How we protect your data
Your bid documents, financials, and pricing strategy sit inside BidOps. We take that seriously. This page describes the controls in place and the practices we hold ourselves to. If you're doing vendor due diligence, this is the right starting point — email security@bidops.ai if you need more detail under NDA.
1. Encryption
- In transit: All connections to bidops.ai and app.bidops.ai are served over TLS 1.2 or higher. HTTP requests are redirected to HTTPS. HSTS is enabled.
- At rest: Customer data is stored in a managed Postgres cluster with AES-256 encryption at rest. Object storage (uploaded attachments) is encrypted server-side with provider-managed keys.
- Secrets: Credentials and API keys are stored in our infrastructure provider's secret manager. They are never checked into source control.
2. Access control
- Production database and infrastructure are protected by short-lived, MFA-enforced credentials. Access is granted on a least-privilege basis and reviewed quarterly.
- Customer data is logically scoped by org_id at the query layer. Cross-tenant access is rejected.
- OAuth (Google) and email/password authentication are handled by Supabase Auth with PKCE. Session cookies are HTTP-only, Secure, and SameSite scoped.
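The two controls above (query-layer scoping by org_id, and hardened session cookie attributes) are the ones a reviewer most often asks to see in code. The following is an added illustration written for this page, not BidOps' own code: an in-memory table stands in for Postgres, the column and cookie names are assumptions, and the point is that the org_id predicate is applied by the data-access wrapper on every query rather than by each caller.

```javascript
// Added example, not BidOps code. A constructed in-memory "documents" table
// stands in for the Postgres cluster; field names are hypothetical.
const documents = [
  { id: 'doc-1', org_id: 'org-a', title: 'RFP response draft' },
  { id: 'doc-2', org_id: 'org-b', title: 'Pricing model Q3' },
  { id: 'doc-3', org_id: 'org-a', title: 'Past performance summary' },
];

// Every query goes through a repository bound to the caller's session, so the
// org_id filter cannot be forgotten by an individual route handler.
function scopedRepo(session) {
  if (!session || typeof session.org_id !== 'string' || session.org_id === '') {
    throw new Error('unauthenticated: session has no org_id');
  }
  const orgId = session.org_id;
  return {
    list() {
      return documents.filter((d) => d.org_id === orgId);
    },
    get(id) {
      // A document in another tenant is indistinguishable from a missing one:
      // the caller learns nothing about rows outside its org.
      const row = documents.find((d) => d.id === id && d.org_id === orgId);
      return row === undefined ? null : row;
    },
  };
}

// Session cookie with the attributes the page lists: HttpOnly (no script
// access), Secure (HTTPS only) and SameSite (not sent on cross-site requests).
// The cookie name is an assumption.
function sessionCookie(token, { maxAgeSeconds = 3600 } = {}) {
  return [
    `app_session=${encodeURIComponent(token)}`,
    `Max-Age=${maxAgeSeconds}`,
    'Path=/',
    'HttpOnly',
    'Secure',
    'SameSite=Lax',
  ].join('; ');
}

// Due-diligence helper: check a Set-Cookie header value for the three attributes.
function cookieIsHardened(setCookieValue) {
  const attrs = setCookieValue.split(';').map((s) => s.trim().toLowerCase());
  return (
    attrs.includes('httponly') &&
    attrs.includes('secure') &&
    attrs.some((a) => a === 'samesite=lax' || a === 'samesite=strict')
  );
}

module.exports = { scopedRepo, sessionCookie, cookieIsHardened };
```

`scopedRepo({ org_id: 'org-a' }).get('doc-2')` returns `null` even though the row exists, which is the behaviour described as "cross-tenant access is rejected". The same pattern maps directly onto a Postgres row-level security policy if the scoping is pushed into the database rather than the application layer.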
3. Hosting and locations
Application and database run on Vercel and Supabase in Canadian regions where available. Backups are encrypted and retained for 30 days with point-in-time recovery. AI inference is routed to Anthropic Claude under a commercial agreement that prohibits training on customer content.
4. Software supply chain
- All deployments go through code review and automated checks before merge.
- Dependencies are continuously monitored for known vulnerabilities via GitHub Dependabot.
- Every deployment is tied to an immutable git commit and audit log.
5. Monitoring and logging
We log authentication events, administrative actions, and application errors. Logs are retained for 90 days. Anomalous login patterns trigger alerts to the on-call engineer.
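What "anomalous login patterns" means in practice is easiest to show with a concrete rule. The detector below is an added example for this page, not BidOps' alerting logic: it runs over a few constructed JSON auth events (field names, threshold and window are assumptions), flags any account with a burst of failed logins inside a sliding window, and raises the severity when a successful login follows the burst, since that is the case that warrants paging rather than a ticket.

```javascript
// Added example, not BidOps code. Constructed sample auth events; the field
// names (ts, event, user, ip), the threshold and the window are assumptions.
const sampleAuthLog = [
  '{"ts":"2026-05-12T09:00:00Z","event":"login_failed","user":"alice@example.com","ip":"203.0.113.5"}',
  '{"ts":"2026-05-12T09:00:20Z","event":"login_failed","user":"alice@example.com","ip":"203.0.113.5"}',
  '{"ts":"2026-05-12T09:00:45Z","event":"login_failed","user":"alice@example.com","ip":"203.0.113.5"}',
  '{"ts":"2026-05-12T09:01:10Z","event":"login_failed","user":"alice@example.com","ip":"203.0.113.5"}',
  '{"ts":"2026-05-12T09:01:40Z","event":"login_failed","user":"alice@example.com","ip":"203.0.113.5"}',
  '{"ts":"2026-05-12T09:03:00Z","event":"login_success","user":"alice@example.com","ip":"203.0.113.5"}',
  '{"ts":"2026-05-12T09:05:00Z","event":"login_failed","user":"bob@example.com","ip":"198.51.100.7"}',
  '{"ts":"2026-05-12T09:06:00Z","event":"login_failed","user":"bob@example.com","ip":"198.51.100.7"}',
  '{"ts":"2026-05-12T09:07:00Z","event":"login_success","user":"carol@example.com","ip":"192.0.2.9"}',
];

// Parse one JSON event per line and attach a numeric timestamp for arithmetic.
function parseAuthLog(lines) {
  return lines.map((line) => {
    const e = JSON.parse(line);
    return { ...e, t: Date.parse(e.ts) };
  });
}

// Sliding-window rule: `threshold` or more failed logins for one user within
// `windowMs`. Severity is "high" if a success for that user lands within
// `windowMs` after the last failure of the burst, otherwise "medium".
function detectFailedLoginBursts(events, { threshold = 5, windowMs = 5 * 60 * 1000 } = {}) {
  const failuresByUser = new Map();
  const successesByUser = new Map();
  for (const e of events) {
    const bucket = e.event === 'login_failed' ? failuresByUser
      : e.event === 'login_success' ? successesByUser : null;
    if (bucket === null) continue;
    if (!bucket.has(e.user)) bucket.set(e.user, []);
    bucket.get(e.user).push(e.t);
  }

  const alerts = [];
  for (const [user, times] of failuresByUser) {
    times.sort((a, b) => a - b);
    let start = 0;
    for (let end = 0; end < times.length; end++) {
      while (times[end] - times[start] > windowMs) start++;
      if (end - start + 1 >= threshold) {
        const lastFailure = times[end];
        const followedBySuccess = (successesByUser.get(user) || [])
          .some((s) => s >= lastFailure && s - lastFailure <= windowMs);
        alerts.push({
          user,
          count: end - start + 1,
          from: new Date(times[start]).toISOString(),
          severity: followedBySuccess ? 'high' : 'medium',
        });
        break; // one alert per user per run is enough for the on-call engineer
      }
    }
  }
  return alerts;
}

function runSample() {
  return detectFailedLoginBursts(parseAuthLog(sampleAuthLog));
}

module.exports = { parseAuthLog, detectFailedLoginBursts, runSample };
```

On the constructed log, alice trips the rule (five failures in under two minutes, then a success) and bob does not (two failures). The same shape extends to other patterns the page's wording covers, such as one account succeeding from many distinct source addresses in a short window.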
6. Incident response
We maintain a written incident response plan. In the event of a confirmed breach affecting customer data, we will notify affected account owners within 72 hours, share what we know, and follow up with remediation steps and a post-incident review.
7. Customer responsibilities
To stay safe, your team should:
- Use unique, strong passwords or sign in with Google SSO.
- Remove team members who leave the company promptly.
- Use the support email rather than chat for sensitive issues.
8. Vulnerability reporting
We welcome reports from researchers. Email security@bidops.ai with a description and reproduction steps. We commit to acknowledging valid reports within two business days and to not pursuing legal action against good-faith research conducted under these guidelines.
9. Compliance posture
BidOps is a young company. We are not yet SOC 2 certified, and we won't claim certifications we don't have. We have built our controls in alignment with the SOC 2 trust services criteria and intend to undergo a Type 1 audit in our next fiscal year. If your procurement process requires a specific attestation, contact us and we'll tell you exactly where we stand.
10. Contact
Security questions, customer due diligence, or anything sensitive: security@bidops.ai.
Last updated May 12, 2026.