AutoRFP.ai Security Overview
Learn more about AutoRFP.ai's security posture with our Security Overview Document. We provide insights on how we keep Customer Data safe, secure and private without any training of AI models on customer data.
- ISO 27001:2022
- SOC 2 Type II
- GDPR Compliant
- AES-256 at Rest
- TLS 1.2+ in Transit
- MFA + SSO Enforced

AES-256
Encryption at rest
24/7
Logging & monitoring
Annual
Third-party pen tests
Quarterly
Access reviews
Information Security Program
A documented program, reviewed continuously
AutoRFP maintains a comprehensive written information security program (ISP) designed to protect the confidentiality, integrity, and availability of Customer Data. The ISP is based on industry-standard frameworks (including ISO 27001:2022 and SOC 2) and is reviewed and updated at least annually or in response to significant changes in the threat landscape.
Governance
A dedicated security team responsible for the development, implementation, and management of the ISP.
Risk Management
A formal risk assessment process to identify, analyze, and mitigate information security risks to AutoRFP and its customers.
Policy Framework
Documented policies and procedures communicated to all personnel — Acceptable Use, Access Control, Data Classification and Handling, Encryption, Incident Response, Secure Development, Physical Security, and Third-Party Risk Management.
Security Controls
Controls across every layer
Defense-in-depth measures span people, access, data, applications, and infrastructure.
Personnel Security
- Background verification checks for all new employees, in accordance with local laws.
- All personnel sign confidentiality agreements as a condition of employment.
- Mandatory security awareness training upon hiring and annually thereafter.
Access Control
- Least-privilege and role-based access control (RBAC) for systems processing Customer Data.
- MFA required for all production access, enforced via SSO (Google and Microsoft supported).
- Access rights reviewed at least quarterly and revoked promptly on termination or role change.
- Automatic session timeouts for unattended devices.
Data Encryption
- Data in transit encrypted using TLS 1.2 or higher over public networks.
- Data at rest encrypted with industry-standard algorithms (e.g. AES-256).
- Workstation and laptop hard drives are encrypted.
Application Security
- Formal secure SDLC with secure design reviews, threat modeling, and secure coding.
- Logical data separation at the application and database level enforces clear tenant boundaries.
- Regular vulnerability scanning; findings tracked, prioritized, and remediated by severity.
- Independent third-party penetration tests at least annually (attestation available under NDA).
Network & Infrastructure
- Hosted on leading cloud providers (AWS, Google Cloud) with SOC 2 / ISO 27001 / ISO 27017 controls.
- Production logically isolated from non-production; firewalls, WAF, IDS, and DDoS mitigation deployed.
- Endpoints managed via MDM with anti-virus, EDR, firewalls, and automatic locking.
- Robust real-time logging and monitoring with integrity-protected log storage.
Security Operations
Always-on assurance
Beyond preventative controls, AutoRFP runs the programs that keep the Platform resilient and accountable.
Incident Management
A formal Security Incident Response Plan defines how we detect, respond to, and recover from incidents. Affected Customers are notified per the Data Processing Addendum.
Third-Party Risk
A risk-based program assesses vendors and sub-processors through initial due diligence and ongoing monitoring. The current sub-processor list is published in the Trust Center.
Business Continuity & DR
A Business Continuity and Disaster Recovery Plan with regular backups, failover testing, and geographically redundant infrastructure keeps the Platform available.
Audits & Certifications
Industry-standard certifications and attestations (e.g. ISO 27001:2022) demonstrate control effectiveness. Reports are available via the Trust Center or on request under NDA.
Shared responsibility
Customer is responsible for:
- Securely managing user accounts, credentials, and access rights within the Platform.
- The accuracy and legality of all Customer Data.
- Configuring the Platform's security features as appropriate for its use case.
Updates to these measures
AutoRFP may update these Security Measures from time to time, provided that such updates do not result in a material degradation of the overall security of the Platform.
Request received.
We've emailed you the document. Our team may follow up if additional verification is required.
Need the full contractual Security Exhibit? View on Legal
Product Demo
See it in Action
Find 30 minutes to learn more about AutoRFP.ai and what the ROI might be for you.