Security
BidClarity · Last updated: April 2026
BidClarity is a small, focused team. We are honest about our security posture: we use industry-standard hosted services, keep infrastructure minimal, and apply security controls appropriate to our current scale. Here is exactly what we do and do not do — across both BidClarity Intelligence (find and win) and BidClarity Fulfill (post-award delivery).
What is secured
✓
Payments — Stripe PCI DSS Level 1. BidClarity never stores, transmits, or touches your payment card details. All billing is processed by Stripe, a PCI DSS Level 1 certified payment processor. Card data is tokenised at entry and never reaches BidClarity's servers. You can manage your subscription, update payment methods, and cancel at billing.bidclarity.ai.
✓
Subscriber profiles and Fulfill records — access controlled. Your subscriber profile (capability keywords, NAICS codes, certifications) and your Fulfill records (contracts, deliverables, supplier contact details, invoices) are stored with strict per-subscriber access controls. No subscriber can access another subscriber's profile or Fulfill data. Profile and Fulfill data are not publicly accessible.
✓
Credentials and secrets — never in source code. No credentials or secret keys are stored in source code or version control. All secrets are managed securely as environment variables and are only accessible to the running application.
✓
Email — DKIM, SPF, and DMARC authenticated. All BidClarity emails are sent from the bidclarity.ai domain with DKIM signatures, an SPF record, and a DMARC policy configured. Receiving mail servers can therefore reject messages that forge a bidclarity.ai sender, and authenticated mail is far less likely to be filtered as spam, so reports and deliverable reminders reach your inbox.
✓
Scoring and matching engines — encrypted in transit. Your capability profile (Intelligence) and category / geography signals (Fulfill supplier matching) are transmitted to BidClarity's scoring and matching engines over encrypted connections (TLS 1.2+). Queries are submitted as one-time requests per report or workflow cycle and are not retained by the AI provider between cycles.
✓
HTTPS everywhere. The BidClarity website, portal, and Fulfill portal all use HTTPS. All unencrypted requests are redirected automatically.
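The per-subscriber access control item above is a promise about one invariant: a lookup must never return another subscriber's record. The example below is added here to show the difference between a lookup that breaks that invariant (an insecure direct object reference) and one that keeps it; it is illustrative code, not BidClarity's, and the subscriber IDs, record IDs, contract numbers and addresses are constructed sample data.

```python
"""Tenant-scoped lookups for Fulfill records.

Added illustration of the per-subscriber access control described above;
this is not BidClarity's code, and the subscribers, record IDs and contract
numbers are constructed sample data.
"""
from dataclasses import dataclass
from typing import Callable


class NotFound(Exception):
    """Raised both when a record does not exist and when it belongs to another
    subscriber, so the two cases are indistinguishable to the caller."""


@dataclass(frozen=True)
class FulfillRecord:
    record_id: int
    subscriber_id: str
    contract_number: str
    supplier_email: str


# Constructed sample data: two subscribers, three records, guessable IDs.
RECORDS = {
    101: FulfillRecord(101, "sub_acme", "C-2025-0001", "ops@supplier-a.example"),
    102: FulfillRecord(102, "sub_acme", "C-2025-0002", "ops@supplier-b.example"),
    201: FulfillRecord(201, "sub_globex", "C-2025-0003", "sales@supplier-c.example"),
}

Lookup = Callable[[str, int], FulfillRecord]


def get_record_insecure(subscriber_id: str, record_id: int) -> FulfillRecord:
    """Broken access control (an IDOR): the caller's subscriber is ignored and
    any authenticated user can read any record by guessing its ID."""
    try:
        return RECORDS[record_id]
    except KeyError:
        raise NotFound(record_id) from None


def get_record(subscriber_id: str, record_id: int) -> FulfillRecord:
    """Tenant-scoped lookup. subscriber_id must come from the authenticated
    session, never from the request body or URL; it is part of the lookup
    key, so another subscriber's record looks exactly like a missing one."""
    rec = RECORDS.get(record_id)
    if rec is None or rec.subscriber_id != subscriber_id:
        raise NotFound(record_id)
    return rec


def list_records(subscriber_id: str) -> list[FulfillRecord]:
    """Listings are filtered on the same tenant key as single-record reads."""
    return [r for r in RECORDS.values() if r.subscriber_id == subscriber_id]


def can_read(subscriber_id: str, record_id: int, lookup: Lookup = get_record) -> bool:
    """True if `lookup` returns the record to this subscriber."""
    try:
        lookup(subscriber_id, record_id)
        return True
    except NotFound:
        return False


def cross_tenant_leaks(subscriber_id: str, lookup: Lookup) -> list[int]:
    """Regression check for the isolation invariant: probe every known ID as
    subscriber_id and return the IDs that resolve to someone else's record."""
    leaked = []
    for rid, rec in RECORDS.items():
        if rec.subscriber_id != subscriber_id and can_read(subscriber_id, rid, lookup):
            leaked.append(rid)
    return leaked


if __name__ == "__main__":
    print("insecure leaks:", cross_tenant_leaks("sub_acme", get_record_insecure))  # [201]
    print("scoped leaks:  ", cross_tenant_leaks("sub_acme", get_record))           # []
```

In a relational store the same rule is the `WHERE subscriber_id = :sid AND id = :rid` predicate on every read, update and delete (or a row-level security policy that adds it for you); the `cross_tenant_leaks` probe is the kind of test that should run in CI so the predicate cannot be dropped from one query unnoticed.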
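Whether the email authentication item above actually stops spoofing depends on the values in the published records, not just their presence: an SPF record ending in `~all` and a DMARC policy of `p=none` only monitor. The checker below is an added example, not BidClarity's tooling, and evaluates constructed TXT records for two hypothetical domains rather than live DNS; point it at the output of `dig TXT <domain>` and `dig TXT _dmarc.<domain>` to check a real one.

```python
"""Evaluate SPF and DMARC TXT records for the settings that let receivers
reject spoofed mail. Added example, not BidClarity's tooling; the records
below are constructed for two hypothetical domains, not live DNS data.
"""
import re

# Constructed TXT records keyed by DNS name (what `dig TXT <name>` would return).
TXT = {
    "strong.example": ["v=spf1 include:_spf.mailer.example -all"],
    "_dmarc.strong.example": [
        "v=DMARC1; p=reject; rua=mailto:dmarc@strong.example; adkim=s; aspf=s"
    ],
    "weak.example": ["v=spf1 include:a.example include:b.example a mx ptr ~all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none; pct=50"],
}

# SPF terms that each cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|a\b|mx\b|ptr\b|exists:|redirect=)", re.I)
ALL_TERM = re.compile(r"^([+\-~?]?)all$", re.I)


def parse_spf(record: str) -> dict:
    """Return the qualifier on the trailing 'all' ('+', '-', '~', '?' or None)
    and the number of lookup-costing terms."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    all_qualifier, lookups = None, 0
    for term in terms[1:]:
        m = ALL_TERM.match(term)
        if m:
            all_qualifier = m.group(1) or "+"
        elif LOOKUP_TERM.match(term):
            lookups += 1
    return {"all": all_qualifier, "lookups": lookups}


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict, lower-casing the tag names."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def assess(domain: str, txt: dict = TXT) -> list[str]:
    """Return findings for one domain. An empty list means: exactly one SPF
    record ending in -all, and one DMARC record with p=reject at pct=100
    and an aggregate-report (rua) address."""
    findings = []

    spf = [r for r in txt.get(domain, []) if r.lower().startswith("v=spf1")]
    if len(spf) != 1:
        findings.append(f"{domain}: expected one SPF record, found {len(spf)}")
    else:
        s = parse_spf(spf[0])
        if s["all"] is None:
            findings.append(f"{domain}: SPF has no 'all' term (unlisted senders are neutral)")
        elif s["all"] != "-":
            findings.append(f"{domain}: SPF ends in '{s['all']}all', not '-all'")
        if s["lookups"] > 10:
            findings.append(f"{domain}: SPF needs {s['lookups']} DNS lookups (limit 10)")

    dmarc = [r for r in txt.get(f"_dmarc.{domain}", []) if r.startswith("v=DMARC1")]
    if len(dmarc) != 1:
        findings.append(f"{domain}: expected one DMARC record, found {len(dmarc)}")
    else:
        d = parse_dmarc(dmarc[0])
        if d.get("p") != "reject":
            findings.append(f"{domain}: DMARC policy is p={d.get('p')}, not p=reject")
        if d.get("pct", "100") != "100":
            findings.append(f"{domain}: DMARC applies to only pct={d['pct']}% of mail")
        if "rua" not in d:
            findings.append(f"{domain}: no rua= address, so spoofing attempts go unreported")
    return findings


if __name__ == "__main__":
    for name in ("strong.example", "weak.example"):
        print(name, assess(name) or "OK")
```

DKIM is deliberately left out of the checker: the public key lives at `<selector>._domainkey.<domain>` and the selector is only visible in the `DKIM-Signature` header of a message you have received, so verify it from a real message rather than from DNS alone.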
What your data contains (and does not)
Your BidClarity data describes your business, your contracts, and the suppliers you work with. It includes business contact details for your suppliers, but no payment card data, banking credentials, or authentication secrets, so the impact of any unauthorised access is far lower than that of a credential or financial-data breach.
✓
Capability profile — products, services, and industry classification (business information, not personal information)
✓
Business category codes (NAICS and equivalents) — publicly defined industry classifications
✓
Revenue range and financial capacity — stored as range buckets (e.g. "$500K–$2M"), not specific figures
✓
Fulfill contract records — contract number, agency, deliverable deadlines, invoice status (your operational records)
✓
Supplier contact records — business email, phone, and location that you enter to manage your supply chain
✗
No government portal credentials — BidClarity never requests or stores logins to SAM.gov, CanadaBuys, EU TED, UNGM, the World Bank procurement portal, or any other source portal
✗
No banking credentials, tax identification numbers, or government registration passwords
✗
No advertising — BidClarity never sells, shares, or uses subscriber data, contract data, or supplier data for advertising purposes
Data protection
✓
Data at rest. Subscriber profile data, Fulfill contract and supplier records, and procurement intelligence records are stored in an encrypted relational database managed by our cloud infrastructure provider. Backups are encrypted and retained for 7 days with automated daily snapshots.
✓
Data backups and recovery. Automated daily database backups are maintained with point-in-time recovery capability. Our target recovery time objective (RTO) is 4 hours for a complete infrastructure failure.
✓
Subprocessor security. BidClarity uses a small number of vetted third-party services in five categories — application hosting, AI inference, transactional email, website analytics, and payment processing (Stripe, PCI DSS Level 1). Each subprocessor is contractually bound to maintain data security standards consistent with its industry certifications. Categories and regions are listed in our Privacy Policy; specific provider names are available on request under NDA for enterprise evaluation.
✓
AI provider contracts. Our contracts with AI inference providers prohibit the use of your profile, contract, or supplier data to train their foundation models. Queries are ephemeral.
Incident response
In the event of a confirmed data breach affecting subscriber data, BidClarity will notify affected subscribers by email within 72 hours of becoming aware of the incident, consistent with our obligations under BC PIPA, PIPEDA, GDPR, and applicable privacy law. Notifications will describe the nature of the incident, the categories of data affected (including whether Fulfill contract or supplier records are involved), steps taken, and any actions recommended for subscribers. Security incidents can be reported to security@bidclarity.ai.
Security certifications
BidClarity does not currently hold SOC 2, ISO 27001, or FedRAMP certification. We are committed to transparency about our current posture. SOC 2 Type II preparation is underway with an accredited auditor. If your organisation requires a specific compliance certification for vendor approval, please contact us at hello@bidclarity.ai to discuss your requirements — enterprise subscribers may receive in-progress evidence and a target attestation date under NDA.
Penetration testing
Formal third-party penetration testing has not yet been conducted at our current scale. Our codebase is reviewed internally for common vulnerability classes (injection, authentication bypass, broken access control, insecure deserialisation) during development. Enterprise subscribers who require evidence of third-party security testing should contact us at hello@bidclarity.ai to discuss scope and timing.
Responsible disclosure
If you discover a security vulnerability in BidClarity, please report it to security@bidclarity.ai with "Security" in the subject line. We will acknowledge receipt within 24 hours and aim to resolve valid reports within 30 days. We ask that you do not publicly disclose vulnerabilities before we have had the opportunity to address them. We do not currently offer a formal bug bounty programme but will acknowledge contributors in our security changelog.
Questions
For any security-related question: hello@bidclarity.ai. We respond within 1 business day.