Security

Last Updated: April 9, 2026

Utility LocateIQ is designed to keep your survey data secure. This page describes the security architecture, data handling practices, and protections built into the app and platform.

Pass-Through Architecture: Utility LocateIQ does not host, process, or retain customer survey data on Utility LocateIQ-operated infrastructure. Survey data is stored on-device and syncs directly to your existing ArcGIS Online or Subsurface Maps account. The systems that hold your data (Esri, Diamond Maps) maintain their own SOC 2 and security certifications.

No Central Data Store

Utility LocateIQ does not operate a central server that stores your survey data. Your maps, points, lines, and photos stay on your device and in your own mapping accounts.

Direct-to-Provider Sync

Data syncs directly between your device and ArcGIS Online or Subsurface Maps. Utility LocateIQ never sits between you and your mapping provider.

On-Device Processing

GPS data, BLE sensor readings, photo analysis, and coordinate transformations all happen locally on your device. Nothing is sent to Utility LocateIQ.

OAuth Authentication

Utility LocateIQ never sees or stores your ArcGIS password. Authentication uses industry-standard OAuth 2.0 with token-based sessions.

Data Flow Architecture

Understanding where your data goes is the foundation of trust. Here is how data moves through Utility LocateIQ:

Your Device ├── GPS/GNSS Receiver ──→ Coordinates stay on device ├── Survey Locator (BLE) ──→ Measurements stay on device ├── Camera ──→ Photos stored locally in project folder ├── Local SQLite DB ──→ All survey data cached on device │ ├── Sync (your choice) ──→ ArcGIS Online (your account) ├── Sync (your choice) ──→ Subsurface Maps (your account) └── NTRIP corrections ──→ Your NTRIP provider (you configure) Utility LocateIQ servers receive: None of the above

Authentication & Credentials

ArcGIS Sign-In

OAuth 2.0 flow — your password is entered on Esri's servers, never in Utility LocateIQ
Utility LocateIQ receives only an access token and refresh token
Tokens are stored in the iOS Keychain (hardware-encrypted)
Tokens are cleared on sign-out

Subsurface Maps Sign-In

Session-based authentication with the Subsurface Maps API
Session cookies are stored in the app's secure cookie storage
Sessions expire and are refreshed automatically
Credentials are cleared on sign-out

Utility LocateIQ Account

Supabase-hosted authentication with email/password
Passwords are hashed server-side (bcrypt) — never stored in plain text
JWT tokens used for session management
Row Level Security (RLS) ensures company data isolation

On-Device Data Security

iOS App Sandbox: All app data is stored within the iOS sandbox, inaccessible to other apps
Hardware encryption: iOS encrypts all app data at rest when the device is locked (Data Protection class)
Keychain: Authentication tokens and sensitive credentials are stored in the iOS Keychain, which uses hardware-backed encryption
No jailbreak detection bypass: The app does not attempt to access data outside its sandbox

Network Security

HTTPS everywhere: All network communication uses TLS 1.2+ encryption
App Transport Security: iOS ATS is enabled — the app cannot make insecure HTTP connections
No tracking: No analytics SDKs, no advertising identifiers, no third-party tracking pixels
Minimal network surface: The app only communicates with services you explicitly sign into

Bluetooth Security

BLE connections are made only to devices you explicitly pair (GNSS receivers, survey loggers)
The app scans only for known device name patterns — it does not enumerate all nearby Bluetooth devices
BLE data (NMEA sentences, RTK corrections, sensor measurements) is processed locally and never transmitted over the network
Connections are terminated when the app is closed or the user disconnects

Multi-Company Data Isolation

For organizations using the Utility LocateIQ cloud platform:

Row Level Security (RLS) enforces complete data separation between companies at the database level
Users can only access data belonging to their assigned company
Company administrators control data retention policies, including hard-delete vs. soft-delete settings
User transfers between companies are audited

Encryption

Data at Rest

SQLCipher AES-256 — all local survey data is encrypted in the on-device database
iOS Keychain — encryption keys, authentication tokens, and credentials are stored in hardware-backed encrypted storage
Complete File Protection — photo files are encrypted by iOS and inaccessible when the device is locked
AGM calibration photos — stored as encrypted BLOBs directly in the SQLCipher database

Data in Transit

TLS 1.2+ for all API communication
App Transport Security (ATS) enforced — no insecure HTTP connections permitted
NTRIP credentials stored in Keychain and redacted from all logs

Offline Access PIN

Optional 6-digit PIN for offline access protection
Hashed with PBKDF2-HMAC-SHA256 (300,000 iterations) with unique per-user salt
Stored in iOS Keychain — never in plain text
Rate limiting: 5 failed attempts triggers a 30-second lockout
Configurable "Lock On Return" timeout: Off, 30s, 45s, 1–5 minutes

Data Deletion & Retention

Soft delete (default): Features are timestamped and retained locally for 30 days before permanent purge. On ArcGIS, deleted features are marked with "[DELETED <timestamp>]" for audit trail.
Hard delete (optional): Permanently removes features from local storage and cloud services immediately. Requires explicit company policy approval — not user-configurable.
Delete mode is controlled via company/license policy, ensuring organizational compliance
Sign-out clears all authentication tokens, session data, and cached credentials
App uninstall removes all locally stored data from the device

Compliance Posture

Utility LocateIQ's pass-through architecture means customer survey data never resides on Utility LocateIQ-operated infrastructure. The services that store your data — Esri ArcGIS Online and Diamond Maps (Subsurface Maps) — maintain their own compliance certifications.

Utility LocateIQ has not undergone a formal SOC 2 audit — our architecture minimizes the compliance surface by not hosting customer data
A detailed Security Controls & Compliance Mapping document (mapping to SOC 2 TSC and ISO 27001 Annex A controls) is available in the app under Settings > About
Enterprise customers requiring formal security documentation can request our compliance mapping at brent@subsurfacesolutions.com

Permission Usage Summary

Permission	Purpose	When Active
Location (Precise)	GPS coordinates for survey points	While surveying
Location (Background)	Maintain GPS during BLE device connection	Only when GNSS device connected
Bluetooth	Connect GNSS receivers & survey loggers	When user connects a device
Camera	Capture photos as map feature attributes	When user taps photo button

All permissions can be denied. The app continues to function with reduced capabilities and explains what features require each permission.

Responsible Disclosure

If you discover a security vulnerability in Utility LocateIQ, please report it to us directly. We take all reports seriously and will respond promptly.

Security Contact:
Email: brent@subsurfacesolutions.com