Security

How we protect your company, bid, and opportunity data.

Encryption: TLS 1.2+ in transit; AES-256 at rest (Postgres + storage)
Tenancy: Row-level security; Postgres RLS enforced on every table
Hosting: US data residency; Supabase (AWS us-east-1)

Data at rest

All customer data is stored in a managed Postgres database with AES-256 encryption at rest, including daily snapshots, WAL archives, and object storage for uploaded files. Database credentials are managed through short-lived service-role tokens never exposed to browser clients. Backups are encrypted and retained for 7 days with point-in-time recovery.

Data in transit

Every connection to ContractsIntel — from your browser to the app, from the app to our database, and from our workers to SAM.gov / Grants.gov / USASpending — uses TLS 1.2 or higher with modern cipher suites. HTTP is never accepted; all requests to the production domain are HSTS-preloaded and redirected to HTTPS.

Tenant isolation

Every table that stores customer data has row-level security (RLS) policies that scope reads and writes to rows owned by the authenticated user's organization. The application layer never bypasses RLS on user-facing routes — service-role access is reserved for background workers (SAM ingestion, digest generation) and the bearer-token API path, which re-scopes every query to the API key's organization before executing.

That means a compromised user in one tenant cannot read another tenant's opportunities, pipeline, past performance, proposals, compliance matrices, or Bid Assist threads — the database itself enforces the boundary.

Authentication

User accounts are managed through Supabase Auth with email + password or OAuth. Passwords are hashed with bcrypt; session cookies are HttpOnly, Secure, SameSite=Lax, and rotate on every sign-in. We support SSO via Google OAuth and have a path for SAML on the Team tier.

Public API keys are generated as 32-byte random tokens, stored as SHA-256 hashes in the database (we never persist the plain key), prefixed for user recognition, and can be soft-revoked at any time from the dashboard.

SOC 2 roadmap

ContractsIntel is pursuing SOC 2 Type II attestation. Current status:

  • Type I readiness — policies, access reviews, and vendor inventory in place
  • Observation period — 6-month evidence collection begins after policy freeze
  • Audit — Type II audit scheduled with a Big-4 auditor

While the audit is in progress, enterprise prospects can request our security questionnaire, penetration-test summary, and vendor subprocessor list under NDA.

Vulnerability management

Production dependencies are scanned for known CVEs on every build; high-severity advisories block deploys. Quarterly third-party penetration tests cover the web app, API, and authentication surface. We operate a coordinated-disclosure program — please report suspected vulnerabilities to security@contractsintel.com and we will acknowledge within one business day.

Incident response

We maintain a written incident-response runbook with on-call rotation and a 72-hour breach-notification commitment to affected customers. Every production change is audit-logged, and high-severity incidents trigger a post-mortem that is shared with enterprise customers under their MSA.

Data handling for federal work

ContractsIntel is designed to help small contractors pursue federal opportunities, but it is not an authorized system for processing CUI, ITAR, or classified information. Do not upload classified material, controlled technical data, or ITAR-regulated content to the platform. For CMMC Level 2+ workloads, contact us about our compliant deployment roadmap.