Skip to main content

Security at Fedprocai

Last updated: July 11, 2026

Federal contractors trust us with proposal strategy, past performance, and pricing history — some of the most competitive information a business holds. This page describes, in plain language, exactly how that data is protected. Every statement here reflects controls that are implemented today, not a roadmap.

Tenant isolation

Row-level security on every table. Your organization's data is isolated at the database layer, not just in application code — and cross-tenant isolation is verified by automated checks in our CI pipeline on every change.

Encryption everywhere

TLS encrypts all data in transit. Data is encrypted at rest with AES-256. API credentials you supply (such as a SAM.gov key) get an additional layer of AES-256-GCM application-level encryption with integrity verification on every read.

US-hosted infrastructure

Application servers run in Washington, D.C. (Vercel iad1) and the database in AWS us-east-1 (N. Virginia). Your proposal data does not leave United States regions.

Every AI action logged

Each AI generation is recorded with the model used, the prompt, the output, and the knowledge sources retrieved — a complete audit trail your compliance team can stand behind.

Access control

Role-based access (admin, reviewer, editor) inside each organization, with TOTP multi-factor authentication available on every account.

Your data, your rights

Self-service export of your organization's data and account deletion with a 30-day recovery grace period — no support ticket required.

How AI providers handle your data

Fedprocai calls AI models exclusively through commercial API agreements (OpenAI, Anthropic, and Google), under which your inputs and outputs are not used to train their models. Administrators choose which provider and model their organization uses in Settings, and every generation is written to an organization-scoped audit log.

Application-level defenses

  • Strict security headers on every response: HSTS, Content-Security-Policy, X-Frame-Options, and X-Content-Type-Options.
  • Cross-site request forgery protection on all state-changing requests, plus per-route rate limiting on authentication and AI endpoints.
  • Uploaded files are validated by content signature (magic bytes), never by the filename or declared type.
  • Server-side outbound requests are restricted by a host allowlist with private-network blocking to prevent server-side request forgery.
  • The user activity log is append-only at the database level — audit history cannot be silently rewritten.

Monitoring, backups, and incident response

Production errors are monitored continuously, and application logs automatically redact credentials and secrets before they are written. The database supports point-in-time recovery, and we maintain written incident-response and disaster-recovery runbooks, including defined severity levels and communication steps.

Certifications

Fedprocai does not currently hold third-party certifications such as SOC 2; formal audit readiness is on our roadmap. We publish this page so you can evaluate our actual controls in the meantime — and we would rather show you real implementation details than a badge.

Reporting a vulnerability

If you believe you have found a security issue, email support@fedprocai.com with the details. We review every report and will acknowledge yours promptly. Please do not access data that is not yours while investigating.

Questions about security during procurement or vendor review? Contact us — we are happy to walk your team through any control on this page.

We respect your privacy.

Fedprocai uses functional cookies to keep you signed in. With your consent we also use analytics cookies to understand how the product is used and improve it. You can change this any time. Read our privacy policy.