Security at Fedprocai
Last updated: July 11, 2026
Federal contractors trust us with proposal strategy, past performance, and pricing history — some of the most competitive information a business holds. This page describes, in plain language, exactly how that data is protected. Every statement here reflects controls that are implemented today, not a roadmap.
Tenant isolation
Row-level security on every table. Your organization's data is isolated at the database layer, not just in application code — and cross-tenant isolation is verified by automated checks in our CI pipeline on every change.
Encryption everywhere
TLS encrypts all data in transit. Data is encrypted at rest with AES-256. API credentials you supply (such as a SAM.gov key) get an additional layer of AES-256-GCM application-level encryption with integrity verification on every read.
US-hosted infrastructure
Application servers run in Washington, D.C. (Vercel iad1) and the database in AWS us-east-1 (N. Virginia). Your proposal data does not leave United States regions.
Every AI action logged
Each AI generation is recorded with the model used, the prompt, the output, and the knowledge sources retrieved — a complete audit trail your compliance team can stand behind.
Access control
Role-based access (admin, reviewer, editor) inside each organization, with TOTP multi-factor authentication available on every account.
Your data, your rights
Self-service export of your organization's data and account deletion with a 30-day recovery grace period — no support ticket required.
How AI providers handle your data
Fedprocai calls AI models exclusively through commercial API agreements (OpenAI, Anthropic, and Google), under which your inputs and outputs are not used to train their models. Administrators choose which provider and model their organization uses in Settings, and every generation is written to an organization-scoped audit log.
Application-level defenses
- Strict security headers on every response: HSTS, Content-Security-Policy, X-Frame-Options, and X-Content-Type-Options.
- Cross-site request forgery protection on all state-changing requests, plus per-route rate limiting on authentication and AI endpoints.
- Uploaded files are validated by content signature (magic bytes), never by the filename or declared type.
- Server-side outbound requests are restricted by a host allowlist with private-network blocking to prevent server-side request forgery.
- The user activity log is append-only at the database level — audit history cannot be silently rewritten.
Monitoring, backups, and incident response
Production errors are monitored continuously, and application logs automatically redact credentials and secrets before they are written. The database supports point-in-time recovery, and we maintain written incident-response and disaster-recovery runbooks, including defined severity levels and communication steps.
Certifications
Fedprocai does not currently hold third-party certifications such as SOC 2; formal audit readiness is on our roadmap. We publish this page so you can evaluate our actual controls in the meantime — and we would rather show you real implementation details than a badge.
Reporting a vulnerability
If you believe you have found a security issue, email support@fedprocai.com with the details. We review every report and will acknowledge yours promptly. Please do not access data that is not yours while investigating.
Questions about security during procurement or vendor review? Contact us — we are happy to walk your team through any control on this page.