See cited answers, before you trust them
A sample vendor security assessment, answered the RFP.ai way: every answer cited to source documents, scored for confidence — and one deliberately routed to a human, because the knowledge base couldn't back it.
Sample project
Northwind Procurement — Vendor Security Assessment
Q1. Describe your data encryption practices at rest and in transit.
All customer data is encrypted at rest using AES-256 and in transit using TLS 1.3. Encryption keys are managed through a dedicated KMS with annual rotation and access restricted to the infrastructure team.
Sources: Security_Whitepaper_2026.pdf, p. 4; Encryption_Policy_v2.docx, §3.1
Confidence: high · trust 94/100
Q2. Do you support single sign-on (SSO) via SAML 2.0?
Yes. SAML 2.0 SSO is supported on the Enterprise plan, including SP-initiated and IdP-initiated flows. Okta, Entra ID, and Google Workspace are validated identity providers; SCIM provisioning is available on request.
Sources: SSO_Implementation_Guide.docx, §2
Confidence: high · trust 91/100
Q3. How often do you perform penetration testing, and can you share results?
An independent penetration test is performed annually by a CREST-accredited firm, with critical findings remediated within 30 days. An executive summary letter is available to customers under NDA.
Sources: Pentest_Summary_2025.pdf, p. 1–2
Confidence: medium · trust 78/100
Q4. Where is customer data hosted, and can data residency be guaranteed?
Production data is hosted in EU data centers (Frankfurt, Dublin) by default. EU data residency commitments are documented in the DPA, and no customer content is transferred outside the EEA without SCCs in place.
Sources: DPA_v3.pdf, §5; Security_Whitepaper_2026.pdf, p. 9
Confidence: high · trust 96/100
Q5. Provide a current list of subprocessors and your change-notification process.
Held for review. Draft withheld — the most recent approved subprocessor list in the knowledge base is older than 12 months, so this answer was routed to a reviewer instead of being auto-drafted.
Sources: Subprocessor_List_2024.xlsx (outdated)
Confidence: low · trust 41/100
Routed to Security lead — source older than 12 months. The reviewer answers once; the approved answer is reused everywhere after that.
Q6. What is your incident response SLA for security events affecting customer data?
Security incidents are triaged within 1 hour, with customer notification for data-affecting incidents within 24 hours of confirmation, per the incident response runbook. A post-incident report follows within 5 business days.
Sources: IR_Runbook_2026.pdf, §4
Confidence: high · trust 88/100
Now run it on a real RFP — yours
Upload one live RFP or questionnaire and a few source documents. If the cited drafts don't hold up against this demo, cancel before the trial ends and pay nothing.
About this demo
The demo replays a pre-recorded sample workspace so you can see the experience instantly, without signup. In the product, answers are generated live against your own uploaded knowledge base — same citations, confidence scores, and review routing you see here.
That's the human-in-the-loop control. When the knowledge base has no current approved source for a question, RFP.ai doesn't guess — it flags the answer, withholds the draft, and routes it to the right reviewer. Approved answers then become reusable sources for next time.
Start a free 7-day trial (card required, not charged until it ends), upload one live RFP or questionnaire plus a few source documents, and compare the cited drafts against this demo. Setup takes minutes — there's no implementation project.