Enterprise-grade security, built in

This Security Exhibit describes the technical and organizational security measures AutoRFP.ai implements to protect Customer Data processed in connection with the AutoRFP Platform. It is incorporated into the Main Agreement between AutoRFP and Customer.

  • ISO 27001:2022
  • SOC 2 Type II
  • GDPR Compliant
  • AES-256 at Rest
  • TLS 1.2+ in Transit
  • MFA + SSO Enforced
ISO 27001:2022 certifiedAICPA SOC 2 compliant

AES-256

Encryption at rest

24/7

Logging & monitoring

Annual

Third-party pen tests

Quarterly

Access reviews

Information Security Program

A documented program, reviewed continuously

AutoRFP maintains a comprehensive written information security program (ISP) designed to protect the confidentiality, integrity, and availability of Customer Data. The ISP is based on industry-standard frameworks (including ISO 27001:2022 and SOC 2) and is reviewed and updated at least annually or in response to significant changes in the threat landscape.

Governance

A dedicated security team responsible for the development, implementation, and management of the ISP.

Risk Management

A formal risk assessment process to identify, analyze, and mitigate information security risks to AutoRFP and its customers.

Policy Framework

Documented policies and procedures communicated to all personnel — Acceptable Use, Access Control, Data Classification and Handling, Encryption, Incident Response, Secure Development, Physical Security, and Third-Party Risk Management.

Security Controls

Controls across every layer

Defense-in-depth measures span people, access, data, applications, and infrastructure.

Personnel Security

  • Background verification checks for all new employees, in accordance with local laws.
  • All personnel sign confidentiality agreements as a condition of employment.
  • Mandatory security awareness training upon hiring and annually thereafter.

Access Control

  • Least-privilege and role-based access control (RBAC) for systems processing Customer Data.
  • MFA required for all production access, enforced via SSO (Google and Microsoft supported).
  • Access rights reviewed at least quarterly and revoked promptly on termination or role change.
  • Automatic session timeouts for unattended devices.

Data Encryption

  • Data in transit encrypted using TLS 1.2 or higher over public networks.
  • Data at rest encrypted with industry-standard algorithms (e.g. AES-256).
  • Workstation and laptop hard drives are encrypted.

Application Security

  • Formal secure SDLC with secure design reviews, threat modeling, and secure coding.
  • Logical data separation at the application and database level enforces clear tenant boundaries.
  • Regular vulnerability scanning; findings tracked, prioritized, and remediated by severity.
  • Independent third-party penetration tests at least annually (attestation available under NDA).

Network & Infrastructure

  • Hosted on leading cloud providers (AWS, Google Cloud) with SOC 2 / ISO 27001 / ISO 27017 controls.
  • Production logically isolated from non-production; firewalls, WAF, IDS, and DDoS mitigation deployed.
  • Endpoints managed via MDM with anti-virus, EDR, firewalls, and automatic locking.
  • Robust real-time logging and monitoring with integrity-protected log storage.

Security Operations

Always-on assurance

Beyond preventative controls, AutoRFP runs the programs that keep the Platform resilient and accountable.

Incident Management

A formal Security Incident Response Plan defines how we detect, respond to, and recover from incidents. Affected Customers are notified per the Data Processing Addendum.

Third-Party Risk

A risk-based program assesses vendors and sub-processors through initial due diligence and ongoing monitoring. The current sub-processor list is published in the Trust Center.

Business Continuity & DR

A Business Continuity and Disaster Recovery Plan with regular backups, failover testing, and geographically redundant infrastructure keeps the Platform available.

Audits & Certifications

Industry-standard certifications and attestations (e.g. ISO 27001:2022) demonstrate control effectiveness. Reports are available via the Trust Center or on request under NDA.

Shared responsibility

Customer is responsible for:

  • Securely managing user accounts, credentials, and access rights within the Platform.
  • The accuracy and legality of all Customer Data.
  • Configuring the Platform's security features as appropriate for its use case.

Updates to these measures

AutoRFP may update these Security Measures from time to time, provided that such updates do not result in a material degradation of the overall security of the Platform.

AutoRFP.ai Security Exhibit

This Security Exhibit (“Exhibit”) describes the technical and organizational security measures implemented by AutoRFP.ai Pty Ltd (“AutoRFP”) to protect Customer Data Processed in connection with the AutoRFP Platform.

This Exhibit is incorporated into the Main Agreement by and between AutoRFP and Customer. Capitalized terms not defined herein shall have the meaning set forth in the Main Agreement or the Data Processing Addendum.

1.0 Information Security Program

AutoRFP maintains a comprehensive written information security program (“ISP”) designed to protect the confidentiality, integrity, and availability of Customer Data. The ISP is based on industry-standard frameworks (including ISO 27001:2022 and SOC 2) and is reviewed and updated at least annually or in response to significant changes in the threat landscape. The program includes:

  • Governance: A dedicated security team responsible for the development, implementation, and management of the ISP.
  • Risk Management: A formal risk assessment process to identify, analyze, and mitigate information security risks to AutoRFP and its customers.
  • Policy Framework: A set of documented information security policies and procedures that are communicated to all personnel. Key policies include, but are not limited to: Acceptable Use, Access Control, Data Classification and Handling, Encryption, Incident Response, Secure Development, Physical Security, and Third-Party Risk Management.

2.0 Security Controls

2.1 Personnel Security

  • Background Checks: Background verification checks are conducted for all new employees in accordance with local laws.
  • Confidentiality: All personnel are required to sign confidentiality agreements as a condition of their employment.
  • Security Training: Personnel undergo mandatory security awareness training upon hiring and on an annual basis thereafter.

2.2 Access Control

  • Least Privilege & RBAC: Access to systems that Process Customer Data is granted based on the principle of least privilege and role-based access control (RBAC). AutoRFP granularly controls access to application resources, meaning all URLs and API endpoints are limited to only those users who require such access.
  • Authentication: Multi-Factor Authentication (MFA) is required for all access to production systems, critical infrastructure, and internal applications, enforced via Single Sign-On (SSO). AutoRFP supports SSO integration with Google and Microsoft.
  • Access Reviews: User access rights to production environments are reviewed on a regular basis (at least quarterly) and revoked promptly upon termination of employment or change in role.
  • Session Management: Automatic session timeouts are implemented to reduce the risk of unauthorized access from unattended devices.

2.3 Data Encryption

  • Encryption in Transit: All Customer Data transmitted over public networks (e.g., between the customer and the Platform) is encrypted using Transport Layer Security (TLS) version 1.2 or higher.
  • Encryption at Rest: All Customer Data stored within the Platform’s production environment is encrypted at rest using industry-standard encryption algorithms (e.g., AES-256). Workstation and laptop hard drives are also encrypted.

2.4 Application Security

  • Secure Software Development Lifecycle (SDLC): AutoRFP follows a formal SDLC process that integrates security at every stage, including secure design reviews, threat modeling, and secure coding practices.
  • Data Separation: Measures are implemented to ensure data collected for different purposes can be processed separately. This includes logical separation at the application and database level (e.g., separate API endpoints and database schemas for different services) to enforce clear boundaries in data processing.
  • Vulnerability Management: AutoRFP performs regular vulnerability scanning of its application and infrastructure. Identified vulnerabilities are tracked, prioritized, and remediated based on severity within defined service level agreements.
  • Penetration Testing: AutoRFP engages independent third-party security firms to conduct penetration tests of the Platform at least annually. Attestation to these reports can be made available to customers upon request and under a non-disclosure agreement.

2.5 Network and Infrastructure Security

  • Cloud Infrastructure: The Platform is hosted on leading cloud infrastructure providers (e.g., Amazon Web Services, Google Cloud Platform) that maintain state-of-the-art physical and environmental security controls and certifications (e.g., SOC 2, ISO 27001, ISO 27017).
  • Network Protection: Production environments are logically isolated from non-production environments. AutoRFP deploys protective technologies including firewalls, web application firewalls (WAF), intrusion detection systems (IDS), and DDoS mitigation services.
  • Endpoint Security: Company devices are managed via Mobile Device Management (MDM) software, configured with anti-virus software, firewalls, endpoint detection and response (EDR), and automatic desktop locking.
  • Logging and Monitoring: AutoRFP maintains a robust logging system that records key events across its infrastructure, including user access, system changes, and network activity. Logs are monitored in real-time to detect and respond to potential threats. The integrity of log data is protected through secure storage and access controls.

3.0 Security Incident Management

AutoRFP maintains a formal Security Incident Response Plan that defines the procedures for detecting, responding to, and recovering from Security Incidents. In the event of a Security Incident affecting Customer Data, AutoRFP will notify affected Customers in accordance with the terms of the Data Processing Addendum.

4.0 Third-Party Risk Management

AutoRFP maintains a risk-based program to assess the security posture of its third-party vendors and Sub-processors. This process includes initial security due diligence and ongoing monitoring to ensure that vendors continue to meet AutoRFP’s security requirements. A current list of Sub-processors is maintained at autorfp.ai/trust/subprocessors.

5.0 Business Continuity and Disaster Recovery

AutoRFP maintains a Business Continuity and Disaster Recovery Plan designed to ensure the availability of the Platform in the event of a significant disruption. This includes regular data backups, failover testing, and geographically redundant infrastructure.

6.0 Audits and Certifications

AutoRFP maintains industry-standard security certifications and attestations to demonstrate the effectiveness of its security controls. Information about our compliance program, including access to audit reports (e.g. ISO 27001), is available through the AutoRFP Trust Center or can be provided to customers upon request under a non-disclosure agreement.

7.0 Customer Responsibilities

Customer is responsible for: (a) securely managing user accounts, credentials, and access rights within the Platform; (b) the accuracy and legality of all Customer Data; and (c) configuring the Platform’s security features as appropriate for its use case.

8.0 Updates to Security Measures

AutoRFP may update or modify these Security Measures from time to time, provided that such updates or modifications do not result in a material degradation of the overall security of the Platform.

For security questions, please contact security@autorfp.ai.

Product Demo

See it in Action

Find 30 minutes to learn more about AutoRFP.ai and what the ROI might be for you.