Your tender documents are commercially sensitive. We treat them that way.
Construction bids contain proprietary methodology, pricing signals, and supplier relationships. Here is exactly how Tendee protects that information.
Complete data isolation
Every query to the database is scoped to your firm by user ID and enforced by Supabase Row Level Security. No one — including Tendee staff — can query another firm's corpus, drafts, or documents.
Never trained on your data
Your uploaded documents and drafted responses are used only for retrieval and generation during your sessions. Neither Anthropic nor OpenAI trains its models on API input.
Encrypted at rest and in transit
Supabase encrypts all data at rest on managed Postgres. All traffic between your browser, Vercel, and our database travels over HTTPS/TLS. There is no unencrypted path.
Secure authentication
Sessions are managed via Supabase Auth using signed JWTs with short expiry. We support email/password and magic-link sign-in. No third-party OAuth tokens are stored.
Rate-limited AI endpoints
Every AI generation and extraction endpoint is rate-limited per user. This prevents abuse, controls inference spend, and ensures consistent availability across all firms.
Minimal AI data retention
Anthropic's and OpenAI's enterprise API terms provide zero data retention by default — your prompts and document content are not logged or stored by either provider beyond the duration of the request.
Infrastructure transparency
Tendee is built entirely on established, audited cloud providers. No proprietary infrastructure, no hidden data flows.
Supabase: Postgres + pgvector hosted in the AWS ap-southeast-2 (Sydney) region. Row Level Security enforced at the database layer. SOC 2 Type II.
Vercel: Next.js App Router on Vercel's global edge network. Environment secrets managed via encrypted Vercel environment variables. ISO 27001 certified.
Anthropic: Used for tender response generation and requirement extraction. API access only — Anthropic does not train on API inputs. Data is not retained beyond the request.
OpenAI: text-embedding-3-small used to embed your corpus for semantic search. API access only — OpenAI's zero data retention policy applies to API customers.
Common questions
Can Tendee employees read my documents?
No. Database access controls and Row Level Security mean even Tendee's own engineers cannot query your firm's data without explicit superuser escalation, which is logged and audited.
Is my tender content used to improve AI models?
Never. Your corpus, drafts, and prompts are not used for model training by Tendee, Anthropic, or OpenAI. This is guaranteed by the enterprise API terms of both providers.
Where is my data physically stored?
Your Postgres database (documents, drafts, embeddings) is hosted on Supabase in the AWS Sydney (ap-southeast-2) region. Application code runs on Vercel's edge globally, but no persistent data lives there.
What happens to my data if I cancel?
Your data remains accessible for export for 30 days after cancellation. After that it is deleted from all production systems. Backups are purged within 90 days.
Do you have a penetration test or SOC 2 report?
We're an early-stage product. Our infrastructure providers (Supabase, Vercel) carry SOC 2 and ISO 27001 certifications. We're planning our first application-level pen test for Q3 2026. Email us if you need details for a procurement assessment.
Have a specific security requirement?
If you need a security questionnaire completed, a DPA signed, or want to discuss single-tenant deployment, get in touch.