Security.
Last updated: 2026-05-02
This page describes how BidFit handles your data, what we store, who processes it on our behalf, and how we communicate when something goes wrong. It's written for procurement officers, IT leads, and anyone evaluating BidFit before pasting a tender URL.
What we store
- Tender notice content: the URL you paste and the publicly available text we fetch from it. These are public procurement documents.
- Generated briefs: the JSON verdict object we produce, keyed to a brief ID. Stored for retrieval after email capture.
- Company profile data (when you create one): NAICS codes, service provinces, certifications, capability statement, and the other fields you enter. Visible only to you.
- Email address (when captured): used to deliver briefs and product updates you opt into.
- Standard web telemetry: page views, button clicks, form submissions via Google Tag Manager. No third-party advertising cookies are placed without consent.
We do not store full attachment files (RFP PDFs, addenda) — only notice metadata extracted from public listing pages.
Encryption
- In transit: all traffic to bidfit.ca is HTTPS/TLS 1.3. HTTP is redirected to HTTPS at the edge. SSL certificates are auto-managed by our hosting provider.
- At rest: data stored by our hosting provider is encrypted at rest using AES-256.
- API keys and secrets are stored as encrypted environment variables, never in source code. Sensitive values are scoped to production with no developer-environment access.
Authentication
Account-based features are coming in a later release. The current free flow does not require authentication beyond email capture for brief delivery. When accounts launch, we will use industry-standard password hashing (bcrypt) and offer SSO (Google, Microsoft) for teams.
Third-party processors
BidFit is a small operation that relies on a short list of vetted vendors:
| Vendor | Purpose | Data shared |
|---|---|---|
| Vercel (US East) | Hosting + serverless compute + edge cache | All site traffic, request logs |
| Anthropic | Claude API for tender scoring | Tender notice text + your company profile (per request, not retained for training) |
| Google (Analytics, Tag Manager) | Site analytics | Aggregated event data, no PII |
| Meta (Pixel) | Retargeting pool building | Page views, anonymized event triggers |
Anthropic's API does not use customer inputs to train models (per their commercial terms). When we add Stripe for payments, we will update this list before processing the first transaction.
Breach notification
If we discover a security incident affecting customer data, we will notify affected users by email within 72 hours of confirming the scope. We will publish a public post-mortem within 14 days describing what happened, what data was involved, and what we changed to prevent recurrence. This commitment exceeds PIPEDA's "as soon as feasible" requirement.
Vulnerability reporting
If you find a security vulnerability, please email us before disclosing publicly. We will acknowledge receipt within 24 hours and provide a fix timeline within 7 days. We don't operate a paid bounty program yet, but we publicly thank reporters who find substantive issues (with permission).