# Data Handling Summary — GovProposal Operations

**Pack version:** 1.0.0 · **Operator:** FedShredder · **Generated:** 2026-05-25

## Executive summary

FedShredder operates GovProposal Operations as a **compliance-first, operator-assisted** service. This document describes how solicitation data flows through the system today and what is **contractually committed** versus **technically implemented** in the open codebase.

We do **not** claim FedRAMP, SOC 2, or CMMC certification in this pack.

---

## Data flow (Pilot Sprint)

```mermaid
flowchart LR
  subgraph Customer
    U[Capture manager]
  end
  subgraph Intake
    I[Secure intake email / agreed channel]
  end
  subgraph Processing
    B[FastAPI backend]
    G[Gemini API]
  end
  subgraph Deliverables
    M[Compliance matrix .xlsx]
    V[Volume outline]
  end
  U -->|NDA + PDA executed| I
  I --> B
  B -->|Text extracts only| G
  G --> B
  B --> M
  B --> V
  M --> U
```

1. Customer executes **Mutual NDA** and **Pilot Data Addendum**.
2. Solicitation PDFs are transmitted via the agreed secure channel (not the public marketing site).
3. Operator ingests the files; text is extracted locally (`IngestionProcessor`).
4. Structured extraction runs via the **Gemini API** (multi-pass compliance pipeline).
5. Deliverables are returned to Customer; the retention clock for the 30-day purge window starts.

---

## What we do not do

- Train foundation models on Customer Pilot Data
- Publish Customer solicitations or matrices on fedshredder.com without consent
- Accept classified materials on the standard Pilot path
- Represent AI-generated citations as legally binding without human spot-check

---

## Technical boundaries (current codebase)

| Component | Data touched | Notes |
|-----------|--------------|-------|
| Marketing site (Vercel) | Public samples only | No live RFP upload |
| Capture app (React) | Browser `localStorage` | Dev tool; not enterprise tenancy |
| Backend (FastAPI) | In-memory request processing | Deploy config not in repo |
| ChromaDB | Optional context RAG | Not wired to Pilot ingest path |

---

## Verification

Download `security-pack-manifest.json` and run the checksum verification given in the manifest's `verifyCommand`. Cross-reference `security-pack-verification-report.json` for the claim-to-code mapping.

**Enterprise intake:** `/contact?intent=enterprise`
