Security Policy

We take protecting customer data seriously. This document describes the technical and organizational measures we use to safeguard the GovConHelp Service (the “Service”). It supplements our Privacy Policy and Terms of Service.

Security is a process, not a destination. If you find a vulnerability or have a question about our practices, contact [email protected]. Our target response times are:

• Vulnerability reports — initial acknowledgement within 2 business days; remediation timeline communicated within 5 business days of acknowledgement.
• General security questions — initial response within 5 business days.

1. Scope

This Policy applies to the production GovConHelp web application, its supporting infrastructure, the data we process on behalf of customers, and our staff handling of that data. It does not apply to customer-side controls (how you secure your own workstations, the strength of passwords you choose, etc.) or to third-party services we integrate with (see §12 Subprocessors).

2. Infrastructure & hosting

CURRENT The Service runs in a containerized deployment on Digital Ocean, hosted in United States. Customer data is stored in a PostgreSQL database with daily snapshots retained for 30 days. Uploaded files (logos, RFP PDFs, generated DOCX exports) are stored in a dedicated volume served through an authenticated Django view; the volume is not directly internet-reachable.

CURRENT All HTTPS traffic terminates at a reverse proxy (Caddy) which automatically provisions and renews TLS certificates via Let's Encrypt. HTTP traffic is redirected to HTTPS.

CURRENT Administrative interfaces (Django admin, ops dashboards) are gated by a source-IP allowlist enforced at both the proxy layer and the Django middleware layer. Anything outside the allowlist receives a 404 (intentionally — to prevent path-fingerprinting).

3. Encryption

3.1 In transit

CURRENT All traffic between your browser and the Service uses TLS 1.2 or higher. We do not accept unencrypted HTTP connections to authenticated routes.

3.2 At rest — database

CURRENT Sensitive credentials and integration secrets stored in the database (API keys for Anthropic, OpenAI, Stripe, SAM.gov, etc., webhook signing secrets, status-dashboard tokens) and the long-form customer-content columns (extracted RFP text, proposal section drafts, cost narratives, company tax IDs) are encrypted at the application layer using AES-256-GCM (authenticated encryption: 256-bit key, 96-bit per-write nonce, 128-bit authentication tag). The encryption key is stored as an environment secret separate from the database backups. Rows previously written under our Fernet scheme (AES-128-CBC + HMAC-SHA256) are read transparently and migrated to AES-256-GCM on the next maintenance pass; the legacy key is retired once every row has been re-encrypted.

CURRENT User passwords are stored as Django-format password hashes (PBKDF2-SHA256, default 600,000 iterations). We never store plaintext passwords. Password reset tokens are short-lived and single-use.

3.3 At rest — files

CURRENT Uploaded files are stored on encrypted block storage provided by our hosting vendor. Access requires authentication; the protected-media view enforces a per-request ownership check before bytes are streamed.

4. Access controls

4.1 Workspace isolation

CURRENT Every customer-facing view that returns or mutates data filters the query by the requesting user's workspace owner. Cross-tenant access via direct URL probing returns a 404. This isolation is enforced in code at every view function, audited as part of our security-review process.

4.2 Customer URLs

CURRENT Customer-facing URLs for Company and Proposal records use opaque 12-character identifiers ("public IDs") rather than sequential integers. This is information-disclosure defense — an outsider cannot probe /companies/<i>/ to estimate customer counts or growth velocity.

4.3 Staff access

CURRENT Staff (employees with administrative access to the running system) are subject to:

• IP allowlist — staff routes are gated by source IP at the proxy and middleware layers.
• Required multi-factor authentication — every staff account must have a TOTP authenticator enrolled. Unenrolled staff are bounced to the 2FA setup page before any administrative URL resolves.
• Audit logging — login, logout, login failures, password changes, impersonation start/end, and consequential record changes are recorded in an append-only audit table. Only superusers may delete audit entries; deletions are themselves logged.
• Impersonation transparency — when a staff member impersonates a customer Account for support purposes, the action is recorded with the operator's identity and time stamps, and the impersonation banner is visible to the impersonated customer in their audit dashboard.

4.4 Webhook integrity

CURRENT Incoming webhooks from Stripe are validated by signature comparison against the shared webhook secret. Unsigned or invalid requests are rejected before any state mutation. Webhook events are de-duplicated via a database-level lock to defeat replay attacks.

5. Authentication

5.1 Customer authentication

CURRENT Customers authenticate with email and password. Optional two-factor authentication via TOTP is available for customer accounts and recommended for any account that controls real proposal data.

5.2 Sessions

CURRENT Sessions are secured with HttpOnly + Secure cookies. CSRF protection is enforced on every state-changing request. Sessions are bound to a single browser and are invalidated by password change, MFA enrollment, account deletion, or staff-initiated session purge.

5.3 Tokenized links

CURRENT Team invites and email unsubscribe links use 64-character random tokens with adequate entropy (~384 bits). Tokens are stored only as SHA-256 digests; the cleartext token is never persisted server-side. Team invites expire after 14 days. Email unsubscribe operates POST-only (a GET renders a confirmation form) so prefetchers cannot accidentally unsubscribe a user.

6. AI data handling

CURRENT Portions of customer Workspace Content are transmitted to Anthropic (primary) and, when the circuit breaker trips or an operator manually toggles fallback, OpenAI (secondary). What we send for each task is described in the Privacy Policy §4.

CURRENT Both providers are accessed via paid API tiers. Per their respective commercial API terms in effect as of 17 May 2026, prompts and completions are not used to train models. We have not entered Zero-Retention agreements with either provider; standard abuse-monitoring retention applies. See:

• Anthropic Commercial Terms
• OpenAI Business Terms

CURRENT We log AI calls in our database with model name, token counts, estimated cost, duration, and success/error status. Prompt content and completion content are not stored in our system after the response is rendered to the customer.

ROADMAP Zero-retention or HIPAA-eligible AI-provider configurations for customers with elevated compliance requirements. Contact us if this is required for your contract.

7. Retention & deletion

CURRENT Customer data retention windows:

You may request deletion of your data via the in-app account-deletion flow at /profile/delete/ or by emailing [email protected].

8. Backups & disaster recovery

CURRENT The database is backed up by our hosting provider via automated daily snapshots, retained for 30 days. Uploaded files are backed up on the same cadence.

ROADMAP Documented quarterly disaster-recovery drills with measured RTO/RPO targets. Until established, our published recovery objectives are:

• Recovery Time Objective (RTO): 8 hours for a single-region outage
• Recovery Point Objective (RPO): 24 hours for unplanned data loss

9. Monitoring & logging

CURRENT Application errors are captured to server-side logs; sensitive fields (passwords, tokens, encrypted secrets) are scrubbed before any log entry is written.

CURRENT Operational dashboards expose worker health, queue depth, recent failures, and AI fallback usage to staff. A status endpoint (/status/) responds with health and degradation indicators; detailed status is restricted to staff sessions and to monitors carrying a short-lived signed token.

ROADMAP Independent log aggregation with tamper-evident retention. Currently logs reside on the application host.

10. Vulnerability management

CURRENT Dependencies are pinned via lockfile and updated periodically. Critical CVEs in customer-facing dependencies are evaluated within 14 business days and patched on a risk-prioritized basis.

CURRENT Source code changes are reviewed before merging to the production branch. Authorization-sensitive code paths receive additional review focused on workspace-scoping correctness.

ROADMAP Annual third-party penetration testing and a published bug-bounty program. Until established, we welcome and reward responsibly-disclosed reports through the channel in §13.

11. Incident response

CURRENT Our incident response process:

1. Detection. Through server logs, ops dashboards, customer report, or staff review.
2. Triage. A staff engineer assesses severity within 24 hours.
3. Containment. If the incident involves unauthorized access or data exposure, we revoke compromised credentials, isolate affected systems, and preserve forensic evidence.
4. Remediation. Root-cause fix deployed; verification testing completed.
5. Notification. Where required by law or our customer contracts, we notify affected customers within the applicable statutory window (typically 72 hours for breach notification under GDPR). For non-breach incidents that materially affect customers, we post to a status page and email Account holders.
6. Post-mortem. Documented internally; mitigations added to ongoing security backlog.

12. Subprocessors

We use the following third-party services to operate the Service. Each operates under its own security and compliance posture. See the Privacy Policy §5 for the full list and the data shared with each.

We update this page when we add a new subprocessor that processes customer Workspace Content. Customers who want explicit notification of subprocessor changes may subscribe to our security mailing list by emailing [email protected] with the subject “subprocessor notifications.”

13. Compliance posture

Currently aligned CURRENT

• GDPR / UK GDPR. We honor data-subject rights (access, correction, deletion, portability) on request. We rely on Standard Contractual Clauses for international transfers where required.
• CCPA / CPRA. We honor California-resident rights as described in the Privacy Policy.
• Stripe PCI compliance. Card data is handled by Stripe; we never see or store card numbers. Our integration is consistent with Stripe's published PCI guidance.

Roadmap ROADMAP

• SOC 2 Type I audit (target: 2027). Type II will follow once the audit window is established.
• Subprocessor change-notification email list (separate from product email).
• Public vulnerability disclosure / bug-bounty program.

Not claimed NOT CURRENT

• FedRAMP authorization — we are not FedRAMP Low, Moderate, or High authorized.
• NIST 800-171 / CMMC — we have not undergone a formal NIST 800-171 self-assessment or CMMC Level 2 / 3 third-party assessment.
• HIPAA — we do not sign Business Associate Agreements at this time.
• ITAR / EAR registered — do not transmit export-controlled technical data through the Service.
• ISO 27001 / 27017 / 27018 — not currently certified.

14. Reporting a vulnerability

If you find a vulnerability, security weakness, or data exposure:

1. Email [email protected] with a description of the issue, steps to reproduce, and any proof-of-concept material.
2. Allow us up to 2 business days to acknowledge receipt and a reasonable window to remediate before any public disclosure.
3. Do not access, modify, or exfiltrate data belonging to other customers. Limit testing to your own Account or test data.
4. Do not run automated scanners that affect Service availability for other customers.

For all other security inquiries (including customer assessments, SOC 2 status updates, subprocessor change history, or DPA execution), email [email protected].