Security & Compliance
Built to protect competition-sensitive federal work
You'll be uploading solicitations, pricing, and proposal content — sometimes including Controlled Unclassified Information (CUI). Here's exactly how GovCon protects it, stated plainly and without overclaiming.
U.S. data hosting
Your account, proposals, and uploaded documents are stored in U.S.-based infrastructure. We do not move customer data offshore.
Encrypted in transit & at rest
All traffic is served over TLS, and data is encrypted at rest by our database and object-storage providers (AES-256).
Your data never trains AI
Proposal content and company data sent to our AI provider (Anthropic) are processed through their API and are not used to train general AI models. We never sell or share your data.
Org-scoped access control
Every record is scoped to your organization. Role-based permissions govern who can view, edit, and export. SSO (Google / Microsoft / Azure AD) is available on Enterprise.
Daily encrypted backups
The database and document storage are backed up daily to a separate, access-controlled location with a retention policy — so an accidental deletion is recoverable.
You own your data
Your content is yours. Export your library, proposals, and pipeline at any time, and request deletion of your account and data.
CUI & compliance roadmap
We apply a strong security baseline today — U.S. hosting, encryption in transit and at rest, org-scoped access control, and daily encrypted backups — and we are actively working toward NIST 800-171 / CMMC alignment to better support contractors handling CUI.
We are not currently FedRAMP authorized or CMMC certified, and we won't pretend otherwise. If your contract carries specific CUI-handling obligations, talk to us first so we can confirm fit — and only upload content your contract permits.
Subprocessors
The third-party services we rely on to operate GovCon, and what each is used for.
Security questions, answered
Can I use GovCon for proposals that contain CUI?
GovCon is built for sensitivity-aware federal proposal work and applies encryption in transit and at rest, U.S. data hosting, and org-scoped access controls. We are progressing toward NIST 800-171 / CMMC alignment. If your contract imposes specific CUI-handling obligations, talk to us first so we can confirm fit for your requirement — and only upload content your contract permits.
Do you use my proposals or company data to train AI?
No. Content you submit is processed through our AI provider's API to generate your drafts and analysis. It is not used to train general-purpose AI models, and we never sell or share it with third parties.
Where is my data stored?
In U.S.-based infrastructure (Render for the application, Neon for the database, Cloudflare R2 for documents). We do not store customer data outside the United States.
Are you FedRAMP authorized or CMMC certified?
Not today — and we won't claim otherwise. We implement strong baseline controls (encryption, U.S. hosting, access control, backups) and are working toward NIST 800-171 / CMMC alignment. We'll publish updates here as we reach milestones.
How do you handle access and authentication?
Accounts use secure password authentication with encrypted sessions; Enterprise plans can enforce SSO via Google, Microsoft, or Azure AD. All data is org-scoped with role-based permissions, so users only see their own organization's records.
Have a security or compliance question?
We're happy to walk your security team through our controls before you upload anything.
Talk to us →
This page describes our current posture and is not a contractual commitment. See our Privacy Policy and Terms.
