Security & Trust
Last updated: July 2026
GovIntel helps government-contracting businesses find, qualify, and pursue opportunities. The data you bring to the platform — your pipeline, company profile, and teaming relationships — is sensitive business information, and we protect it accordingly. This page describes how.
A note on controlled & classified data: GovIntel is a commercial business-intelligence platform. It is not authorized to store Controlled Unclassified Information (CUI), classified data, ITAR/EAR-controlled technical data, or FCI. Please do not upload documents containing CUI or classified markings — our system scans uploads for CUI markings and warns you when it detects them.
Infrastructure & Hosting
- Hosted on Railway (application + PostgreSQL, on Google Cloud Platform, US regions), Vercel (web frontend), and Cloudflare R2 (file storage) — all providers maintain SOC 2 and/or ISO 27001 attestations and handle physical data-center security.
- Production is fully cloud-managed; there are no self-hosted or on-prem servers.
Encryption
- In transit: all traffic is encrypted with TLS 1.2+ (HTTPS everywhere — web app, API, and file access).
- At rest: databases and object storage are encrypted at rest (AES-256) by our infrastructure providers.
- Secrets & tokens: third-party access tokens (e.g., connected email or cloud-drive credentials) are encrypted before storage; application secrets live in managed configuration, never in source code.
Authentication & Access
- Passwords are hashed with bcrypt (never stored in plaintext).
- Single sign-on via Google and Microsoft (OAuth 2.0) is supported.
- Sessions use signed, expiring tokens.
- Role-based access control: every sensitive endpoint is gated by role on a least-privilege basis, and customer data is isolated per account/workspace.
Monitoring, Logging & Abuse Prevention
- Audit logging records sensitive administrative and account actions.
- Rate limiting protects authentication and API endpoints against abuse and brute-force attempts.
- Application errors and anomalies are monitored in production.
Data Handling & Privacy
- Your business data is used only to provide the service to you. We do not sell customer data.
- Public government data (opportunities, awards, entity records) is aggregated from official sources such as SAM.gov, USAspending, and state portals.
- Account data is removed on request following account closure. See our Privacy Policy for details.
Payments
Payments are processed by Stripe (PCI-DSS Level 1). GovIntel never stores full card numbers.
Subprocessors
- Railway (on Google Cloud) — app hosting + PostgreSQL — SOC 2 / ISO 27001
- Vercel — web frontend hosting — SOC 2
- Cloudflare R2 — file/document storage — SOC 2 / ISO 27001
- Stripe — payment processing — PCI-DSS L1, SOC 2
- Anthropic — AI features (proposal drafting, analysis) — SOC 2
- Microsoft / Google — SSO + optional email/calendar integration — SOC 2 / ISO 27001
- Resend — transactional email — SOC 2
Compliance Posture
GovIntel aligns its controls to NIST SP 800-171 practices where applicable and is progressing toward SOC 2 Type II as we expand our enterprise offering. We are happy to complete customer security questionnaires — just reach out.
Reporting a Security Issue
Found a vulnerability? Please email security@govintel.ai with details. We take reports seriously and will respond promptly.