Built to pass your IT review.
Written for the person who has to approve the install. Every claim on this page comes from the shipped code. Updated July 2026.
The short version
Paste this straight into the ticket:
Fulcrum VDC tools are small Windows desktop apps and Revit add-ins. They process project files locally — drawings, PDFs, and models never upload. Application traffic is HTTPS-only to a single host, hub.fulcrumvdc.com (sign-in, license check, and anonymous usage counts). The NWC Exporter Installer additionally downloads Autodesk's official exporter packages directly from Autodesk's own servers. Payment cards are handled end-to-end by Stripe. Downloads ship as ZIPs with SHA-256 checksums published at www.fulcrumvdc.com/security.html.
Network footprint
Firewall allowlist: hub.fulcrumvdc.com:443. That's the
only host our application code talks to — for the NWC Exporter
Installer, also allow Autodesk's download servers
(*.autodesk.com and *.autodesk.net —
some exporter packages, including Revit 2024's, are served from
damassets.autodesk.net), because it fetches the official
exporter installers straight from Autodesk rather than re-hosting them.
All connections are TLS.
| Endpoint | Purpose | When |
|---|---|---|
POST /api/auth/login | Sign-in | Once per sign-in; sessions persist |
POST /api/devices/register | Ties the install to your account | First run per machine |
GET /api/license/check | Confirms trial/plan state | Before a tool runs |
POST /api/usage | Reports usage counts (see below) | After a job completes |
POST /api/contact | In-app support requests | Only when you use Help → Contact |
GET /api/exporters/manifest | NWC Exporter Installer only — the current map of Autodesk exporter downloads (no sign-in) | At launch |
POST /api/grant-codes/redeemPOST /api/credits/notify-admins | Code redemption · low-credit alerts | Only on explicit user action |
What never leaves your machines
File processing is local — QR Splitter reads and writes PDFs with local libraries; the Revit add-ins run inside your Revit session. The complete usage payload our apps send is four fields:
{ "product": "qr-splitter", "qty": 8, "labels": 437, "idempotency_key": "…" }Counts, not content. No file names, no file paths, no document data, no model data — there is no endpoint that accepts file contents.
Connectivity model
- Online license check. Tools confirm license state with the Hub before running. If the Hub is unreachable, the tool tells you and declines to run — it fails closed rather than degrading silently.
- Offline-tolerant billing. Usage counts queue in a durable local outbox and sync when connectivity returns, de-duplicated by idempotency key — an outage never causes lost or doubled billing.
- No background chatter. These tools reach the Hub to sign in, to license a run, to fetch the exporter map (NWC Installer only), and when you use an account action — nothing else. No analytics or telemetry beacon phoning home. (Floating-license tools sold separately send a periodic keep-alive to hold your shared seat while open.)
Verify your download
Every download is delivered as a ZIP (or a plain .exe on request) through the Hub. Check the SHA-256 before you install:
Get-FileHash .\qr-splitter-2.1.4.zip -Algorithm SHA256| Product | Version | File | SHA-256 |
|---|---|---|---|
| QR Splitter | 2.1.4 | ZIP | 12df783eb457acc5b90e16993aa0fe5483c1b33ca18e839b0b3175a63735a394 |
| EXE | c3fdbb7ed86172bf6e5ba9640821060fb515ead6169237c4723bd7473f06b4dc | ||
| NWC Exporter Installer | 1.1.1 | ZIP | ff209e2e25a9d3a2fd7c60bc741cdf16ccae2dc7e5f9222c4ada59f65c27827f |
| EXE | 64b862ff2e5f7b72aaa1eb5aab882448bc47c085d34873e337e921fd93ef2cdc | ||
| Bulk Export | 1.2.0 | ZIP | 7f10848efdf1b306eaaf829dad7463f910147ea73ec404ae5e5874e07c387535 |
| EXE | 60058e14bb7434aae6b4a735b398c92bbab7780c05cd4327f453276f657a315a | ||
| Room Tags 3D | 1.0.0 | ZIP | a0441993283c11571de175da992fc68c6d1063b8a6d8d893cf1f99ce08b14f09 |
| EXE | 66375c03bff6a3909d83dbf4e00263e8da297aaab0d114d34ff849ec629eda6c | ||
| Unistrut | 1.0.0 | ZIP | f8c78dbac92ae1fc69479bda75effb4d7f7b6aec0d0b5ed3b65f9229386268de |
| EXE | 91d7a94551553dc9cc84d9ad8d5a5fdf5c7e3f2fe3291b722b7e270e6a53a0db |
Code signing — where we are, honestly
Current builds are not yet Authenticode-signed, so Windows SmartScreen may show "Windows protected your PC" on first launch (More info → Run anyway). An OV code-signing certificate was purchased in July 2026 and signed builds ship as soon as organization validation completes. Until then, the checksums above are your integrity check — and the reason we publish them.
Platform security
- Transport: HTTPS everywhere with HSTS; the apps
talk only to
hub.fulcrumvdc.comover TLS (validated against the system trust store). - Credentials: passwords stored only as salted bcrypt hashes; sign-in endpoints are rate-limited; download forms are bot-checked (Cloudflare Turnstile).
- Payments: collected and stored by Stripe. Card numbers never touch our servers.
- Web hardening: an enforced Content-Security-Policy on this website (report-only rollout on the Hub), strict security headers on both, and CSRF protection on account actions.
- Infrastructure: backend on Fly.io (US), site on Cloudflare, transactional email via Postmark, error monitoring via Sentry. Full data practices in the Privacy Policy.
Questions or a security concern?
Send your security questionnaire or report an issue through the contact form — security reports go to the top of the queue.