SECURITY
How we protect your data.
You're trusting IR with your pipeline and your proposals. Here is exactly how that data is handled — in plain English, including what we haven't built yet.
DATA IN TRANSIT & AT REST
- All traffic is encrypted with TLS 1.2+ — there is no unencrypted access to IR.
- Data is stored on SOC 2-compliant infrastructure (Vercel and Turso) with encryption at rest.
- Passwords are hashed with bcrypt (cost factor 12). We cannot see or recover your password.
AUTHENTICATION & ACCESS
- Sessions use signed JSON Web Tokens; session secrets are rotated server-side and never exposed to the browser.
- Authentication endpoints are rate-limited to block credential stuffing and brute force.
- Email verification is required before account access.
- Team access is permission-scoped: members only see what their role allows.
YOUR DATA
- Contract data comes from public U.S. government sources (SAM.gov). Your company profile, pipeline, and proposals are private to you and your team.
- We never sell your data. We never share your proposals, pipeline, or profile with anyone — including other IR customers.
- Proposal emails to contracting officers are sent only when you explicitly click send, after a confirmation showing the exact recipient.
- You can delete your account and all associated data at any time by contacting us.
ENGINEERING PRACTICES
- All database access goes through a typed ORM with parameterized queries — no raw SQL from user input.
- API keys and secrets live in server-side environment variables, never in client code.
- Every outbound email is logged and auditable.
- Automated health checks monitor the platform continuously and alert us before most issues reach you.
ON THE ROADMAP (HONEST VERSION)
- Two-factor authentication (2FA) — planned.
- SOC 2 Type II certification — planned as we grow; our infrastructure providers already hold it.
- Formal penetration testing — planned before enterprise rollout.
- We would rather tell you what we don't have yet than pretend. If your organization has specific security requirements, email us and we'll give you straight answers.
REPORT A VULNERABILITY
Found a security issue? Email security@ir-gov.app and we'll respond within 48 hours. We appreciate responsible disclosure and will credit researchers who report in good faith.