Built for regulated work, and built to keep your data safe
Your dossier is legally load-bearing and has to last for years. Here is exactly how the platform protects it, in plain language, with nothing dressed up.
Hosted on EU infrastructure. Your data stays in the EU and never leaves it.
Security built into every layer
Each of these is live in the platform today, not a promise for later.
Your data in its own vault
Every organisation gets its own separate database schema. Your data is physically separated from every other customer, not just filtered by a query, and a database role without extra privileges enforces it.
Encrypted in transit and at rest
Traffic is protected with TLS, and stored files and data are encrypted at rest on EU infrastructure.
Hardened sign-in
Sessions use short-lived tokens that rotate on every refresh, with automatic detection of stolen tokens. Repeated failed logins lock the account with an increasing wait, and signing out revokes access straight away.
Least-privilege access
The app runs as a restricted database role, file storage is scoped per organisation so no request can reach another customer's files, and row-level security guards the shared tables.
Every action logged
Security-relevant actions are written to an audit trail, and a single request id ties together the logs, the audit record and error monitoring so anything can be traced end to end.
A hardened platform
Strict content-security and transport headers, rate limiting on sensitive endpoints, and a start-up check that refuses to boot with insecure settings keep the platform locked down by default.
In line with EU and Dutch rules
We are a processor of your data, and we treat it that way.
EU data residency
All data is hosted within the EU and never leaves it.
GDPR / AVG
Processing follows the GDPR (AVG). You can access, correct, export or delete personal data, and file a complaint with the Autoriteit Persoonsgegevens.
Verwerkersovereenkomst (DPA)
We sign a data processing agreement with every customer. Read it before you commit to anything.
Wkb retention
Dossier data is kept for the statutory Wkb retention period of ten years after delivery, then returned or deleted.
Breach notification
If a data breach affects your data, we notify you without undue delay and in any event within 72 hours of becoming aware of it, in line with GDPR Article 33.
An honest boundary
BimDossier is not an approved Wkb instrument and does not replace your kwaliteitsborger. It runs your dossier alongside the instrument you already use.
Found a security issue?
We welcome reports from security researchers. Email us and we will respond quickly. Please give us a reasonable chance to fix an issue before disclosing it publicly.
Stop chasing paperwork. Prove the work was done right.
Upload your model, place your first snags, and watch your project come together.
