Company Information
Headquarters: Yakima, Washington, USA
Industry Experience: 40+ Years Construction
Ground Up AI is a US-based company founded and operated by Robert Neeper, a 40-year construction industry veteran with over 19 years as a Senior Superintendent on projects including data centers, hospitals, airports, federal highways, and underground infrastructure across the Central and Western United States.
Infrastructure & Hosting
Primary Cloud: Amazon Web Services (AWS)
Server Location: United States
Secondary Infrastructure: Secondary VPS — Separate Provider
SSL/TLS: Let's Encrypt — All Endpoints
Data Residency: United States Only
All Ground Up AI infrastructure is physically located in the United States. The primary production environment runs on Amazon Web Services. A secondary VPS server at a separate provider maintains a current copy of all configuration, assets, and data — in the event of an AWS disruption, operations can be restored via manual failover with DNS cutover to the secondary. All data processing, storage, and compute occur on US soil.
Dual-provider infrastructure — AWS primary with secondary VPS failover. Recovery is by manual DNS cutover, not automatic.
Network Security
Firewall: Default Deny — Inbound
Public Ports: 22 (SSH) · 80 (HTTP→HTTPS) · 443 (HTTPS / Voice WSS)
Backend Services: Loopback Only — Not Internet-Facing
Intrusion Prevention: fail2ban — 4 Active Jails
All application backend services are bound exclusively to the server loopback interface — they are not reachable from the internet under any circumstance. The only public-facing layer is nginx, which proxies requests to internal services after enforcing authentication at the reverse-proxy level. All unrecognized inbound traffic is dropped by default.
fail2ban monitors SSH, HTTP authentication, and bot scanning in real time, automatically banning IPs after failed attempts. Active bans are maintained against confirmed brute-force attempt sources.
Encryption in Transit
Protocols: TLS 1.2 and TLS 1.3 Only
Deprecated Protocols: SSLv3 / TLS 1.0 / TLS 1.1 — Disabled
Certificate Authority: Let's Encrypt (ECDSA)
Coverage: All Subdomains — Single Certificate
Key Exchange: Forward Secrecy — ECDHE / DHE Only
Cert Renewal: Automatic — Monitored Daily
All endpoints — groundupai.io, academy.groundupai.io, and dashboard.groundupai.io — are served exclusively over TLS. The cipher suite is restricted to forward-secret, authenticated encryption only: AES-128-GCM, AES-256-GCM, and ChaCha20-Poly1305. No RC4, no 3DES, no legacy CBC-mode ciphers are permitted. Custom Diffie-Hellman parameters are in use.
Authentication & Access Control
Password Hashing: PBKDF2-SHA256 — 600,000 Iterations
Session Tokens: HttpOnly Cookies — Server-Side Validation
Credential Storage: Hashed — Mode 600 — Server-Side Only
Route Enforcement: nginx auth_request — All Protected Routes
All passwords are hashed with PBKDF2-SHA256 at 600,000 iterations before storage, which is the OWASP-recommended level. No plaintext credentials are stored anywhere in the system. Session authentication is enforced at the nginx reverse-proxy layer before any application code executes. No API keys, tokens, or passwords are present in any client-side code or public-facing file.
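A sketch of password storage with the parameters stated above (PBKDF2, SHA-256, 600,000 iterations), as an added example rather than Ground Up AI's code. The `pbkdf2_sha256$iterations$salt$hash` record format, the 16-byte salt and the function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 600_000   # iteration count stated on the page
SALT_BYTES = 16        # assumed salt length
SCHEME = "pbkdf2_sha256"


def hash_password(password, iterations=ITERATIONS):
    """Return a self-describing record: scheme$iterations$salt_hex$hash_hex."""
    salt = secrets.token_bytes(SALT_BYTES)  # fresh random salt per password
    derived = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations
    )
    return f"{SCHEME}${iterations}${salt.hex()}${derived.hex()}"


def verify_password(password, stored):
    """Return (ok, needs_rehash).

    needs_rehash is True when the password matched but the record was
    created with fewer iterations than the current policy, so the caller
    can re-hash it at login time.
    """
    try:
        scheme, iters, salt_hex, hash_hex = stored.split("$")
        iterations = int(iters)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(hash_hex)
    except ValueError:
        return False, False  # malformed record: fail closed
    if scheme != SCHEME or iterations <= 0:
        return False, False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations
    )
    # Constant-time comparison avoids leaking how many bytes matched.
    ok = hmac.compare_digest(candidate, expected)
    return ok, ok and iterations < ITERATIONS
```

Storing the iteration count inside each record is what lets the work factor be raised later without invalidating existing passwords.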
Data Handling & Privacy
What data we process
- Client contact information (name, email, phone, company)
- Job site information (location, project type, project name)
- Daily field notes and observations submitted by field staff
- Email summaries and calendar data (when email/calendar integration is enabled)
- Project management tool data (when Procore or similar integrations are enabled)
- Voice transcripts from field interactions (processed in real time, not retained)
What we do not do
- We do not sell client data to third parties
- We do not use client field data to train AI models
- We do not retain voice audio after processing — transcripts are discarded after response generation
- We do not retain email content — only summaries are processed and discarded
Data storage
All client data is stored in a server-side database with strict client-level isolation enforced in all queries. The database file is access-restricted to application processes only (mode 600). No cross-client data sharing occurs under any circumstances. Data is retained for the duration of the service agreement and deleted upon request or contract termination.
Backup & Recovery
Local Retention: 7 Days Rolling
Offsite Backup: Secondary Server — Separate Provider
Secret Encryption: AES-256-CBC Before Storage
Daily backups cover all web assets, application code, database, server configuration, and credentials. Sensitive secrets and credentials are encrypted with AES-256-CBC using PBKDF2 key derivation before being written to any backup — they are never stored in plaintext. Backups are replicated offsite to a secondary server at a separate hosting provider via authenticated SSH, ensuring recovery capability independent of the primary infrastructure.
Monitoring & Patch Management
Security Patches: Auto-Applied Daily
Rootkit Scans: rkhunter — Weekly
Security Digest: Daily Email — 6:05 AM UTC
SSL Monitoring: Daily Expiry Check
Log Review: logwatch — Daily
Service Watchdog: Systemd + Auto-Restart — All Services
Unattended-upgrades automatically applies OS security patches daily without requiring manual intervention. A weekly rootkit scan (rkhunter) checks for known rootkits, suspicious binaries, and system file modifications. A security digest is delivered every morning covering login attempts, banned IPs, service status, and certificate health. All production services are configured with automatic restart — if any service crashes, it recovers within seconds without manual intervention.
AI Processing & Voice Pipeline
AI Reasoning: Anthropic Claude — San Francisco, CA
Speech-to-Text: Deepgram Flux — US-Based
Text-to-Speech: ElevenLabs Flash v2.5 — US-Based
AI Training Use: Client Data NOT Used for Training
Audio Retention: Not Retained — Processed in Real Time
Data Persistence: No Persistent Storage at Third Parties
Charlie's voice pipeline is a three-hop real-time process: field audio is transcribed by Deepgram (Flux), the transcript is reasoned on by Anthropic Claude, and the response is spoken back via ElevenLabs (Flash v2.5). All three providers are US-based and operate under API terms that prohibit using customer data for model training. No audio is stored. No transcript is retained after the response is generated. All API keys are server-side only — never in client-facing code.
Platform Integrations & Third-Party Data Processors
Communication & Email
- Microsoft 365 / Microsoft Graph API — Charlie reads email summaries and calendar data from client Microsoft 365 accounts via OAuth 2.0. Email content is summarized and discarded — full email bodies are not stored. Calendar events are read for scheduling context only.
- Office 365 SMTP (smtp.office365.com) — Used for outbound delivery of daily briefings, reports, and client notifications. Credentials are stored server-side only.
- Twilio — Used to send SMS crew notifications on behalf of superintendents (crew blasts, safety alerts). Recipient phone numbers are stored in the client profile. Message content is logged for the client's record only.
Project Management
- Procore API — For clients using Procore, Charlie reads project data (schedules, submittals, RFIs, daily logs) via OAuth. Data is read-only unless the client explicitly enables write-back. No Procore data is shared with other clients.
- Buildertrend API — Available for clients on Buildertrend. Same data isolation and read-only model as Procore.
Accounting
- QuickBooks Online API — For clients who enable it, Charlie syncs receipts and certified pay applications to the client's own QuickBooks company via OAuth 2.0. Per-client tokens are stored server-side only (mode 600); each client's data goes only to that client's own QuickBooks account. No accounting data is shared across clients.
Weather Data
- Open-Meteo API — Used to pull weather data for daily briefings. Only a job site latitude/longitude is sent. No client identity or project data is transmitted. Open-Meteo is a free, open-source weather API — no account or API key required.
Internal Notifications (Operator-Only)
- Telegram Bot API — Used exclusively for internal operator alerts (new lead submissions). No client data is transmitted. Clients have no interaction with it.
All API credentials for every integration are stored in a restricted server-side credentials file (mode 600). No keys, tokens, or secrets appear in client-side code, browser traffic, or any publicly accessible location.
Compliance Documentation
Ground Up AI maintains written security documentation available to enterprise clients and prospects upon request. Available documents include:
- Architecture diagrams — system topology, service boundaries, and data flows
- Data flow diagrams — how client data moves through Charlie's pipeline
- Written security policies — access control, incident response, and data handling
To request documentation, contact Ground Up AI directly at robert@groundupai.io.
Support & SLA
Standard support — all clients
- Direct access to the Ground Up AI team — (509) 829-1257
- Automated server monitoring with immediate alerts
- Response to critical issues: within 30 minutes, 24/7
- Response to non-critical issues: within 4 business hours
- 30 days of hands-on tuning included after go-live
Enterprise clients
- Dedicated setup call and walkthrough
- Monthly check-in calls
- Priority response — 15 minutes for critical issues
- Custom SLA available upon request