Trust · Security
Every compliance claim on this page is a statement you can verify — or one we've flagged as not-yet. No security theater.
expected report Q3 2026
published list as of 2026-04-20
privileged-action retention window
Security posture
SOC 2 Type II
Audit in progress
Expected report available Q3 2026.
ISO 27001
Roadmap
Sequenced after SOC 2 Type II.
GDPR
Ready
EU data-residency roadmap + DPA available on request.
HIPAA
BAA on request
Healthcare customers with PHI data — contact sales.
Roadmap
Tracking the emerging AI governance standard.
Not yet
Federal customers needing FedRAMP today: see AutogenAI.
Every third-party service that ever touches customer data. Changes get 30-day advance notice via email.
| Service | Purpose | Region |
|---|---|---|
| Cloudflare R2 | Object storage for workspace document uploads | US |
| Anthropic Claude | Proposal drafting + requirements extraction | US |
| OpenAI | Embeddings (alternate model tier) | US |
| Google AI (Gemini) | Embeddings (primary) + diagram extraction | US |
| Railway | Backend compute + Postgres hosting | US (GCP-backed) |
| Cloudflare Pages | Marketing site static hosting | Global edge |
| PostHog | Product analytics | US Cloud |
| Postmark | Transactional email | US |
| LlamaParse | Document extraction (PDF/DOCX) | US |
| Adobe PDF Services | Document extraction (PDF, optional) | US |
Security contact
Report a vulnerability, request our SOC 2 report under NDA, or ask for a DPA: security@bidforge.com
For coordinated disclosure, we commit to acknowledging within 48 hours and triaging within 5 business days.
The Grounded-AI Pledge is contractual. The Analyzer Privacy page tells you exactly what happens to uploaded files.