BidReady AI

Spec intelligence for precon teams

Trust & Security

Your specs stay yours.

BidReady AI is built for construction teams that need clear data provenance, tenant isolation, and predictable controls. Here's exactly how we handle your projects — in plain language.

  • TLS encryption: in transit, end-to-end
  • No model training: on your data, ever
  • Per-project isolation: ownership enforced
  • You're in control: export & delete anytime

Last updated: June 2026

Security principles

The commitments we design every feature around.

Encryption in transit

TLS is enforced end-to-end between your browser, our functions, and Google Cloud. Data at rest is encrypted by Google Cloud.

No training on your data

Your documents and prompts are used to answer your questions only. We don't sell your data or use it to train models.

Per-project isolation

Every project has an owner. Ownership and team access are re-checked in security rules and in every server function.

Least-privilege access

Secrets live in server-side environment config — never in the client bundle. Viewer/editor roles limit what teammates can do.

Minimal logging

We keep lean operational logs for reliability and abuse prevention. Share endpoints are rate-limited and PIN-validated.

Provenance you can verify

Answers carry citations back to the source page, with a manual-verification prompt — so you can check the AI, not just trust it.

Architecture

Where your data lives and what processes it.

Cloud: Google Cloud / Firebase — Authentication for sign-in, Cloud Firestore for projects and messages, Firebase Storage for uploaded files, and Cloud Functions for server-side processing.

AI model: Google Gemini powers chat, compliance audits, and extracts. Prompts are constructed server-side with citation and guardrail instructions.

Storage: Original files are kept in Firebase Storage; extracted text is stored per project in Firestore so audits and extracts stay fast and scoped.

Isolation: Project ownership is enforced by Firestore security rules and independently re-verified inside every callable and HTTPS function.
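The isolation check described above (and the authentication and access-role practices listed under Security practices) re-verifies identity and project ownership inside the server function itself, regardless of what the client or Firestore rules already did. The following is an added example, not BidReady's own code: a callable-style handler with an in-memory Map standing in for the Firestore projects collection and Firebase-style error codes; names such as `authorizeProjectAction` are assumptions.

```javascript
// Added example (not BidReady's own code): a callable-style server function that
// re-checks identity and project ownership/role before acting, independent of
// whatever the client or Firestore security rules already checked.
// ASSUMPTION: in-memory Maps stand in for the Firestore `projects` collection.
const projects = new Map([
  ['proj-1', { ownerUid: 'alice', members: new Map([['bob', 'editor'], ['carol', 'viewer']]) }],
]);

// Actions each team role may perform; the owner may do everything.
const ROLE_ACTIONS = {
  viewer: new Set(['read']),
  editor: new Set(['read', 'write']),
};
const ALL_ACTIONS = new Set(['read', 'write', 'delete', 'share']);

// Returns { ok: true, role } or { ok: false, code } using Firebase-style error codes.
function authorizeProjectAction(auth, projectId, action) {
  // 1. Identity: no verified auth context means the call is rejected outright.
  if (!auth || typeof auth.uid !== 'string' || auth.uid.length === 0) {
    return { ok: false, code: 'unauthenticated' };
  }
  if (!ALL_ACTIONS.has(action)) return { ok: false, code: 'invalid-argument' };

  // 2. Ownership: load the project server-side; never trust a client-sent role.
  const project = projects.get(projectId);
  // A non-member gets the same answer whether or not the project exists, so the
  // endpoint cannot be used to enumerate project ids.
  if (!project) return { ok: false, code: 'permission-denied' };
  if (project.ownerUid === auth.uid) return { ok: true, role: 'owner' };

  // 3. Team role: viewer/editor scope what a non-owner may do. Members is a Map,
  // so uids like "constructor" cannot collide with Object.prototype keys.
  const role = project.members.get(auth.uid);
  if (!role || !ROLE_ACTIONS[role] || !ROLE_ACTIONS[role].has(action)) {
    return { ok: false, code: 'permission-denied' };
  }
  return { ok: true, role };
}

// Shape of a callable handler: authorize first, then do the work.
function deleteProject(data, context) {
  const decision = authorizeProjectAction(context && context.auth, data.projectId, 'delete');
  if (!decision.ok) return { error: decision.code };
  projects.delete(data.projectId);
  return { deleted: data.projectId };
}
```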

Data handling & retention

What we keep, for how long, and why.

Retention: Projects, messages, files, and extracted text remain in your workspace until you delete them. Deleting a project removes its associated data.

Share links: Time-bound tokens stored in Firestore, with an optional PIN (stored hashed, never in plaintext) and rate-limited validation.

Exports: PDF/CSV/JSON exports are generated on demand. Personal names and contact details are redacted from exports by default.

Usage data: We track page and feature usage to enforce plan limits and improve reliability — not to profile you or sell to third parties.

Security practices

The controls behind the principles above.

Authentication: Firebase Auth; every server function re-checks identity and project ownership.

Transport: TLS enforced for all client, function, and storage traffic.

Secrets: Managed in Cloud Functions environment configuration; no secrets shipped in client bundles.

Abuse protection: Share endpoints are rate-limited with PIN validation; quota-aware retries handle provider spikes.

Access roles: Viewer and editor roles scope what team members can see and change on shared projects.

Infrastructure: Runs on Google Cloud, which maintains ISO 27001, SOC 2/3, and PCI DSS certifications for its platform.

Sub-processors

The third parties that process data to deliver the service.

Provider and purpose:

  • Google Cloud / Firebase: hosting, authentication, database, file storage, serverless functions
  • Google Gemini API: AI inference for chat, audits, and extracts
  • Stripe: subscription billing & payment processing
  • Email delivery (SMTP): transactional emails (invites, notifications) via Firebase Extensions

We don't sell data or share it with advertisers. Payment card data is handled entirely by Stripe — it never touches our servers.

Your controls

What you can do today, right from the app.

Delete anytime: Remove projects, files, and their extracted data on demand.

Export your work: Generate PDF, CSV, or JSON reports whenever you need them.

PIN-protect shares: Add a PIN and rely on expiring tokens for any link you share.

Control team access: Assign viewer/editor roles per shared project on Team plans.

Compliance status

SOC 2 in progress

We believe in being precise about what's done versus in flight.

Shipped

  • PII redaction on exports, on by default
  • Team roles (viewer / editor) on shared projects
  • Expiring, PIN-protected share links
  • Citations + manual-verification prompts on answers

In progress

  • SOC 2 Type II — underway, not yet certified
  • Enterprise audit log & access history
  • Configurable data-retention windows
  • Signed DPA & sub-processor change notifications

Questions, vendor reviews & disclosure

Running a security or procurement review? We're happy to walk through architecture, data flows, and our compliance roadmap. If you've found a vulnerability, please report it responsibly and give us a reasonable window to remediate before any public disclosure.