Security

1. Infrastructure and Network Security

1.1 Cloud Infrastructure

BidGenie is built on industry-leading cloud infrastructure with multiple layers of security:

• Vercel: Application hosting and global CDN with automatic DDoS protection, edge network security, and 99.99% uptime SLA
• Supabase: PostgreSQL database, authentication, and file storage with SOC 2 Type II, GDPR compliance, and HIPAA eligibility
• Network Security: All traffic routed through encrypted connections with automatic SSL/TLS certificates
• DDoS Protection: Built-in protection against distributed denial-of-service attacks
• Geographic Distribution: Data can be stored in multiple regions (US, EU) for compliance and performance

1.2 Access Controls

• Production Access: Restricted to authorized personnel only, protected by multi-factor authentication
• Network Segmentation: Production systems isolated from development and staging environments
• IP Whitelisting: Administrative access restricted to approved IP addresses where applicable
• VPN Requirements: Internal systems require VPN access for additional security

2. Data Protection and Encryption

2.1 Encryption in Transit

• TLS 1.2+: All data transmitted between your device and our servers is encrypted using TLS 1.2 or higher
• HTTPS Enforcement: All connections automatically redirect to HTTPS with HSTS (HTTP Strict Transport Security)
• Certificate Management: SSL/TLS certificates automatically renewed and managed by our infrastructure providers
• API Security: All API endpoints require authentication and use encrypted connections

2.2 Encryption at Rest

• Database Encryption: All data stored in Supabase PostgreSQL is encrypted at rest using AES-256 encryption
• File Storage: RFP documents and uploaded files encrypted at rest in Supabase Storage
• Backup Encryption: All database backups are encrypted before storage
• Key Management: Encryption keys managed by our infrastructure providers using industry-standard key management systems

2.3 Data Backups and Recovery

• Automated Backups: Daily automated backups of all production data
• Point-in-Time Recovery: Database supports point-in-time recovery for up to 7 days
• Backup Retention: Backups retained for 30 days for disaster recovery purposes
• Backup Testing: Regular testing of backup restoration procedures
• Geographic Redundancy: Backups stored in multiple geographic locations

3. Authentication and Access Control

3.1 Authentication Methods

BidGenie uses Supabase Auth for secure user authentication:

• Email/Password: Secure password-based authentication with bcrypt hashing
• OAuth Providers: Sign in with Google, GitHub, or LinkedIn for convenience and security
• Magic Links: Passwordless authentication via email for organization invitations
• JWT Tokens: Stateless session management with secure token-based authentication
• Token Expiration: Access tokens expire after 1 hour, refresh tokens after 7 days
• Automatic Refresh: Tokens automatically refreshed by Supabase client to maintain sessions

3.2 Row-Level Security (RLS)

All database tables have Row-Level Security enabled to enforce multi-tenant data isolation:

• Organization Scoping: Users can only access data belonging to organizations they are members of
• Automatic Enforcement: RLS policies enforced at the database level, preventing unauthorized access even if application code has bugs
• Role-Based Access: Different permissions for owners, admins, and members within organizations
• Zero Trust Model: Every database query is verified against RLS policies, regardless of application layer
• Comprehensive Coverage: RLS enabled on all tables including RFPs, answers, library entries, subscriptions, and audit logs

3.3 API Security

• Authentication Required: All API endpoints require valid authentication tokens
• Input Validation: All request data validated using Zod schemas to prevent injection attacks
• Organization Verification: Every API request verifies the user has access to the requested organization
• Rate Limiting: API endpoints protected by rate limiting to prevent abuse (see Section 4.3)
• Error Handling: Error messages designed to not leak sensitive information

4. Application Security

4.1 Security Headers (OWASP Top 10)

BidGenie implements comprehensive security headers to protect against common web vulnerabilities:

• Content Security Policy (CSP): Restricts resource loading to prevent XSS attacks
• X-Frame-Options: DENY: Prevents clickjacking attacks
• X-Content-Type-Options: nosniff: Prevents MIME-type sniffing
• X-XSS-Protection: Additional XSS protection for older browsers
• Strict-Transport-Security (HSTS): Forces HTTPS connections for 1 year including subdomains
• Referrer-Policy: Limits referrer information leakage
• Permissions-Policy: Disables dangerous browser APIs (geolocation, microphone, camera)
• Cross-Origin Policies: COOP, CORP, and COEP headers for additional isolation

4.2 Secure Development Practices

• Code Reviews: All code changes reviewed for security implications before deployment
• Dependency Scanning: Regular scanning of dependencies for known vulnerabilities
• Type Safety: Full TypeScript coverage with strict type checking to prevent runtime errors
• Input Sanitization: All user inputs sanitized and validated before processing
• SQL Injection Prevention: Parameterized queries and ORM usage prevent SQL injection
• Secure Defaults: Security features enabled by default, requiring explicit opt-out if needed

4.3 Rate Limiting

Rate limiting protects against abuse and ensures fair resource usage:

• AI Generation: 10 requests per hour per user
• Exports: 5 requests per hour per user
• Authentication: 10 requests per 15 minutes per IP address
• General API: 100 requests per 15 minutes per user
• Organization-Based: Additional rate limiting at the organization level

5. Payment Security and PCI Compliance

BidGenie uses Dodo Payments for all payment processing, ensuring PCI DSS compliance:

• No Card Storage: BidGenie never stores or processes credit card information directly
• PCI DSS Level 1: Dodo Payments maintains PCI DSS Level 1 certification (the highest level)
• Secure Checkout: Payment information collected through Dodo Payments' secure checkout pages
• Tokenization: Payment information tokenized and stored securely by Dodo Payments
• Webhook Security: All payment webhooks verified using cryptographic signatures
• Customer Portal: Secure customer portal for managing billing and payment methods

6. File Storage Security

RFP documents and uploaded files are stored securely in Supabase Storage:

• Private Buckets: All storage buckets configured as private (not publicly accessible)
• Organization Scoping: Files organized by organization ID with RLS policies enforcing access control
• Upload Policies: Users can only upload files to their organization's folder
• Download Policies: Users can only download files from organizations they belong to
• File Size Limits: Maximum file size limits enforced to prevent abuse
• Virus Scanning: Files scanned for malware before storage (where supported by infrastructure)

7. Audit Logging and Monitoring

7.1 Audit Logging

Comprehensive audit logging tracks all significant actions:

• User Actions: All user actions logged including RFP uploads, answer generation, and exports
• Administrative Actions: Organization management, member invitations, and billing changes logged
• Credit Usage: Detailed tracking of credit consumption for billing and analytics
• Access Attempts: Failed authentication attempts and unauthorized access attempts logged
• Data Changes: Significant data modifications tracked with before/after values where applicable
• Retention: Audit logs retained for compliance and troubleshooting purposes

7.2 Security Monitoring

• Error Tracking: Sentry integration for real-time error monitoring and alerting
• Performance Monitoring: OpenTelemetry and Vercel Analytics for performance and availability tracking
• Anomaly Detection: Monitoring for unusual patterns that may indicate security issues
• Alert System: Automated alerts for security events requiring immediate attention
• Log Aggregation: Centralized logging for security event analysis

8. Access Management and Personnel Security

8.1 Principle of Least Privilege

• Role-Based Access: Personnel granted only the minimum access necessary for their role
• Regular Reviews: Access permissions reviewed regularly and revoked when no longer needed
• Service Role Keys: Service role keys used only for trusted backend operations (webhooks, migrations)
• No Direct Database Access: Production database access restricted to essential personnel only

8.2 Administrative Controls

• Multi-Factor Authentication: All administrative accounts require MFA
• Strong Password Policies: Enforced password complexity and regular rotation requirements
• Session Management: Administrative sessions timeout after periods of inactivity
• Access Logging: All administrative access logged and monitored
• Background Checks: Personnel with production access subject to background verification

9. Incident Response and Business Continuity

9.1 Incident Response Plan

BidGenie maintains a documented incident response plan:

• Detection: Automated monitoring and alerting for security incidents
• Response Team: Designated security response team with defined roles and responsibilities
• Containment: Procedures for quickly containing security incidents to prevent further damage
• Investigation: Systematic investigation process to determine root cause and scope
• Notification: Affected customers and regulators notified within 72 hours where required by law
• Remediation: Steps to remediate vulnerabilities and prevent recurrence
• Post-Incident Review: Lessons learned and process improvements after each incident

9.2 Business Continuity

• High Availability: Infrastructure designed for 99.99% uptime with automatic failover
• Disaster Recovery: Regular testing of disaster recovery procedures
• Data Redundancy: Data replicated across multiple geographic locations
• Backup Verification: Regular verification that backups are working and can be restored

10. Compliance and Certifications

10.1 Service Provider Certifications

Our service providers maintain the following certifications, which benefit BidGenie through our use of their services:

10.2 BidGenie Compliance

BidGenie maintains compliance with the following regulations through our policies, procedures, and technical measures:

10.3 What This Means for You

• Service Provider Security: Your data is protected by infrastructure providers with industry-leading certifications
• BidGenie Practices: We implement security best practices and comply with GDPR and CCPA through our policies and technical measures
• No Independent Certification: BidGenie itself has not undergone independent security audits or certifications (such as SOC 2 or ISO 27001)
• Continuous Improvement: We regularly review and improve our security practices to maintain compliance and protect your data
• Transparency: We are transparent about our security measures and compliance status

10.4 Future Certifications

As BidGenie grows, we may pursue independent security certifications (such as SOC 2 Type II) to provide additional assurance to enterprise customers. Any such certifications will be announced and reflected in this Security overview.

11. Responsible Disclosure

We welcome reports from security researchers and users who identify potential vulnerabilities. If you believe you have discovered a security issue:

• Email us at security@bidgenie.com with sufficient detail to help us investigate
• Include steps to reproduce the issue, potential impact, and any suggested fixes
• We ask that you do not publicly disclose the issue until we have had a reasonable opportunity to address it (typically 90 days)
• We will acknowledge receipt within 48 hours and provide regular updates on our progress
• We appreciate responsible disclosure and may recognize researchers who help improve our security

12. Contact Us

If you have questions about BidGenie's security practices, please contact us: