Security & Data Handling
We understand that tender documents are commercially sensitive. BidPilot is architected from the ground up to protect your data at every stage.
Encryption in Transit
All data transmitted between your browser and our servers is encrypted using industry-standard 256-bit TLS (SSL) encryption. This is the same level of encryption used by banks and government services. Your documents are never transmitted over unencrypted channels.
Zero Document Retention
Uploaded tender documents are processed entirely in-memory. We do not write your document content to disk, databases, or any persistent storage. Once your analysis is complete, all document data is permanently purged from our processing pipeline. There is no archive, no backup, and no way for us to retrieve your documents after processing.
AI Processing Safeguards
We use enterprise-grade AI APIs (Google Gemini) to extract structured data from your documents. Our AI processing is governed by strict safeguards:
No training on your data. Your documents are never used to train, fine-tune, or improve AI models. This is contractually guaranteed by our API agreements.
Ephemeral processing. Document text is sent to the AI model for analysis and discarded immediately upon response. No content is cached or logged by the AI provider.
Isolated sessions. Each analysis runs in an isolated processing context. Your data is never mixed with other users' data.
UK GDPR Compliance
BidPilot is designed to comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. Our data handling practices include:
Data minimisation — we collect only what is necessary to provide the service.
Lawful basis — we process data under contractual necessity and legitimate interest.
Right to deletion — you can request deletion of all personal data at any time.
Data portability — we can provide your data in a structured, machine-readable format.
Breach notification — in the unlikely event of a data breach, we will notify affected users and the ICO within 72 hours as required by law.
Infrastructure & Hosting
BidPilot is hosted on Vercel's enterprise cloud infrastructure, which provides SOC 2 Type II certified security controls, automated DDoS protection, and globally distributed edge networks. Payment processing is handled by Stripe, which is PCI DSS Level 1 certified — the highest level of payment security certification.
Security Questions or Concerns
If you have security questions, need a data processing agreement (DPA), or want to report a vulnerability, please contact our support team: