Trust center · One page · Every claim is linked

Where you go before you sign anything.

Systems operational
Status page live
status →

Security, privacy, terms, data-processing addendum, status, and the responsible-disclosure path: collected on one page so procurement and security review never has to triage tabs.

Certifications & postureHonest status, every item
● Live
NYC MBE
Cert #MWCERT2022-353 · exp 2027-05-31
● In review
NMSDC
NY/NJ MSDC · application paid 2026-05-12
● In review
SBA 8(a)
Application submitted 2026
● In progress
GSA MAS
Pre-award package in preparation
● Live
GDPR
Honored · DPA available on request
● Live
CCPA
Honored · state-law equivalents
● Live
E-Verify
Enrolled
● Live
SAM.gov
Registered through 2027-03-11
The six surfaces · Click into the deep linksEach maintained separately
Security

Security

Encryption, access control, the team that owns response, and how we engineer for least-privilege end-to-end.

Reviewed May 2026Open →
Privacy

Privacy

What we collect, why, how long we keep it, and how we honor data-subject requests. GDPR + CCPA + state-equivalent.

Reviewed Apr 2026Open →
Terms

Terms of service

Subscription terms, acceptable use, IP, indemnification, and dispute resolution. Plain-language drafted, counsel-reviewed.

Reviewed Mar 2026Open →
DPA

Data Processing Addendum

Pre-signed DPA for GDPR + CCPA, including SCC for EU data transfer. Add the appendices and counter-sign.

Reviewed Apr 2026Open →
Live

Status page

Component-level uptime, incident timeline, and post-mortems for customer-affecting events.

LiveOpen →
Policy

Responsible disclosure

Coordinated-disclosure path with safe-harbor language. Email security@trygovbidai.com with reproducible findings.

Reviewed Feb 2026Open →
StatusLive

Status & incident log

Component-level uptime, incident timeline, and post-mortems are published on our live status page. Customer-affecting incidents are posted within 15 minutes of confirmation; root-cause write-ups are published after each Severity-1 event.

Subscribe at the status page to receive email or webhook alerts on any state change.

Live status
All components operational

Status data is published from our live monitoring; this card reflects the current state at page-load time. Historical incidents and uptime data live on the status page.

Open status page →
Subprocessors · 7

Every vendor with access to customer data, listed.

We notify customers 30 days before adding any new subprocessor. The current list, with each vendor's purpose and data-residency region:

VendorPurposeRegion
SupabaseDatabase, auth, storageUS
RailwayApplication hostingUS
CloudflareCDN, DNS, edge functionsGlobal, US POPs
StripeBilling & subscriptionsUS
AnthropicLLM inference for product featuresUS
SendGridTransactional emailUS
PostHogProduct analyticsUS
SentryError monitoringUS
Data residency

Where your data lives.

Customer data is stored in the United States. Our database, hosting, edge, and analytics subprocessors all operate in US regions. EU and dedicated regional tenancy are on the roadmap; we will notify customers when they are generally available.

Contact us about residency requirements →
Responsible disclosure · Safe harbor in scope

If you find something, tell us. We credit, we patch, we follow up.

We welcome coordinated disclosure of security issues. Email the address at right with a clear repro and your preferred credit. We will acknowledge receipt and keep you posted as we work the fix.

Contact
security@trygovbidai.com
PGP key available on request
Response
We acknowledge reports within 2 business days
Scope
trygovbidai.com and the GovBidAI app