Project-scoped access
Customer workspaces use revocable, time-limited access tokens. Project lookups are separated by the project identifier and sensitive routes are marked private and non-cacheable.
Trust centre
This page describes controls that exist today, and names the limitations that still matter. BIDREADY24 does not claim certifications, UK-only data residency or a completed legal-compliance audit.
Customer workspaces use revocable, time-limited access tokens. Project lookups are separated by the project identifier and sensitive routes are marked private and non-cacheable.
The system retains source locations, excerpts, confidence and review flags with its findings so the receiver can inspect the basis of a decision.
Uploads are bounded by count and size, checked against extension, declared type and file signature, normalised for safe storage, hashed and deduplicated.
Internal analysis can run automatically. Outbound clarifications or submissions only become available when a receiver mandate and separately configured adapter permit them.
Data flow
Processing depends on the features enabled for your project and the service configuration.
Tender documents, extracted text, company evidence, analysis records and access data are processed and stored by the hosting environment used to operate BIDREADY24.
Tender excerpts and structured analysis context may be sent to OpenAI to produce schema-constrained findings. API requests are configured with storage disabled. Model output remains subject to the same source and uncertainty checks.
Stripe hosts checkout and processes payment and billing information. BIDREADY24 receives payment identifiers and signed webhook confirmation used to release a project.
Contact details or buyer-facing content are only sent to an external webhook or adapter when that integration is configured and the relevant action is requested or mandated.
Zero-invention policy
Current limitations
The current deployment uses application-attached persistent storage, not a dedicated customer object-storage architecture.
Automated end-to-end file deletion is not yet represented as a completed control. Contact support to request deletion; confirmation is handled operationally.
File type, signature, count, size and path checks are implemented. A separate antivirus scanning service is not yet claimed.
Magic-link projects are not equivalent to enterprise identity verification. Do not store buyer credentials or enable signing authority without additional access controls.
For privacy details and current service boundaries, read the privacy notice and data-handling statement.