Security & Privacy

How Bid Refinery handles your data, encryption standards, and GDPR compliance.

Bid Refinery is built for organisations that handle sensitive procurement data. This article explains our security architecture and your data rights.

Data storage

  • All data is stored in the European Union (Supabase hosted on AWS EU-West)
  • Tender documents and library files are stored in encrypted object storage
  • Database rows are encrypted at rest using AES-256

Encryption in transit

All communication between your browser, our servers, and third-party AI providers uses TLS 1.2 or higher. We do not downgrade to insecure protocols.

AI processing

Your tender content and library files are sent to Anthropic's Claude API for processing. Anthropic's enterprise data handling applies:

  • Data is not used to train models
  • No persistent storage on Anthropic's side beyond the request lifecycle
  • For EU-based data subjects, processing occurs under Standard Contractual Clauses (SCCs)

We never send your data to any other AI provider.

Access controls

  • Role-based access control (RBAC) with five permission levels
  • Every action is audit-logged with timestamp, user, and IP address
  • Audit logs are retained for 90 days and are available to Owners on request

Authentication

  • Password authentication uses bcrypt hashing with a minimum cost factor of 12
  • OAuth (Google) authentication uses the standard PKCE flow
  • Sessions expire after 24 hours of inactivity

GDPR

Bid Refinery is GDPR-compliant for UK and EU data subjects.

  • Right of access: Export all your data from Settings > Privacy > Export Data
  • Right to erasure: Delete your account from Settings > Privacy > Delete Account. All personal data is purged within 30 days.
  • Data Processing Agreement (DPA): Available at bidrefinery.com/dpa

Reporting security issues

Please disclose vulnerabilities responsibly to security@bidrefinery.com. We aim to respond within 24 hours.
