Trust centre

Security claims should be as traceable as tender claims.

This page describes controls that exist today, and names the limitations that still matter. BIDREADY24 does not claim certifications, UK-only data residency or a completed legal-compliance audit.

Project-scoped access

Customer workspaces use revocable, time-limited access tokens. Project lookups are separated by the project identifier and sensitive routes are marked private and non-cacheable.

Traceable analysis

The system retains source locations, excerpts, confidence and review flags with its findings so the receiver can inspect the basis of a decision.

Upload validation

Uploads are bounded by count and size, checked against extension, declared type and file signature, normalised for safe storage, hashed and deduplicated.

Bounded autonomy

Internal analysis can run automatically. Outbound clarifications or submissions only become available when a receiver mandate and separately configured adapter permit them.

Data flow

Where your information goes

Processing depends on the features enabled for your project and the service configuration.

01

Application hosting

Tender documents, extracted text, company evidence, analysis records and access data are processed and stored by the hosting environment used to operate BIDREADY24.

02

OpenAI API · when enabled

Tender excerpts and structured analysis context may be sent to OpenAI to produce schema-constrained findings. API requests are configured with storage disabled. Model output remains subject to the same source and uncertainty checks.

03

Stripe

Stripe hosts checkout and processes payment and billing information. BIDREADY24 receives payment identifiers and signed webhook confirmation used to release a project.

04

Configured support or action adapters

Contact details or buyer-facing content are only sent to an external webhook or adapter when that integration is configured and the relevant action is requested or mandated.

Zero-invention policy

What the system must not do

  • Create qualifications, policies, accreditations, insurance levels, customer references or performance claims that the customer has not supported.
  • Convert an ambiguous source into a confident mandatory requirement without leaving the source and uncertainty visible.
  • Present machine output as legal advice, certification, buyer acceptance or an award prediction.
  • Describe a buyer-facing action as complete when no configured adapter has returned a valid external confirmation.

Current limitations

Storage

The current deployment uses application-attached persistent storage, not a dedicated customer object-storage architecture.

Retention

Automated end-to-end file deletion is not yet represented as a completed control. Contact support to request deletion; confirmation is handled operationally.

Malware scanning

File type, signature, count, size and path checks are implemented. A separate antivirus scanning service is not yet claimed.

Identity and outbound actions

Magic-link projects are not equivalent to enterprise identity verification. Do not store buyer credentials or enable signing authority without additional access controls.

For privacy details and current service boundaries, read the privacy notice and data-handling statement.