IR

SECURITY

How we protect your data.

You're trusting IR with your pipeline and your proposals. Here is exactly how that data is handled — in plain English, including what we haven't built yet.

DATA IN TRANSIT & AT REST

  • All traffic is encrypted with TLS 1.2+ — there is no unencrypted access to IR.
  • Data is stored on SOC 2-compliant infrastructure (Vercel and Turso) with encryption at rest.
  • Passwords are hashed with bcrypt (cost factor 12). We cannot see or recover your password.

AUTHENTICATION & ACCESS

  • Sessions use signed JSON Web Tokens; session secrets are rotated server-side and never exposed to the browser.
  • Authentication endpoints are rate-limited to block credential stuffing and brute force.
  • Email verification is required before account access.
  • Team access is permission-scoped: members only see what their role allows.

YOUR DATA

  • Contract data comes from public U.S. government sources (SAM.gov). Your company profile, pipeline, and proposals are private to you and your team.
  • We never sell your data. We never share your proposals, pipeline, or profile with anyone — including other IR customers.
  • Proposal emails to contracting officers are sent only when you explicitly click send, after a confirmation showing the exact recipient.
  • You can delete your account and all associated data at any time by contacting us.

ENGINEERING PRACTICES

  • All database access goes through a typed ORM with parameterized queries — no raw SQL from user input.
  • API keys and secrets live in server-side environment variables, never in client code.
  • Every outbound email is logged and auditable.
  • Automated health checks monitor the platform continuously and alert us before most issues reach you.

ON THE ROADMAP (HONEST VERSION)

  • Two-factor authentication (2FA) — planned.
  • SOC 2 Type II certification — planned as we grow; our infrastructure providers already hold it.
  • Formal penetration testing — planned before enterprise rollout.
  • We would rather tell you what we don't have yet than pretend. If your organization has specific security requirements, email us and we'll give you straight answers.

REPORT A VULNERABILITY

Found a security issue? Email security@ir-gov.app and we'll respond within 48 hours. We appreciate responsible disclosure and will credit researchers who report in good faith.