AutoRFP.ai Security Overview

Learn more about AutoRFP.ai's security posture with our Security Overview Document. We provide insights on how we keep Customer Data safe, secure and private without any training of AI models on customer data.

  • ISO 27001:2022
  • SOC 2 Type II
  • GDPR Compliant
  • AES-256 at Rest
  • TLS 1.2+ in Transit
  • MFA + SSO Enforced
ISO 27001:2022 certifiedAICPA SOC 2 compliant

AES-256

Encryption at rest

24/7

Logging & monitoring

Annual

Third-party pen tests

Quarterly

Access reviews

Information Security Program

A documented program, reviewed continuously

AutoRFP maintains a comprehensive written information security program (ISP) designed to protect the confidentiality, integrity, and availability of Customer Data. The ISP is based on industry-standard frameworks (including ISO 27001:2022 and SOC 2) and is reviewed and updated at least annually or in response to significant changes in the threat landscape.

Governance

A dedicated security team responsible for the development, implementation, and management of the ISP.

Risk Management

A formal risk assessment process to identify, analyze, and mitigate information security risks to AutoRFP and its customers.

Policy Framework

Documented policies and procedures communicated to all personnel — Acceptable Use, Access Control, Data Classification and Handling, Encryption, Incident Response, Secure Development, Physical Security, and Third-Party Risk Management.

Security Controls

Controls across every layer

Defense-in-depth measures span people, access, data, applications, and infrastructure.

Personnel Security

  • Background verification checks for all new employees, in accordance with local laws.
  • All personnel sign confidentiality agreements as a condition of employment.
  • Mandatory security awareness training upon hiring and annually thereafter.

Access Control

  • Least-privilege and role-based access control (RBAC) for systems processing Customer Data.
  • MFA required for all production access, enforced via SSO (Google and Microsoft supported).
  • Access rights reviewed at least quarterly and revoked promptly on termination or role change.
  • Automatic session timeouts for unattended devices.

Data Encryption

  • Data in transit encrypted using TLS 1.2 or higher over public networks.
  • Data at rest encrypted with industry-standard algorithms (e.g. AES-256).
  • Workstation and laptop hard drives are encrypted.

Application Security

  • Formal secure SDLC with secure design reviews, threat modeling, and secure coding.
  • Logical data separation at the application and database level enforces clear tenant boundaries.
  • Regular vulnerability scanning; findings tracked, prioritized, and remediated by severity.
  • Independent third-party penetration tests at least annually (attestation available under NDA).

Network & Infrastructure

  • Hosted on leading cloud providers (AWS, Google Cloud) with SOC 2 / ISO 27001 / ISO 27017 controls.
  • Production logically isolated from non-production; firewalls, WAF, IDS, and DDoS mitigation deployed.
  • Endpoints managed via MDM with anti-virus, EDR, firewalls, and automatic locking.
  • Robust real-time logging and monitoring with integrity-protected log storage.

Security Operations

Always-on assurance

Beyond preventative controls, AutoRFP runs the programs that keep the Platform resilient and accountable.

Incident Management

A formal Security Incident Response Plan defines how we detect, respond to, and recover from incidents. Affected Customers are notified per the Data Processing Addendum.

Third-Party Risk

A risk-based program assesses vendors and sub-processors through initial due diligence and ongoing monitoring. The current sub-processor list is published in the Trust Center.

Business Continuity & DR

A Business Continuity and Disaster Recovery Plan with regular backups, failover testing, and geographically redundant infrastructure keeps the Platform available.

Audits & Certifications

Industry-standard certifications and attestations (e.g. ISO 27001:2022) demonstrate control effectiveness. Reports are available via the Trust Center or on request under NDA.

Shared responsibility

Customer is responsible for:

  • Securely managing user accounts, credentials, and access rights within the Platform.
  • The accuracy and legality of all Customer Data.
  • Configuring the Platform's security features as appropriate for its use case.

Updates to these measures

AutoRFP may update these Security Measures from time to time, provided that such updates do not result in a material degradation of the overall security of the Platform.

Request overview

Enter your email and our team will share this document for your vendor review.

We'll never share your email. Unsubscribe anytime. See our privacy policy.

Need the full contractual Security Exhibit? View on Legal

Product Demo

See it in Action

Find 30 minutes to learn more about AutoRFP.ai and what the ROI might be for you.