Security

Security & data handling

Source Selection Sensitive handling for Pilot Sprints—clear boundaries, subprocessors named, deletion on request.

Operated by FedShredder. Customer-facing service: GovProposal Operations. Pack version 1.0.0.

Verifiable security pack

Download the full packet with SHA-256 checksums, subprocessor register, controls matrix, and claim-to-code verification report.

Every pack file is listed in security-pack-manifest.json with a SHA-256 checksum. CISOs can verify integrity before review.

Get-FileHash -Algorithm SHA256 "marketing\public\security\pilot-data-addendum.md"

  1. Spot-check 1 · Subprocessor register

    Open subprocessor-register.json — confirm Google Gemini API is listed with purpose limitation and terms URLs.

    subprocessor-register.json

  2. Spot-check 2 · No-training commitment

    Open pilot-data-addendum.md §2 — confirm Pilot Data is not used to train foundation models.

    pilot-data-addendum.md

  3. Spot-check 3 · Honest control status

    Open controls-matrix.csv — confirm SEC-007 (auth) and SEC-015/016 (SOC2/FedRAMP) show Not implemented / Not claimed.

    controls-matrix.csv

  4. Spot-check 4 · Artifact integrity

    Hash any pack file (SHA-256) and compare to the matching entry in security-pack-manifest.json.

    security-pack-manifest.json

  5. Spot-check 5 · Claim verification

    Open security-pack-verification-report.json — each claim lists repo file paths and extracted snippets.

    security-pack-verification-report.json
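A script that automates spot-check 4 over the whole pack, reporting altered, missing and unlisted files in one pass. This is an added example, not FedShredder's own tooling; it assumes the manifest lists entries as {"files": [{"path": ..., "sha256": ...}]}, a layout the page does not show.

```python
# Added example (not FedShredder's tooling). Assumed manifest layout:
#   {"files": [{"path": "...", "sha256": "<hex>"}]}  -- adjust `listed` if it differs.
import hashlib
import json
from pathlib import Path


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_pack(manifest: dict, contents: dict) -> dict:
    """Check a {path: bytes} mapping against the manifest.

    ok: hash matches; mismatched: file altered; missing: listed but absent;
    unlisted: present but not covered by the manifest (so not verifiable).
    """
    listed = {e["path"]: e["sha256"].lower() for e in manifest["files"]}
    result = {"ok": [], "mismatched": [], "missing": [], "unlisted": []}
    for path, expected in listed.items():
        if path not in contents:
            result["missing"].append(path)
        elif sha256_hex(contents[path]) == expected:
            result["ok"].append(path)
        else:
            result["mismatched"].append(path)
    result["unlisted"] = sorted(set(contents) - set(listed))
    return result


def verify_pack_dir(manifest_path: str) -> dict:
    """On-disk variant: hash every file beside the manifest and verify it."""
    mpath = Path(manifest_path)
    manifest = json.loads(mpath.read_text())
    contents = {p.relative_to(mpath.parent).as_posix(): p.read_bytes()
                for p in mpath.parent.rglob("*") if p.is_file() and p != mpath}
    return verify_pack(manifest, contents)


# Constructed sample pack: one intact file, one tampered, one missing.
SAMPLE_FILES = {
    "pilot-data-addendum.md": b"# Pilot Data Addendum\n## 2. No training on Pilot Data\n",
    "controls-matrix.csv": b"id,status\nSEC-007,Not implemented\n",
}
SAMPLE_MANIFEST = {"files": [
    {"path": "pilot-data-addendum.md", "sha256": sha256_hex(SAMPLE_FILES["pilot-data-addendum.md"])},
    {"path": "controls-matrix.csv", "sha256": sha256_hex(b"id,status\nSEC-007,Implemented\n")},
    {"path": "subprocessor-register.json", "sha256": "0" * 64},
]}
```

Run `verify_pack_dir("security-pack-manifest.json")` from the unpacked pack directory; any entry in mismatched or missing means the pack should not be reviewed as-is.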

Handling model

  • Solicitation packages are treated as Source Selection Sensitive—not used to train foundation models.
  • Pilot data is processed only to deliver the contracted matrix, volume map, and go/no-go artifacts.
  • We do not publish client solicitations, matrices, or identifiers on this website.

Retention & deletion

  • Pilot Sprint files are retained only for the sprint duration plus a 30-day handoff window unless your contract specifies otherwise.
  • Upon final deliverable handoff—or on written request—we purge uploaded RFPs, working extracts, and derived artifacts from active systems.
  • Backups, if any, follow the same deletion schedule documented in the Pilot Data Addendum.

Ingest rules

  • Evaluation: unclassified public solicitations or redacted Section L excerpts after entity verification (UEI/CAGE).
  • Live pursuits: mutual NDA + Pilot Data Addendum executed before secure upload.
  • We do not accept classified materials on the standard Pilot Sprint path.

Subprocessors

We name our LLM stack explicitly. Transparency builds trust faster than hiding vendors.

Full register: subprocessor-register.json

  • Google LLC (Gemini API / Google Cloud)

    Document extraction, requirement classification, and matrix structuring only.

    Vendor terms

Download templates

Execute NDA + PDA before uploading live solicitations. Counsel review recommended.

Roadmap

Roadmap toward SOC 2, NIST 800-171 alignment, and CMMC Level 2 for mid-tier primes scaling past pilot—we do not claim FedRAMP High or SOC 2 certification today.

Enterprise security intake

Include approximate FTE, concurrent pursuits, and any customer security questionnaire requirements.

Submit enterprise intake