Data handling

How tender data moves through DueBid

A customer-safe lifecycle that distinguishes upload completion, security review, analysis, human review, artifact delivery, and retention.

Effective date: June 25, 2026

Data lifecycle

Upload completion, security acceptance, analysis, human review, delivery, and deletion are distinct states.

  1. Upload

    Authenticated user selects a document and transfers parts through the application upload flow.

  2. Private quarantine

    A received file is held away from customer-visible analysis until security review completes.

  3. Malware/security review

    Security review decides whether the file can proceed. This is not business, legal, or tender verification.

  4. Accepted immutable version

    Only an accepted document version can become eligible for processing and analysis.

  5. Analysis

    DueBid performs requirement mapping and AI-assisted review work inside the workspace boundary.

  6. Human review/release gates

    Material findings are reviewed before customer-visible release where the workflow requires it.

  7. Customer-visible artifact

    Approved reports and files are delivered through authenticated application download routes, not public storage URLs.

  8. Retention expiry/deletion

    Artifacts can expire or be deleted according to approved retention, legal hold, backup, and security rules.

Verified technical control | Upload security

Uploads are not public URLs

Customer uploads move through authenticated application routes and backend-controlled upload sessions. The browser is not given a public object-storage URL.

Evidence: Workspace upload manager and BFF routes use application APIs and safe upload-session responses without internal storage identifiers or provider-specific routing fields.

Verified technical control | Data lifecycle

Upload completion is not acceptance

A completed transfer only means the file parts were received. The document is not accepted for analysis until the security review reaches an accepted version.

Evidence: Frontend intake types distinguish upload status from document security status and accepted_at version state.

Verified technical control | Data lifecycle

Security scan is not business verification

Security review checks whether a file can proceed through the workflow. It does not verify whether the document is legally sufficient, commercially acceptable, or correct for the tender.

Evidence: Document security states are separate from processing, proposal, and report review states.

Verified technical control | Data lifecycle

AI-assisted analysis is separate from human review

Automated extraction and analysis can prepare findings, but material customer-visible findings remain bounded by release and review gates.

Evidence: Report copy, sample report, and workspace states distinguish generated analysis from human review and customer-visible artifacts.

Verified technical control | Storage and delivery

Secure report artifact delivery

Report downloads are requested through authenticated application routes and short-lived delivery grants. UI copy never exposes internal storage names, object keys, provider URLs, or scanner details.

Evidence: Delivery parser accepts only grant id, secret, and expiration; route tests reject provider/internal fields.
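
The strict delivery-grant parsing described above, sketched as an added example that is not DueBid's code: the parser rejects any field outside the three allowed ones instead of silently dropping it, so a leaked storage key or provider URL fails loudly. The field names `grantId`, `secret`, `expiresAt`, the five-minute lifetime bound, and all sample values are assumptions constructed for illustration.

```javascript
// Added example, not DueBid's code. Field names and lifetime bound are assumptions.
const ALLOWED_FIELDS = ["grantId", "secret", "expiresAt"];
const MAX_GRANT_LIFETIME_MS = 5 * 60 * 1000; // assumed meaning of "short-lived"

function parseDeliveryGrant(payload, nowMs = Date.now()) {
  if (payload === null || typeof payload !== "object" || Array.isArray(payload)) {
    return { ok: false, error: "not_an_object" };
  }
  // Reject unknown keys outright: an extra field such as an object key or
  // provider URL signals a backend regression and must not reach the UI.
  const unexpected = Object.keys(payload).filter((k) => !ALLOWED_FIELDS.includes(k));
  if (unexpected.length > 0) {
    // Report field names only, never values, so errors cannot leak secrets.
    return { ok: false, error: "unexpected_fields", fields: unexpected.sort() };
  }
  for (const field of ALLOWED_FIELDS) {
    if (typeof payload[field] !== "string" || payload[field].length === 0) {
      return { ok: false, error: "missing_or_invalid_" + field };
    }
  }
  const expiresMs = Date.parse(payload.expiresAt);
  if (Number.isNaN(expiresMs)) return { ok: false, error: "invalid_expiry" };
  if (expiresMs <= nowMs) return { ok: false, error: "expired" };
  if (expiresMs - nowMs > MAX_GRANT_LIFETIME_MS) {
    return { ok: false, error: "lifetime_too_long" };
  }
  // Build a fresh frozen object holding only the allowed fields.
  const grant = Object.freeze({
    grantId: payload.grantId,
    secret: payload.secret,
    expiresAt: expiresMs,
  });
  return { ok: true, grant };
}

// Constructed sample responses (not real grants, keys, or URLs).
const NOW = Date.parse("2026-06-25T12:00:00Z");
const base = { grantId: "g_example_1", secret: "s_example" };
const SAMPLES = {
  valid: { ...base, expiresAt: "2026-06-25T12:02:00Z" },
  leaky: { ...base, expiresAt: "2026-06-25T12:02:00Z",
           objectKey: "placeholder/key", providerUrl: "https://storage.example.invalid/x" },
  expired: { ...base, expiresAt: "2026-06-25T11:59:00Z" },
  longLived: { ...base, expiresAt: "2026-06-26T12:00:00Z" },
};
```

A route test in the spirit of the evidence line would feed the `leaky` sample to the parser and assert that it is rejected with the offending field names.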

Verified technical control | Data use

No cross-customer model training by default

Customer documents are processed for the requesting workspace and are not used for cross-customer model training by default. Customer-specific memory remains tenant-scoped. Feedback may create tenant-private dataset candidates under policy, and broader use requires explicit authorization and review.

Evidence: Frontend exposes tenant-scoped Company Memory and report feedback; backend outcome intelligence stores feedback-derived DatasetCandidate rows with data_boundary tenant_private and pending_review status.

Verified technical control | Data use

Feedback candidates remain tenant-private

Customer feedback can be used to improve the customer's own reviewed workflow context. Candidate labels remain tenant-private and require review before they become approved dataset records. DueBid does not publish a global training system as active.

Evidence: Backend outcome intelligence creates DatasetCandidate records scoped by tenant_id and workspace_id, marks them tenant_private, and requires operator review before approval or rejection.