MyBids.AI

Security & Trust

Enterprise-Grade Security for Your Proposals

Your RFPs, proposals, and knowledge base are protected by multi-layer security — encryption at rest and in transit, complete tenant isolation, and strict data handling policies.

AES-256 Encryption
Row-Level Security
SOC 2 Hosted
No Model Training

Core Security Principles

Every layer of MyBids.AI is designed with security as a first-class requirement, not an afterthought.

Data Encryption

AES-256 encryption at rest via Supabase (AWS). TLS 1.2+ encryption in transit for all API calls, file uploads, and browser sessions.

Tenant Isolation

PostgreSQL Row-Level Security enforces complete organization isolation at the database level. No cross-tenant data access is possible — even in the event of application-level bugs.

Access Control

Role-based access control (ADMIN / MEMBER) enforced on every API route. Organization context is validated server-side via requireOrgContext() before any data is returned.

No Data Training

Your proposals and knowledge base are never used to train AI models. Together.ai serverless inference processes data in-memory with zero retention after response.

Infrastructure & Architecture

Built on trusted, battle-tested cloud infrastructure with security at every layer.

Database

Supabase (AWS-hosted PostgreSQL) with row-level security, daily automated backups, and point-in-time recovery.

File Storage

Supabase Storage (S3-backed), encrypted at rest. All file access uses time-limited signed URLs — no public buckets.

Authentication

Supabase Auth with bcrypt password hashing, secure HTTP-only session tokens, and email verification on signup.

AI Processing

Together.ai serverless inference — your data is processed in-memory, never written to disk, and not used for model training.

Hosting

Vercel edge network with automatic HTTPS, global CDN, DDoS protection, and isolated serverless function execution.

Data Handling & Residency

Complete transparency on what we store, what we don't, and who processes your data.

What we store

  • RFP uploads and parsed content
  • Generated proposals and drafts
  • Knowledge base documents and embeddings
  • User profiles and organization settings
  • Subscription and usage records

What we don't store

  • Credit card numbers (Stripe handles all payment data)
  • Raw AI model weights or training data
  • Other organizations' data (RLS-enforced)
  • Plaintext passwords (bcrypt-hashed only)

Data Residency

All data is stored in the United States (AWS us-east-1 region via Supabase). AI inference runs on Together.ai's US-based serverless infrastructure.

Retention & Deletion

Data is retained while your subscription is active. You can request complete data deletion at any time by contacting us. We will purge all organizational data, documents, proposals, and embeddings.

Sub-processors

Provider      Purpose
Supabase      Database, auth, file storage
Together.ai   AI inference (no data retention)
Stripe        Payment processing
Resend        Transactional email
Vercel        Application hosting
PostHog       Product analytics
Sentry        Error monitoring

Compliance Roadmap

We're actively investing in certifications and compliance frameworks that enterprise buyers expect.

Control                                              Status
TLS 1.2+ encryption in transit                       Live
AES-256 encryption at rest                           Live
Row-Level Security (tenant isolation)                Live
Encrypted file storage (S3-backed)                   Live
Secure authentication (bcrypt + session tokens)      Live
Privacy policy & terms of service                    Live
Role-based access control (ADMIN / MEMBER)           Live
SOC 2 Type I preparation                             In Progress
DPA template for enterprise customers                In Progress
SOC 2 Type II audit                                  Planned
GDPR Article 28 DPA                                  Planned
Third-party penetration testing report               Planned

Security FAQs

Common questions from enterprise security and procurement teams.

Is my data used to train AI models?

No. Your proposals, knowledge base documents, and all organizational data are never used to train AI models. We use Together.ai serverless inference, which processes your data in-memory and has zero data retention after generating a response. Your content remains exclusively yours.

Where is my data stored?

All data is stored in Supabase-managed PostgreSQL databases hosted on AWS in the US (us-east-1 region). File uploads are stored in Supabase Storage (S3-backed) in the same region. All storage is encrypted at rest using AES-256.

How is tenant isolation enforced?

We use PostgreSQL Row-Level Security (RLS) policies that enforce organization-level isolation at the database layer. Every query is automatically scoped to your organization. Even if there were an application-level bug, the database itself prevents cross-tenant data access. This is verified on every API request via server-side organization context checks.

Can I get a DPA (Data Processing Agreement)?

We are actively preparing a DPA template for enterprise customers. If you need a DPA today, please contact us at security@mybids.ai and we will work with you to establish appropriate data processing terms.

What happens to my data if I cancel?

Your data remains accessible while your subscription is active. After cancellation, you can request complete data deletion by contacting us. We will remove all your organizational data, uploaded documents, generated proposals, and knowledge base embeddings from our systems.
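The "Tenant Isolation" principle above and the FAQ answer on how tenant isolation is enforced both describe PostgreSQL Row-Level Security scoping every query to one organization. The following is an added illustration of that pattern, not MyBids.AI's actual schema or policies: the table name (proposals), the org_id column, the session setting app.current_org, the role app_user and the sample UUIDs are all assumptions constructed for the example. It shows the policy definition plus the check a reviewer would run to confirm that a second tenant sees nothing.

```sql
-- Added example (not MyBids.AI's own schema): minimal org-scoped RLS in PostgreSQL.
-- Assumed names: table proposals, column org_id, setting app.current_org, role app_user.
CREATE TABLE proposals (
    id      bigserial PRIMARY KEY,
    org_id  uuid NOT NULL,
    title   text NOT NULL,
    body    text
);

ALTER TABLE proposals ENABLE ROW LEVEL SECURITY;
-- FORCE makes the policy apply to the table owner as well, not only to other roles.
ALTER TABLE proposals FORCE ROW LEVEL SECURITY;

-- The application sets the tenant for each request/transaction via a session
-- setting. NULLIF guards the cast: an unset or reset setting yields NULL, and a
-- NULL comparison is false, so an unscoped request sees and writes nothing.
CREATE POLICY proposals_tenant_isolation ON proposals
    USING      (org_id = NULLIF(current_setting('app.current_org', true), '')::uuid)
    WITH CHECK (org_id = NULLIF(current_setting('app.current_org', true), '')::uuid);

-- Application role that must go through RLS (assumed name). Superusers and roles
-- with BYPASSRLS skip policies entirely, so the app must not connect as one.
CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON proposals TO app_user;
GRANT USAGE, SELECT ON SEQUENCE proposals_id_seq TO app_user;

-- Verification from a psql session, using constructed sample org ids.
SET ROLE app_user;
SELECT set_config('app.current_org', '11111111-1111-1111-1111-111111111111', false);
INSERT INTO proposals (org_id, title)
    VALUES ('11111111-1111-1111-1111-111111111111', 'Org A draft');
SELECT count(*) FROM proposals;   -- 1: org A sees its own row

-- Writing a row tagged with another org fails the WITH CHECK clause:
-- INSERT INTO proposals (org_id, title)
--     VALUES ('22222222-2222-2222-2222-222222222222', 'Wrong org');
-- ERROR:  new row violates row-level security policy for table "proposals"

SELECT set_config('app.current_org', '22222222-2222-2222-2222-222222222222', false);
SELECT count(*) FROM proposals;   -- 0: org A's row is invisible to org B

SELECT set_config('app.current_org', '', false);
SELECT count(*) FROM proposals;   -- 0: no tenant context means no rows at all
RESET ROLE;
```

Two points worth checking in any RLS-based isolation design: the connection role used by the application must not be a superuser or carry BYPASSRLS, and every table holding tenant data needs its own policy, since RLS is per table and a table without one is fully readable by any role that has been granted SELECT on it.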

Ready to see enterprise-grade proposals in action?

Join proposal teams who trust MyBids.AI with their most sensitive RFPs. Start free — no credit card required.