Trust & Security

Plain-language security

Procurement and IT teams reviewing Proposerly: this page covers what we do with your data, who else touches it, and our compliance status. No marketing fluff.

Where your data lives

  • Proposals, RFP content, and your content library are stored in PostgreSQL on infrastructure we operate (Hostinger VPS, EU/India region) with full-disk encryption at rest.
  • Generated DOCX/PDF exports are written to a server-side export directory, served only over authenticated HTTPS sessions, and are not indexed or cached publicly.
  • We do not aggregate or anonymize your proposal text across customers.

AI provider boundary

  • We use Anthropic's Claude API for AI-generated drafts, requirement extraction, and bid analysis. The model we route to is Claude Sonnet 4.6.
  • Anthropic's enterprise API terms state customer prompts and outputs are NOT used to train Anthropic's foundation models.
  • When you click "Visualize" or "Generate" inside the editor, only the specific selection or requirement is sent — never your entire content library.

Encryption

  • All traffic between your browser and our backend is TLS 1.2+ with HSTS preload.
  • Database storage is encrypted at the disk layer.
  • Passwords are stored as bcrypt hashes; we never see them.
  • JWT access tokens are short-lived (60 minutes) with refresh tokens valid for 7 days.

Access & tenancy

  • Every API call requires a signed JWT tied to a specific organization membership.
  • Cross-tenant requests (forged org_id) are rejected at the FastAPI router layer before any database read.
  • Role-based access at the org level: owner, admin, member.
  • On-call engineers can access infrastructure with audit-logged sudo; no human-readable access to customer content without a written customer request.

Data retention & deletion

  • Account deletion requests are honored within 30 days. We purge: user records, organization records, proposals, sections, drafts, exports, and snapshots.
  • Backups follow a 30-day rolling retention window.
  • Audit logs (login activity, billing events) are retained for 12 months for security and accounting.

Compliance status

  • SOC 2 Type I: in progress, target 2026.
  • GDPR: aware. Data Processing Addendum available for Enterprise customers on request.
  • DPDP Act (India): in scope, Pre-CISO controls implemented.
  • HIPAA / BAA: available for Enterprise tier in healthcare contexts.
  • Penetration tests: planned annually starting 2027.

Sub-processors

These are the third parties that may handle customer data in the course of operating Proposerly:

AnthropicClaude API for AI drafts and analysis
Voyage AIEmbeddings for semantic content-library search (Pro+)
Dodo PaymentsSubscription billing
HostingerBackend VPS hosting (EU/India region)
VercelFrontend hosting and CDN

Responsible disclosure

Found a vulnerability? Email security@proposerly.com with the details. We acknowledge within 48 hours, patch P0 issues within 7 days, and credit you publicly if you'd like.

Need a security questionnaire?

For Enterprise procurement we'll fill out CAIQ, SIG, or your standard vendor questionnaire and provide reference architecture diagrams.

Request questionnaire →