Trust Center
AutoRFP.ai Trust Center
Security, legal and compliance questions, answered.


- ISO 27001:2022
- SOC 2 Type II
- GDPR & UK GDPR
- CCPA
- EU Cloud CoC
Information Security
AutoRFP.ai implements enterprise-grade security through ISO 27001:2022 & SOC 2 Type II certification and comprehensive controls including real-time monitoring, multi-factor authentication, and least-privilege access.
The platform's infrastructure leverages AWS's fully managed containerised services with network isolation, WAF protection, and automated TLS certificate management, while development practices incorporate vulnerability scanning, static code analysis, and regular third-party penetration testing.
- GDPR Compliant
- EU, US or AU Hosting Options
- ISO 27001:2022 Certified
- SOC 2 Type II
Compliance & certifications
CCPA, EU Cloud CoC, GDPR, ISO 27001:2022, SOC 2
ISO 27001:2022
Certified ISMS
SOC 2 Type II
Audited controls
GDPR & UK GDPR
Privacy compliant
CCPA
US privacy compliant
EU Cloud CoC
Cloud code of conduct
Documents & resources
Security, compliance, and legal documentation for your vendor review. Reports and certificates are shared on request under NDA where applicable.
Security & compliance
Information Security Overview
Overview
ISO 27001:2022 Certificate
Certificate
Penetration Test Attestation
Attestation
SOC 2 Type I Report
Report
SOC 2 Type II Report
Report
Need something specific? Email security@autorfp.ai and our team will respond in line with our documented response times.
ISO 27001:2022 & SOC 2 compliant
AutoRFP.ai is ISO 27001:2022 certified and leverages Drata for real-time monitoring.
App Security5 controls
- Code Review Process
- Employee Disclosure Process
- Responsible Disclosure (Bug Bounty)
- Software Development Lifecycle
- Web Application Firewall
Data Security5 controls
- Point-in-time-Restore Backups
- Encryption In-Transit and at Rest
- Comprehensive Logging/Monitoring
- SSL/TLS Enforced
- System Access Control Policy
Infrastructure Security16 controls
- Restricted Access & 2FA
- Automatic Patch Management
- Multiple Availability Zones
- Security Patches Automatically Applied
- AWS Secure Key Management
- Malware Detection Software
- Messaging Queues Monitored & Alarmed
- NoSQL Database Monitored & Alarmed
- Servers Monitored & Alarmed
- Network Security
- Denial of Public SSH
- Firewalls
- Logging/Monitoring
- MFA on Accounts
- Session Lock
- Hard-Disk Encryption
Organizational Security8 controls
- Unique Accounts Used
- Acceptable Use Policy
- Code of Conduct
- Formal Security Training
- Disaster Recovery Plan
- Incident Response Plan
- Incident Response Team
- Product Security
Hosting options in US, EU & AU
We offer hosting in either the US, EU (Germany) or Australia, depending on your preferences and needs.
United States — US West (Oregon)
Europe — EU Central (Frankfurt)
Asia Pacific — Australia East (Sydney)
Data processing
Data processing & transfer
We have collated and completed a transfer impact assessment across where data entered into AutoRFP.ai may reside, and the appropriate risks associated.
For details as to our transfer impact assessment please email dpo@autorfp.ai or view our data transfer assessment below.
View Data Transfer Impact AssessmentIndustry-standard sub-processors
AutoRFP.ai enforces strict supplier policies that ensure compliance with GDPR, GDPR UK, CCPA and more.
Security & legal due diligence simplified
Privacy & Security Compliance
CCPA, EU Cloud CoC, GDPR, ISO 27001:2022, SOC 2
- Zero External AI Training
- Third-Party Indemnification
- EU Transfer Amendments
- 48hr Breach Notification
AI Privacy & Confidentiality
We ensure that none of the data provided by our customers is used to train public machine-learning models. All data is only used at runtime and is not retained by the model once complete.
- Azure, Google & AWS Models Only
- Zero Shared Model Training
- Regional AI Hosting
Internal Policies
Our internal policies are available to customers and prospects on request. Request the policy pack to access the documents below.
- Acceptable Use Policy
- Asset Management Policy
- Backup Policy
- Business Continuity Plan
- Change Management Policy
- Modern Slavery Policy
- Password Policy
- Responsible Disclosure Policy
- Code of Conduct
- Data Classification Policy
- Data Protection Policy
- Data Retention Policy
- Disaster Recovery Plan
- Risk Assessment Policy
- SDLC Policy
- System Access Control Policy
- Encryption Policy
- Incident Response Plan
- ISMS Plan
- Information Security Policy
- Logging and Monitoring Policy
- Utility Program Access Control Policy
- Vendor Management Policy
- Vulnerability Management Policy
Other Questions
How does AutoRFP.ai protect my sensitive RFP data?
AutoRFP.ai employs enterprise-grade security measures to protect your sensitive RFP data, including AES-256 encryption both in transit and at rest. We utilize a secure, logically separated environment for each customer with strict access controls based on role-based permissions. Our infrastructure undergoes regular security assessments and penetration testing, with critical vulnerabilities addressed within 24 hours according to our documented vulnerability management procedures. We maintain strict data boundaries between clients and implement comprehensive security controls as part of our ISO 27001:2022 certified information security management system.
Who has access to our RFP content within the AutoRFP.ai system?
Access to your RFP content is strictly limited to authorized users within your organization based on the roles and permissions you configure. AutoRFP.ai employees do not have direct administrative access to production data during normal business operations, as stated in our Data Protection Policy. All access attempts are logged and monitored in accordance with our Logging and Monitoring Policy, with user access rights reviewed annually to ensure appropriate access levels are maintained.
Is my data used to train AutoRFP.ai's AI models?
No. AutoRFP.ai implements logical separation of customer data at the database/datastore level using unique customer identifiers. Our data protection controls ensure that your proprietary RFP responses and content remain isolated from other customers. As explicitly stated in our Terms and Conditions, AutoRFP.ai “will not use Your Data for training of artificial intelligence models.” While we may generate aggregated and de-identified data for improving our services, your specific content is never used to train our AI systems.
What certifications and compliance standards does AutoRFP.ai maintain?
AutoRFP.ai is certified under ISO 27001:2022, the international standard for information security management systems. Our comprehensive security program implements controls across all aspects of our organization, from risk assessment to incident response. We have designed our data handling practices with privacy regulations in mind and can provide customers with documentation to support their compliance needs. For customers in regulated industries, we can discuss specific compliance requirements and our ability to meet them.
How is data segregated between different customers on the AutoRFP.ai platform?
AutoRFP.ai implements strict multi-tenant isolation through logical data segregation. As documented in our Data Protection Policy, “Customer data is logically separated at the database/datastore level using a unique identifier for the customer.” Our application enforces this separation through our API layer, where the customer identifier is included in the access token and used to restrict data access to the appropriate account. All database queries include the account identifier to maintain this separation, ensuring your competitive information remains confidential.
What is AutoRFP.ai's data retention and deletion policy?
In accordance with our Data Retention Policy, customer data is retained for as long as the account is active. When an account is voluntarily closed, expired data is retained for 2555 days (7 years), unless the customer explicitly requests deletion. If an account is involuntarily suspended, there is a 90-day grace period during which the account remains inaccessible but can be reopened if payment obligations are met. After 120 days, suspended accounts are closed and enter the expired state, with data being retained for the 7-year period thereafter (except when legally required to retain longer).
What security measures are in place for AutoRFP.ai's AI capabilities?
AutoRFP.ai's systems, including any AI functionality, operate within our ISO 27001:2022 certified security framework. All systems are subject to our comprehensive security controls, including access management, encryption, monitoring, and vulnerability management. Our secure software development lifecycle ensures that all features, including AI capabilities, undergo appropriate security review before deployment.
How does AutoRFP.ai ensure business continuity and disaster recovery?
AutoRFP.ai maintains a robust business continuity and disaster recovery program as documented in our Business Continuity Plan and Disaster Recovery Plan. Our systems are designed with redundancy in mind, with a Recovery Point Objective (RPO) of 60 seconds and a Recovery Time Objective (RTO) of 6 hours for critical services. In accordance with our policies, we conduct disaster recovery testing at least annually to verify our ability to restore services effectively, ensuring minimal disruption to your business operations in the event of a significant incident.
What is AutoRFP.ai's process for security vulnerability management?
AutoRFP.ai employs a comprehensive vulnerability management program as outlined in our Vulnerability Management Policy. This includes automated vulnerability scanning tools and regular penetration testing. Vulnerabilities are prioritized based on severity, with critical issues addressed within 24 hours, high-severity issues within 7 days, and medium-severity issues within 1 month. We maintain a responsible disclosure program through our dedicated security@autorfp.ai email address, and our Security Officer is responsible for analyzing and reporting security findings.
Does AutoRFP.ai provide an audit trail of user actions within the system?
Yes, AutoRFP.ai maintains comprehensive audit logs for system activities in accordance with our Logging and Monitoring Policy. These logs capture user authentication events, access attempts, data modifications, and administrative actions. Our logging system records details such as the type of action performed, when it occurred, who performed it, and whether it was successful. We retain them for a period sufficient to support security investigations and compliance requirements.
Who do I contact about data protection and privacy at AutoRFP.ai?
Louis Lloyd-Besson, our Chief Technology Officer, serves as the Information Security Officer responsible for privacy and data protection at AutoRFP.ai. For any privacy enquiries, data subject access requests, deletion requests, or questions about how we handle your data, contact security@autorfp.ai and our team will respond in line with our documented response times.
Looking for our agreements & policies?
The Legal Center holds the full Master Services Agreement, Privacy Policy, Data Processing Agreement, Service Level Agreement and Security Exhibit — the contractual backbone behind everything on this page.
Product Demo
See it in Action
Find 30 minutes to learn more about AutoRFP.ai and what the ROI might be for you.