Security & Trust
How we protect your data
BidSparq is built for businesses that sell to government, so security and privacy are foundational. This page describes the controls we have in place today, the third parties we rely on, and how to report a vulnerability. We describe only what is actually implemented — nothing aspirational is stated as fact.
Encryption
All traffic to BidSparq is served over HTTPS (TLS 1.2+), with HSTS enforced for one year including subdomains. Data at rest is encrypted by our infrastructure providers: our database provider (Neon) encrypts stored data, and file and document storage (Cloudflare R2) is encrypted at rest.
Infrastructure & subprocessors
The application runs on a hardened server behind Cloudflare. The origin accepts traffic only from Cloudflare, administrative access is restricted to SSH key authentication, and a web application firewall filters malicious and automated traffic. The third parties that process data on our behalf:
- HetznerApplication hosting (EU/US data centers)
- CloudflareCDN, WAF, DNS, TLS termination
- NeonManaged PostgreSQL database (encrypted at rest)
- Cloudflare R2File/document storage (encrypted at rest)
- PolarPayments and subscription billing
- Postmark / BrevoTransactional and notification email
- OpenAI, AnthropicAI enrichment, scoring, and chat (no training on your data)
Authentication & access
Passwords are hashed with bcrypt and never stored in plaintext. Sessions use signed, HttpOnly, Secure, SameSite cookies, and are invalidated on password change so a changed password ends other sessions. Programmatic and AI-assistant access (our MCP integration) uses OAuth 2.1 with PKCE and short-lived, rotating tokens; API keys are stored only as hashes. Team workspaces enforce role-based permissions, and every request is scoped to the acting member's workspace.
Application security
Database queries are parameterized to prevent SQL injection, and every tenant-scoped request is checked for ownership. Inbound payment and email webhooks are cryptographically signature-verified before processing. Responses carry a strict Content-Security-Policy, HSTS, X-Frame-Options, and related security headers, and sensitive endpoints are rate-limited. We run a first-party security review of the codebase and address findings on a prioritized basis.
Data retention & deletion
We retain your account and pursuit data for as long as your account is active. You can request export or deletion of your data at any time by emailing [email protected]; we action verified deletion requests and remove data from active systems, with backups aging out on their normal rotation. Team members removed from a workspace immediately lose access.
Compliance posture
BidSparq is an independent, early-stage company. We are not currently SOC 2 certified, and we will not claim certifications we do not hold. The controls described on this page cover the same areas a formal security program evaluates, and we are happy to answer specific security-questionnaire questions — reach out to [email protected].
Vulnerability disclosure policy
We welcome reports of security issues from the research community. If you believe you have found a vulnerability in BidSparq, please email [email protected] with details and steps to reproduce.
What we ask: give us a reasonable opportunity to investigate and fix an issue before disclosing it publicly; do not access, modify, or delete data that is not yours; and do not run denial-of-service tests, spam, or social-engineering attacks against our users or staff.
Safe harbor: if you make a good-faith effort to comply with this policy, we will not pursue or support legal action against you for your research, and we will work with you to understand and resolve the issue quickly.
Scope: bidsparq.com and its subdomains. Our machine-readable contact is published at /.well-known/security.txt.
Contact
Security questions or reports: [email protected]. For product help, see the FAQ.