GovBidAI is built for customers whose own customers (federal, state, and local governments) hold them to a higher security bar than most B2B SaaS. This page is the working reference of what that means in our product, written in plain English.
01 Encryption
All customer data is encrypted in transit with TLS 1.3 and at rest with AES-256. Encryption keys are managed by our cloud and database providers rather than by GovBidAI; we follow the providers' guidance on key rotation. Backups are encrypted with a key set separate from production, so a compromised production key does not expose backups.
02 Access control
Production access is granted by role, requires MFA, and is logged. Engineering access to customer data is reviewable: an engineer cannot read customer content without leaving an audit trail. Elevated access for non-routine debugging requires an explicit ticket, so every elevation is tied to a documented reason.
- Email + password with MFA for all accounts (SSO is on the roadmap for Enterprise)
- Role-based access control with least-privilege defaults
- Audit log retention sized to plan (Enterprise can extend retention on request)
- Provider-managed encryption keys by default
03 Hosting & residency
Production runs on US-region cloud infrastructure: Supabase for database, auth, and storage; Railway for application hosting; and Cloudflare for CDN, DNS, and edge functions. Customer data is stored in the United States. EU and dedicated regional tenancy are on the roadmap; we will notify customers when they are generally available. Until then, a contract that requires non-US data residency should not rely on roadmap items.
04 Vulnerability management
We run continuous dependency scanning, application-level error monitoring (Sentry), and routine review of the platform advisories published by our cloud providers. Critical findings are remediated as soon as a reliable fix is available; lower-severity findings are tracked against an internal SLA by severity.
05 Incident response
An engineering on-call rotation covers customer-affecting alerts. Customer-affecting incidents are posted to our status page once confirmed. For Severity-1 events we publish a post-incident write-up containing the customer-affecting timeline, the root cause, and the follow-up actions we commit to.
06 Auditing & evidence
Customer-visible audit logs are available in the product UI and via the API, and can be filtered by user, action, record, and time range. On Enterprise plans, logs can be exported on request. Log retention is sized to plan.
07 Certifications & posture
Honest current posture. The items below are business and procurement registrations and privacy commitments; none of them is a third-party security audit or attestation.
- NYC MBE certified (cert #MWCERT2022-353, expires 2027-05-31).
- NMSDC NY/NJ MSDC: application paid 2026-05-12; decision expected late 2026.
- SBA 8(a): application submitted 2026; under review.
- NYS MWBE: application queued for 2026-Q3.
- GSA MAS: pre-award package in preparation.
- GDPR honored; a DPA is available on request.
- CCPA and equivalent state privacy rights honored.
- E-Verify enrolled.
- SAM.gov registered through 2027-03-11.
If your contract requires a specific third-party security attestation that is not listed here, contact us before signing so we can scope the gap honestly.
08 Contact security
Vulnerability disclosure: security@trygovbidai.com (PGP key available on request). Audit, privacy, or vendor-security review inquiries: trust@trygovbidai.com. We acknowledge security reports within 2 business days.