
Security overview for buyer diligence

Review VeriRFP's current security program, AI processing boundaries, incident paths, and operational trust references. This page is written for real buyer diligence rather than broad marketing claims.

Last updated April 25, 2026

Direct answer

VeriRFP protects customer data through controlled AI processing, TLS 1.2+ encryption in transit and AES-256 at rest, role-based access controls, audit logs, and NDA-gated access to Trust Center documents. The platform has not yet completed SOC 2 Type II but publishes its current security posture, subprocessor list, and control alignment transparently.

Operational references for buyers

These pages answer the next questions procurement and security teams usually ask after the initial security review.
  • Versioned subprocessors
  • Security reporting policy
  • DPA and privacy requests
  • Status and uptime

Security program status

VeriRFP maintains a control program aligned to the security, availability, and confidentiality themes buyers usually review in SOC 2-style diligence. We have not completed a SOC 2 Type II audit, so we do not market one. This page is the operational summary we use while the formal audit path is still in progress.
  • Internal access is gated by role-based authorization and multi-factor authentication.
  • Production releases are verified with health checks, deployment sanity checks, and smoke coverage.
  • Security, privacy, and support contacts are published for procurement and incident follow-up.

Workspace isolation and data boundaries

Questionnaire responses, evidence, and buyer activity are scoped by workspace and role authorization. Public share surfaces are designed to keep discovery bounded and auditable.
  • Workspace-scoped data access is enforced before export, review, or public-share actions are executed.
  • Tokenized public routes are configured noindex and excluded from sitemap discovery.
  • Storage access is brokered through scoped, time-bound signed URLs.

Application hardening

VeriRFP ships production security headers, keeps dependency and release checks in the delivery path, and preserves operational telemetry needed to investigate issues quickly. This is an implementation summary, not a substitute for a customer-specific review.
  • TLS is enforced for production traffic and HSTS is enabled in production mode.
  • API and OAuth tokens are scoped and revocable.
  • Error monitoring and audit-oriented logging support investigation and remediation workflows.

Availability and incident operations

Operational health is published on the status surface, and customer-facing issues follow the reporting cadence documented in the security reporting policy. We describe the current operating model here rather than promising contractual SLA terms on this page.
  • Live health checks track the web app, MCP API, and worker surfaces.
  • Status and security-reporting pages document escalation paths and response cadence.
  • Buyer diligence questions about backup, recovery, or continuity are handled through the trust workflow.

Data handling and retention

  • Customer questionnaire/evidence data is scoped by workspace and role authorization.
  • Workspace admins can configure retention behavior for exported and uploaded artifacts.
  • Tokenized public routes are configured noindex and excluded from sitemap discovery.
  • Deletion and export requests are handled via support channels.
  • Privacy policy
  • Terms of service

AI processing boundary

When AI drafting is enabled, VeriRFP may send relevant text from your questionnaire and evidence to third-party model providers to produce the requested drafts. You control what you upload and what gets generated.
If your policy requires a non-AI workflow, draft and review features can be used with human-authored responses.
  • Product controls
  • Implementation support

Encryption and key management

  • TLS is enforced for production traffic and HSTS is sent in production mode.
  • Storage access is brokered using scoped, time-bound signed URLs.
  • API and OAuth tokens are scoped and revocable.
  • Least-privilege access is enforced at workspace and role layers.
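As an added illustration of the scoped, time-bound signed URL pattern referenced in the storage bullets above (example code, not VeriRFP's own broker): the HMAC covers the workspace, the object key and the expiry together, so none of them can be changed independently, and the verifier rejects a valid URL presented from a different workspace. The signing key, storage origin and query parameter names are assumptions.

```python
import hmac
import hashlib
import time
from typing import Optional, Tuple
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed sample key; a real broker loads this from a secret store.
SIGNING_KEY = b"constructed-example-signing-key"
STORAGE_ORIGIN = "https://storage.example.invalid"  # hypothetical origin


def _canonical(workspace_id: str, object_key: str, expires: int) -> bytes:
    # Bind workspace, object and expiry into one signed string so that altering
    # any single field invalidates the signature.
    return f"{workspace_id}\n{object_key}\n{expires}".encode()


def sign_storage_url(workspace_id: str, object_key: str, ttl_seconds: int,
                     now: Optional[int] = None) -> str:
    """Issue a URL for one object, valid only for one workspace and until expiry."""
    now = int(time.time()) if now is None else now
    expires = now + ttl_seconds
    sig = hmac.new(SIGNING_KEY, _canonical(workspace_id, object_key, expires),
                   hashlib.sha256).hexdigest()
    query = urlencode({"ws": workspace_id, "exp": expires, "sig": sig})
    return f"{STORAGE_ORIGIN}/{object_key}?{query}"


def verify_storage_url(url: str, requesting_workspace: str,
                       now: Optional[int] = None) -> Tuple[bool, str]:
    """Check signature first, then expiry, then workspace scope; return (ok, reason)."""
    now = int(time.time()) if now is None else now
    parts = urlsplit(url)
    q = parse_qs(parts.query)
    try:
        ws, exp, sig = q["ws"][0], int(q["exp"][0]), q["sig"][0]
    except (KeyError, ValueError):
        return False, "malformed"
    object_key = parts.path.lstrip("/")
    expected = hmac.new(SIGNING_KEY, _canonical(ws, object_key, exp),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        return False, "bad signature"
    if now >= exp:
        return False, "expired"
    if ws != requesting_workspace:
        return False, "workspace mismatch"
    return True, "ok"
```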

Incident response and reporting

If you discover a potential security issue, include impact, affected route, and reproduction steps in your report.
Commercial DPA request: admin@verirfp.com

Subprocessors and service providers

This list summarizes third-party providers used to deliver VeriRFP services and support processing activities. Contact admin@verirfp.com for the latest subprocessor confirmation before procurement sign-off.
The maintained, versioned inventory lives on /subprocessors. Use that route when a buyer needs the current transfer-control, region, or retention view.
Each entry lists the vendor, its purpose, the data category processed, and the applicable vendor policy.
  • Railway. Purpose: application hosting and runtime infrastructure. Data category: application telemetry and service runtime metadata. Policy: Railway policy.
  • Supabase. Purpose: Postgres database, authentication, and object storage. Data category: workspace records, account data, uploaded files, and access metadata. Policy: Supabase policy.
  • Stripe. Purpose: billing and subscription processing. Data category: payment metadata, subscription status, and invoices. Policy: Stripe policy.
  • OpenAI. Purpose: optional AI-assisted answer drafting. Data category: selected questionnaire/evidence text sent for model completion. Policy: OpenAI policy.
  • Resend. Purpose: transactional email delivery (signup, billing, security alerts). Data category: recipient email address, message subject, delivery metadata. Policy: Resend policy.
  • Cloudflare. Purpose: Private Edition desktop app update manifest and model-weight delivery. Data category: client IP, user-agent, and download metadata for Private Edition installations. Policy: Cloudflare policy.

AI agent governance

VeriRFP implements the Cloud Security Alliance Agentic Trust Framework (ATF) for Zero Trust governance of AI agents. Every AI agent operates under structured governance across five elements: identity management, behavioral monitoring, data governance, segmentation, and incident response.

Identity
Signed audit records, integrity attestations, and machine-readable capability manifests for governed agent types.
Monitoring
Rolling behavioral baselines with statistical anomaly detection. Alerts trigger within 60 seconds of behavioral deviation.
Incident Response
Automated safeguards can halt failing agents quickly, and workspace-level stop controls can terminate execution immediately.
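As an added illustration of the Monitoring and Incident Response elements above (example code, not VeriRFP's ATF implementation): a per-agent rolling baseline of one-minute event counts, a z-score check on each new minute, and a halt recommendation once consecutive minutes deviate. Window size, threshold and the sample counts are constructed assumptions; the baseline only absorbs non-anomalous samples so a misbehaving agent cannot quickly drag its own baseline upward.

```python
from collections import deque
from statistics import mean, pstdev
from typing import Dict, List


class RollingBaseline:
    """Scores one agent's per-minute activity count against its recent history."""

    def __init__(self, window: int = 30, threshold: float = 3.0,
                 min_samples: int = 10, halt_after: int = 2):
        self.history = deque(maxlen=window)   # recent normal per-minute counts
        self.threshold = threshold            # |z| above this is a deviation
        self.min_samples = min_samples        # no scoring until baseline exists
        self.halt_after = halt_after          # consecutive deviations before halt
        self.consecutive = 0

    def observe(self, count: int) -> Dict[str, object]:
        """Return alert/halt decision for the minute just completed."""
        if len(self.history) < self.min_samples:
            self.history.append(count)
            return {"alert": False, "halt": False, "z": 0.0}
        mu, sigma = mean(self.history), pstdev(self.history)
        sigma = max(sigma, 1.0)  # floor: a flat baseline still tolerates jitter
        z = (count - mu) / sigma
        alert = abs(z) > self.threshold
        if alert:
            self.consecutive += 1
        else:
            self.consecutive = 0
            self.history.append(count)  # only normal minutes update the baseline
        return {"alert": alert, "halt": self.consecutive >= self.halt_after,
                "z": round(z, 2)}


def evaluate_stream(counts: List[int]) -> Dict[str, List[int]]:
    """Run a whole sequence of per-minute counts; report alert and halt minutes."""
    baseline = RollingBaseline()
    alerts, halts = [], []
    for minute, count in enumerate(counts):
        result = baseline.observe(count)
        if result["alert"]:
            alerts.append(minute)
        if result["halt"]:
            halts.append(minute)
    return {"alerts": alerts, "halts": halts}
```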
View full ATF conformance matrix