Trust Center

Verified launch trust boundaries

Customer-safe facts about DueBid product boundaries, data lifecycle, storage, delivery, account security, retention, subprocessors, and outage behavior.

Effective date: June 25, 2026

Data lifecycle

Upload completion, security acceptance, analysis, human review, delivery, and deletion are distinct states.

  1. 01

    Upload

    Authenticated user selects a document and transfers parts through the application upload flow.

  2. 02

    Private quarantine

    A received file is held away from customer-visible analysis until security review completes.

  3. 03

    Malware/security review

    Security review decides whether the file can proceed. This is not business, legal, or tender verification.

  4. 04

    Accepted immutable version

    Only an accepted document version can become eligible for processing and analysis.

  5. 05

    Analysis

    DueBid performs requirement mapping and AI-assisted review work inside the workspace boundary.

  6. 06

    Human review/release gates

    Material findings are reviewed before customer-visible release where the workflow requires it.

  7. 07

    Customer-visible artifact

    Approved reports and files are delivered through authenticated application download routes, not public storage URLs.

  8. 08

    Retention expiry/deletion

    Artifacts can expire or be deleted according to approved retention, legal hold, backup, and security rules.

Verified technical controlProduct boundary

Decision support only

DueBid helps bid teams organize tender evidence, map requirements, identify source-backed risk signals, and prepare digital report artifacts. Customers remain responsible for final legal, commercial, pricing, and submission decisions.

Evidence: Public product routes and report UI present DueBid as bid-risk decision support; no route provides legal representation or buyer submission.

Verified technical controlProduct boundary

No award or compliance guarantee

DueBid does not guarantee award, buyer acceptance, legal compliance, or complete risk detection.

Evidence: Existing copy and report panels state decision support boundaries; no entitlement or report type asserts award or compliance success.

Verified technical controlCommercial/legal

Hosted checkout is limited to digital products

Public pricing frames paid checkout as SaaS access, report credits, and downloadable digital report artifacts. It does not sell physical goods, procurement representation, legal advice, or bespoke consulting through hosted checkout.

Evidence: Pricing page and request-review form use digital report credit and SaaS plan language.

Verified technical controlUpload security

Uploads are not public URLs

Customer uploads move through authenticated application routes and backend-controlled upload sessions. The browser is not given a public object-storage URL.

Evidence: Workspace upload manager and BFF routes use application APIs and safe upload-session responses without internal storage identifiers or provider-specific routing fields.

Verified technical controlData lifecycle

Upload completion is not acceptance

A completed transfer only means the file parts were received. The document is not accepted for analysis until the security review reaches an accepted version.

Evidence: Frontend intake types distinguish upload status from document security status and accepted_at version state.

Verified technical controlData lifecycle

Security scan is not business verification

Security review checks whether a file can proceed through the workflow. It does not verify whether the document is legally sufficient, commercially acceptable, or correct for the tender.

Evidence: Document security states are separate from processing, proposal, and report review states.

Verified technical controlData lifecycle

AI-assisted analysis is separate from human review

Automated extraction and analysis can prepare findings, but material customer-visible findings remain bounded by release and review gates.

Evidence: Report copy, sample report, and workspace states distinguish generated analysis from human review and customer-visible artifacts.

Verified technical controlStorage and delivery

Secure report artifact delivery

Report downloads are requested through authenticated application routes and short-lived delivery grants. UI copy never exposes internal storage names, object keys, provider URLs, or scanner details.

Evidence: Delivery parser accepts only grant id, secret, and expiration; route tests reject provider/internal fields.

Verified technical controlAccess control

Authenticated workspace access

Dashboard routes require authenticated workspace access, and customer-facing BFF routes fail closed on missing sessions, denied workspace access, malformed backend data, or backend unavailability.

Evidence: Proxy dashboard auth gate, auth route handlers, workspace BFF tests, and access-control tests.

Verified technical controlAccount security

Account security controls

The account security UI supports password sessions, passkeys, TOTP MFA setup, recovery-code status, session visibility, and session revocation through backend-backed routes.

Evidence: Security center and account-security components use backend capability and session APIs.

Verified technical controlRetention/deletion

Retention and deletion are stateful

Deletion requests, artifact expiry, tombstones, backups, legal holds, and security holds may have different timelines. DueBid does not claim instant deletion from backups.

Evidence: Report artifact UI exposes retention expiry where provided; public copy avoids exact retention periods until approved launch content supplies them.

Verified technical controlOperations

Public production source maps are not served

The production build disables browser source maps and prunes public source-map files after build.

Evidence: next.config.mjs disables productionBrowserSourceMaps; scripts/build-and-prune.mjs runs scripts/prune-public-source-maps.mjs.

Verified technical controlOperations

Safe outage surfaces

Error and outage surfaces show safe recovery guidance and request IDs without exposing protected readiness, infrastructure topology, internal storage names, scanner names, or backend internals.

Evidence: Global and locale error pages render safe request IDs; BFF route handlers return sanitized backend-unavailable envelopes.

Not configured for launchOperations

Backup and restore commitments

Public backup and restore commitments require approved deployment input before publication.

Evidence: No approved public RPO, RTO, backup region, or restore-drill claim is checked into the frontend.

Not configured for launchOperations

No public certifications claimed

No SOC 2, ISO 27001, penetration-test, insurance, SLA, uptime, or audit-certification claim is published unless approved evidence is supplied.

Evidence: Trust-content scan rejects fake certification and uptime language.

Subprocessors and data region

No named production subprocessors or regions are published yet because approved launch content has not been supplied.

Good-faith security reporting boundaries

A public security contact is required before production launch. Until it is approved, this page documents safe reporting boundaries without inventing a contact.

  • Good-faith reports about DueBid public web, account, upload, report-delivery, and billing surfaces are in scope once a public security contact is approved.
  • Do not perform destructive testing, persistence, social engineering, spam, denial-of-service, data exfiltration, or testing against customer data.
  • Do not publicly disclose active vulnerabilities before DueBid has investigated and remediated the issue.

No public bug bounty is offered unless an approved bounty program is published.

Launch facts that require approved input

DueBid does not publish legal entity, region, subprocessor, DPA, SLA, or contact facts until they are approved.

Launch blockerStatus
Legal entityNot configured for launch
Registered addressNot configured for launch
Governing law and jurisdictionNot configured for launch
Hosting/data regionNot configured for launch
DPA availabilityNot configured for launch
Named subprocessorsNot configured for launch