Is GeoQuote SOC 2 certified?

GeoQuote should not be treated as SOC 2 certified unless a current, scoped SOC 2 report is provided. The current security story should be based on implemented app controls and managed provider controls.

Does GeoQuote encrypt CRM credentials?

Yes. Stored CRM credentials are encrypted in the application using AES-256-GCM before they are persisted.

Does GeoQuote sell shared homeowner leads?

No. GeoQuote is designed for contractor-owned quote requests captured from the contractor website, quote link, ads, QR codes, SMS, referrals, or other owned channels.

Is contractor SMS always enabled?

No. SMS behavior depends on the configured account and environment. Email, webhook, CRM, and dashboard workflows should be evaluated separately from optional SMS notifications.

Can GeoQuote support a vendor security review?

Yes. A contractor can review the active workflow, provider stack, credential handling, webhook behavior, privacy policy, and any contract-specific data requirements before rollout.

Does GeoQuote guarantee a specific hosting region?

Do not assume a specific region from this page alone. Region claims should be verified against the active Vercel, Firebase, and storage configuration for the production deployment.

GeoQuote.ai

Security and trust

Security and data handling for GeoQuote roofing and solar lead workflows.

GeoQuote captures contractor-owned quote requests. This page explains what data is handled, how credentials are protected, which providers support the platform, and where current certification limits still exist.

Read privacy policy CRM data handoff See the workflow

Short answer

GeoQuote uses provider-managed cloud security, HTTPS transport, Firebase-backed storage, and app-level encryption for stored CRM credentials. GeoQuote is not currently claiming SOC 2 or ISO certification; contractors who need a security review should evaluate the current provider stack and the specific workflow they plan to use.

AES-256-GCM

app-level encryption used for stored CRM credentials

TLS

HTTPS transport handled through hosted provider infrastructure

No SOC 2 claim

GeoQuote does not market a completed SOC 2 or ISO certification today

“A trust page should reduce uncertainty, not inflate claims. GeoQuote is built to protect contractor lead data, but we should be precise about what is implemented, what comes from providers, and what is still a roadmap item.”
— Pravin Nawkar, Founder, GeoQuote.ai

Best fit

Roofing and solar contractors who already get attention from business profiles, Facebook, SMS, QR codes, ads, referrals, or websites and need more of that interest to become reachable, verified quote requests.

Not best fit

Teams looking only for a full CRM, insurance-grade measurement report, proposal builder, or solar design platform with no need for quote-link conversion or lead capture.

Data GeoQuote handles

GeoQuote can handle homeowner contact details, submitted property address, service interest, estimate context, consent status, attribution details, lead status, and appointment context when those workflows are enabled.

Contractor-owned leads

GeoQuote is not a shared lead marketplace. Quote requests captured through a contractor quote link or widget are intended for that contractor account and its configured workflow.

Transport and hosting security

GeoQuote runs on managed web infrastructure that provides HTTPS/TLS transport and provider-managed security controls. Exact production-region and provider-control questions should be verified against the active deployment and account configuration before procurement sign-off.

Storage and credential protection

Firebase-backed storage is used for application data. CRM credentials stored by GeoQuote are additionally encrypted in the application using AES-256-GCM before persistence.

CRM and webhook risk controls

CRM handoffs are designed to be non-blocking and retry-aware. Webhook URLs are validated to reduce server-side request forgery risk before outbound events are accepted.

SMS and email providers

GeoQuote can use providers such as Twilio for verification or messaging workflows and Resend for email delivery where configured. Contractor SMS behavior depends on account and environment configuration and should not be assumed globally enabled.

AI data boundary

GeoQuote should not claim that no homeowner data ever reaches an AI provider unless that is verified for the exact workflow. Any AI-assisted copy or follow-up workflow should be reviewed separately before making customer-facing security promises.

Retention and deletion

Contractors can request account, lead, or data handling review through the normal support path. Any export, deletion, or retention commitment should be confirmed against the current product and legal policy before a contract requires it.

Certification status

GeoQuote should not be represented as SOC 2, ISO 27001, HIPAA, or PCI certified unless a completed certification or formal scope document exists. Security-sensitive buyers should receive the current provider and process summary instead of an inflated badge claim.