Security
Security & data handling
Source Selection Sensitive handling for Pilot Sprints—clear boundaries, subprocessors named, deletion on request.
NDAs and Pilot Sprint engagements are executed with FedShredder LLC. Pack version 1.0.0.
One-page data handling summary for PM, capture, or CISO—before live upload.
Verifiable security pack
Download the full packet: SHA-256 checksum manifest, subprocessor register, controls matrix, and verification report (all PDF).
Every pack file is listed in security-pack-manifest.pdf with a SHA-256 checksum. CISOs can verify integrity before review.
Get-FileHash -Algorithm SHA256 "marketing\public\security\pilot-data-addendum.pdf"
Spot-check 1 · Subprocessor register
Open subprocessor-register.pdf — confirm Google Gemini API is listed with purpose limitation and terms URLs.
subprocessor-register.pdf
Spot-check 2 · No-training commitment
Open pilot-data-addendum.pdf §2 — confirm Pilot Data is not used to train foundation models.
pilot-data-addendum.pdf
Spot-check 3 · Control scope and status
Open controls-matrix.xlsx — confirm control scope and implementation status are explicitly stated for pilot evaluation.
controls-matrix.xlsx
Spot-check 4 · Artifact integrity
Hash any pack PDF (SHA-256) and compare to the matching entry in security-pack-manifest.json (canonical) or security-pack-manifest.pdf.
security-pack-manifest.pdf
Spot-check 5 · Claim verification
Open security-pack-verification-report.pdf — each claim lists repo file paths and extracted snippets.
security-pack-verification-report.pdf
Handling model
- Solicitation packages are treated as Source Selection Sensitive—not used to train foundation models.
- Pilot data is processed only to deliver the contracted matrix, volume map, and go/no-go artifacts.
- We do not publish client solicitations, matrices, or identifiers on this website.
Retention & deletion
- Pilot Sprint files are retained only for the sprint duration plus a 30-day handoff window unless your contract specifies otherwise.
- Upon final deliverable handoff—or on written request—we purge uploaded RFPs, working extracts, and derived artifacts from active systems.
- Backups, if any, follow the same deletion schedule documented in the Pilot Data Addendum.
Ingest rules
- Evaluation: unclassified public solicitations or redacted Section L excerpts after entity verification (UEI/CAGE).
- Live pursuits: mutual NDA + Pilot Data Addendum executed before secure upload.
- We do not accept classified materials on the standard Pilot Sprint path.
Subprocessors
Subprocessors are limited to document extraction and structuring for matrix delivery. Pilot Data is not used to train foundation models (Pilot Data Addendum).
Full register: subprocessor-register.pdf · subprocessor-register.json
Google LLC (Gemini API / Google Cloud)
Document extraction, requirement classification, and matrix structuring only.
Download templates
Execute NDA + PDA before uploading live solicitations.
Roadmap
Standard Pilot path: unclassified solicitation artifacts, Source Selection Sensitive handling, assigned sprint reviewers only, deletion on request. Customer-specific control frameworks (e.g., CMMC, NIST 800-171) are scoped at enterprise intake—not implied by the public matrix sample.
Enterprise security intake
Include approximate FTE, concurrent pursuits, and any customer security questionnaire requirements.