Security & Compliance

Learn about our security practices, privacy commitments, and the documentation we provide during procurement reviews.

Encryption

All data is encrypted in transit (TLS 1.3) and at rest (AES-256) to protect your sensitive RFP information.

Access Control

Role-based access control (RBAC) ensures only authorized users can access your organization's data.

Security Reviews

We review security controls, address vulnerabilities, and improve the platform as the product and threat landscape evolve.

Monitoring & Alerting

We use logging, monitoring, and alerting to detect reliability and security issues and respond appropriately.

Infrastructure Security

Cloudflare Global Edge Network

RFP.ai is built on Cloudflare's secure global edge network, providing DDoS protection, WAF (Web Application Firewall), and automatic SSL/TLS encryption for all connections.

Primary EU Hosting

  • Core application storage is primarily hosted in the EU
  • The Cloudflare D1 database uses a Western Europe configuration, and R2 is configured for EU-focused storage
  • Some service providers may process limited categories of data outside the EEA with appropriate safeguards
  • Backups and retention follow the terms in our privacy and legal documentation
  • 30-day retention period after account cancellation for data export

Data Protection & Privacy

Privacy Program: We maintain privacy policies, a DPA, and workflows designed to support GDPR and related data protection obligations.

Zero AI Training: Your documents, RFP responses, and data are NEVER used to train AI models. All AI processing is performed on-demand via isolated API calls.

Data Isolation: Each organization's data is logically isolated. We design and test tenant-boundary controls to prevent cross-organization access to your RFP responses and knowledge base.

Right to Deletion: You can delete your data at any time. Upon request, we will permanently delete all your information within 30 days.

Compliance & Certifications

Current Security & Privacy Posture

  • GDPR: Privacy program and documentation aligned to GDPR obligations
  • International transfers: Standard Contractual Clauses (SCCs) and related safeguards where applicable
  • Infrastructure certifications: We rely in part on certified providers such as Cloudflare and Stripe. RFP.ai is not currently independently certified.

We continually review additional frameworks and will update this page when we formally pursue new attestations.

Third-Party Security

We carefully vet all third-party service providers to ensure they meet our security standards:

  • Cloudflare: Infrastructure, hosting, and security services (ISO 27001 certified)
  • Mistral AI: AI processing under contractual restrictions designed to prohibit model training and limit retention
  • Stripe: PCI-DSS compliant payment processing (we never store card numbers)

Incident Response

We maintain incident response procedures to detect, investigate, and address security incidents:

  • Logging, monitoring, and escalation workflows
  • Incident prioritization and internal response procedures
  • Customer notification where required by law or contract
  • Post-incident review and remediation planning
  • Continuous improvement based on lessons learned

Security Best Practices for Users

You can help protect your account by following these best practices:

  • Use a strong, unique password (at least 12 characters)
  • Enable two-factor authentication (2FA) when available
  • Review user access regularly and remove inactive users
  • Don't share login credentials with anyone
  • Report suspicious activity immediately
  • Keep your browser and operating system up to date

Security Documentation

Need more detailed security information for your procurement process? We provide:

  • Security white papers
  • Data Processing Agreements (DPA)
  • Standard Contractual Clauses (SCC)
  • Sub-processor and privacy documentation
  • Additional security materials when available and appropriate

Contact our security team at [email protected] to request these documents.

Vulnerability Disclosure

We appreciate the security research community's efforts to help keep RFP.ai secure. If you discover a security vulnerability, please report it responsibly:

How to Report Security Issues

  • Email: [email protected]
  • Include a detailed description of the vulnerability
  • Provide steps to reproduce the issue
  • Allow us reasonable time to fix the issue before public disclosure
  • Do not exploit the vulnerability or access user data

We aim to acknowledge reports promptly and keep reporters updated as appropriate.

Contact Security Team

For security-related questions, concerns, or to report an incident:

Security Team

Dutchcode B.V. - RFP.ai

Email: [email protected]

For general privacy inquiries: [email protected]

For urgent security incidents, please email [email protected] with "URGENT" in the subject line.

Security is a Journey, Not a Destination

We continuously improve our security posture through reviews, updates, and by staying current with the latest security best practices. Your trust is our most valuable asset.

Last reviewed: March 30, 2026