The Pain Point Nobody Talks About
If you've ever worked with a general contractor, you know about Certificates of Insurance. Every subcontractor needs one. Every policy expires. And somehow it's always the GC's office manager drowning in PDFs, Excel spreadsheets, and expired coverage nobody caught.
Construction companies manage 20-200+ subcontractors. Each sub carries GL, auto, workers comp, umbrella policies. Each policy has different limits, different expiration dates. One lapse in coverage on a jobsite and the GC is personally liable. It's a compliance nightmare that costs the industry billions in uninsured claims every year.
I built VendorShield to fix it.
The Stack
Frontend: Next.js 15 with server components. The dashboard renders server-side for fast initial loads, then hydrates for interactive filtering and real-time status updates.
Database: Supabase (Postgres). The schema has 7 tables with row-level security: organizations, vendors, COI documents, compliance requirements, compliance checks, audit logs, and user profiles. 25+ indexes for query performance on the compliance check joins.
AI Layer: When a user uploads a PDF certificate, pdf-parse extracts the text, then Llama 3.3 70B (via Groq) parses out policy numbers, coverage types, limits, effective/expiration dates, named insureds, and additional insureds. The model also generates a risk score 0-100 with specific flags.
Auth: Supabase magic links. No passwords to manage.
Payments: Stripe with 14-day free trial. Three tiers at $49/$99/$149 per month based on vendor count.
Email: AWS SES for vendor invite links and expiration alerts.
The Compliance Engine
This is where it gets interesting. GCs don't just need to know "does this sub have insurance." They need to verify:
- GL limits meet their minimum (usually $1M/$2M)
- Workers comp is active in the right state
- The GC is listed as additional insured
- The policy hasn't expired since the COI was issued
- Umbrella coverage meets the project contract requirements
I built a rules engine where GCs define their requirements per vendor category (electrical, plumbing, roofing, etc.) and VendorShield automatically checks every uploaded COI against those rules. Non-compliant vendors get flagged immediately.
Vendor Self-Serve Portal
The viral growth mechanic: when a GC invites a subcontractor to upload their COI, the sub gets a token-based link. No account needed. Upload the PDF, done. The sub sees their compliance status, the GC gets the parsed data instantly.
This creates a natural GC-to-sub distribution loop. Every vendor invite is a potential new GC signup when that sub works with other contractors.
What I Learned
PDF parsing is messy. ACORD forms (the standard COI format) vary wildly between insurance agencies. Some are scanned images, some are fillable PDFs, some are hand-typed. The AI layer handles the variation better than any regex-based parser could.
Compliance rules are surprisingly complex. Different states, different project types, different contract requirements. The rules engine needed to be flexible enough to handle arbitrary conditions without becoming a spreadsheet.
Construction moves slow on software adoption. The industry still runs on fax machines and 3-ring binders. The product needs to be dead simple or it won't get adopted.
If you're a GC or property manager dealing with vendor insurance headaches, try it out: vendorshield.app. Free 14-day trial, no credit card required upfront.
Happy to answer any questions about the architecture or the construction compliance space.
Top comments (0)