| Certificate | Certificate No. 1125599, valid through 2027-12-08 |
| Cloud infrastructure | Google Cloud Platform, United States |
| Primary data type | BIM model data, project metadata, and authentication identifiers |
| Data residency | Customer Data processing is geolocated in the United States |
| Native Customer BIM model files | Not transmitted to third-party LLM providers |
| AI training | SWAPP.AI does not use Customer Data to train, fine-tune, or improve general models |
| MFA / SSO | Multi-factor authentication via Descope; SAML and OpenID Connect SSO |
| Security contact | security@swapp.ai |
Compliance
SWAPP.AI’s Information Security Management System is certified to ISO/IEC 27001:2022.
Certificate Number: 1125599.
Certificate validity: through 2027-12-08.
The certification covers BuildOS Ltd. and SWAPP.IO Inc.
A copy of the certificate and supporting security documentation are available to customers and active prospects on request.
Data Handling
As between SWAPP.AI and the Customer, Customer-provided drawings, BIM models, files, and project data remain the Customer’s property. SWAPP.AI retains ownership of its platform, software, algorithms, workflows, templates, and underlying intellectual property. Rights in generated outputs are governed by the applicable customer agreement.
Customer Data is used exclusively to provide the SWAPP.AI services requested by the Customer.
Customer Data primarily consists of BIM model data, project metadata, generated documentation outputs, and user authentication identifiers.
SWAPP.AI does not require server-side installation in the Customer’s environment or direct access to the Customer’s internal network.
Customer Data processing for the SWAPP.AI service is geolocated in the United States. Any additional transfer terms are handled through the applicable customer agreement where required.
Native Customer BIM model files are not transmitted to third-party LLM providers. In limited cases, structured task-specific metadata derived from Customer models may be processed solely to generate requested outputs.
Customer environments and derived data are logically segregated under SWAPP.AI’s ISO/IEC 27001:2022-certified information security management processes. Customer Data is not mixed across customers.
SWAPP.AI generally deletes temporary Customer metadata from production systems within 30 days following termination, unless otherwise required by contract, legal obligations, or backup retention policies. Customer files remain under the Customer’s control in Autodesk Construction Cloud.
Infrastructure and Access
SWAPP.AI runs on Google Cloud Platform in the United States.
Data is encrypted in transit using TLS 1.2 or higher.
Data is encrypted at rest using industry-standard encryption controls.
User authentication is managed through Descope and supports multi-factor authentication, SAML, and OpenID Connect enterprise SSO.
Production access is restricted to authorized personnel and governed through SWAPP.AI’s ISO 27001 information security management processes.
AI and LLM Usage
SWAPP.AI uses enterprise AI APIs for AI-assisted BIM documentation workflows.
Native Customer BIM model files are not transmitted to third-party LLM providers.
Structured task-specific metadata derived from Customer models may be processed only as needed to generate the outputs requested by the Customer.
SWAPP.AI does not use Customer Data to train, fine-tune, or improve general models. SWAPP.AI uses enterprise AI API offerings under terms that restrict provider use of Customer Data for model training.
Provider-side retention, if any, is limited to operational security and abuse monitoring under the applicable enterprise provider terms.
AI outputs are reviewed within the customer’s normal professional workflow. SWAPP.AI does not make automated decisions that produce legal or similarly significant effects on individuals.
Customers remain responsible for reviewing and approving architectural outputs before use in production, permitting, construction, or regulatory submissions.
Subprocessors
The following subprocessors may process Customer Data for the SWAPP.AI service.
| Subprocessor | Purpose | Processing location |
|---|---|---|
| Google LLC — Google Cloud Platform | Cloud infrastructure: compute, storage, networking | United States |
| Descope Inc. | Authentication and identity management | United States |
| Anthropic, PBC | Large language model inference | United States |
| OpenAI, L.L.C. | Large language model inference | United States |
| Google LLC — Vertex AI / Gemini | Large language model inference | United States |
Customers may request notice of material subprocessor changes where required under applicable agreements.
Security Review
SWAPP.AI maintains vulnerability management, patch management, access review, security testing, and incident response processes under its ISO 27001 program.
Customer notification of confirmed security incidents affecting Customer Data is handled under the applicable customer agreement and applicable law.
Customers and active prospects may contact security@swapp.ai for additional security review materials, including certificate copies, independent assessment summaries, detailed subprocessor and AI/LLM disclosures, and standard security questionnaire responses where applicable.
Vulnerability Disclosure
Report suspected security vulnerabilities to security@swapp.ai.
Reports should include the affected system, reproduction steps, potential impact, and supporting evidence.
SWAPP.AI aims to acknowledge valid security reports within five business days.
Privacy
Privacy Policy: https://swapp.ai/privacy-policy/
Data protection requests: security@swapp.ai unless a dedicated privacy contact is listed in the applicable agreement.
This page is provided for informational purposes and does not modify or supersede the applicable agreement between SWAPP.AI and the Customer.