Security & Compliance

RFPfront is built for organizations that handle procurement workflows, vendor evaluations, proposal libraries, marketplace listings, and compliance-sensitive business documents. We use industry-standard safeguards — including encrypted transport, access controls, secure cloud infrastructure, and managed secret storage — to protect your information. No method of transmission or storage is 100% secure.

RFPfront runs on secure cloud infrastructure and applies layered technical controls, including:

• HTTPS/TLS encryption for data in transit
• Encryption at rest through managed cloud database and storage services
• Production credentials and API keys stored in managed secret storage, not in source code
• Server-side application logic with authenticated access to account and workflow data
• Operational logging and monitoring to support security review and incident response

For more detail on what we collect and how we use it, see our Privacy Policy.

RFPfront limits access through identity and authorization controls, including:

• Account authentication with protected application routes
• Role-based access for vendors, buyers, and administrative workflows
• Server-side authorization checks before proposal, marketplace, onboarding, and support actions
• Verification flows for key authentication paths
• Rate limiting on public and authenticated endpoints to reduce abuse

You are responsible for keeping your login credentials secure and for all activity under your account.

Proposal drafts, capability statements, certifications, pricing materials, uploaded RFP documents, and other content you submit may contain sensitive business information. RFPfront processes this content only as needed to provide the Platform and applies access controls so users can reach content they are authorized to use.

You represent that you have the right to upload, process, and share any content you submit, including documents that may contain confidential procurement materials, personal information, or third-party content.

Matching scores, GO/REVIEW/NO-GO recommendations, AI Readiness Advisor output, and AI-drafted proposals or grant applications are generated using artificial intelligence and are provided for informational and drafting assistance only. RFPfront does not guarantee contract award, grant award, eligibility determination, or regulatory compliance. You are solely responsible for independently reviewing, verifying, and editing any AI-generated content before relying on it or submitting it to any government entity.

RFPfront relies on third-party service providers to operate the Platform, including Anthropic (Claude API, for AI-assisted matching and drafting), Google Cloud (Vertex AI, Document AI, Cloud SQL, Cloud Storage, Secret Manager), Resend (email delivery), and Stripe (payment processing). RFPfront is not responsible for outages or issues originating from these third-party providers.

The Platform also incorporates public procurement data from sources including SAM.gov, Grants.gov, and USASpending.gov. That data is provided "as is"; RFPfront does not guarantee its accuracy, completeness, or timeliness.

RFPfront supports workflows that may involve regulated-sector requirements such as HIPAA, SOC 2, CMMC, FERPA, accessibility, cybersecurity, and public-sector procurement controls. The Platform helps organize and evaluate compliance information, but it does not certify your organization, replace legal review, or guarantee procurement eligibility.

RFPfront may support SOC 2 or similar readiness activities, but we do not claim a certification unless a formal audit has been completed and made current.

Vendor marketplace listings, certification claims (including WBE, MBE, Dual, Federal, or Local status), and related profile information are submitted by vendors. RFPfront does not independently verify certification claims and disclaims responsibility for their accuracy. Submitting false certification information may result in account termination.

We may update this Security & Compliance page from time to time. We will post the updated version with a new "Last Updated" date.

Questions about security, compliance, or this page can be sent to privacy@vitatechgroup.com. To report a suspected security issue, include enough detail for us to investigate.