TRUST · SECURITY · COMPLIANCE
Your bids are your edge.
Here's how we keep them yours.
Construction estimating data — drawings, BOQs, labour coefficients, supplier prices — is some of the most commercially sensitive information a contractor owns. A leak isn't a privacy incident; it's a competitive disaster. We built bidyou.ai with that reality at the centre. This page explains how.
How we protect your data
No third-party LLM training
Inference runs on local Ollama models (Qwen3 family) on EU infrastructure or on your own GPU. Your drawings, price lists and bid history never reach OpenAI, Anthropic, Google or any third-party LLM API — period. We do not train shared models on customer data.
Encryption everywhere
TLS 1.2+ in transit (PCI-DSS-grade cipher suite, AEAD-only). AES-256 at rest for project files, embeddings, and database. Encryption keys rotated annually. Backup volumes encrypted with separate keys.
Tenant isolation
Each customer has its own ChromaDB vector namespace, its own database schema, and its own object storage prefix. Cross-tenant access is impossible by design — not just policy. Embeddings and price models from one customer cannot influence another's outputs.
Role-based access + audit
Admin / Estimator / Viewer roles per project. SSO (SAML 2.0 / OIDC) on Pro and above. Mandatory 2FA on admin accounts. Every action — file upload, bid edit, export — written to an append-only audit log retained for 2 years.
One perimeter. One operator.
Production runs on CRM-Line-owned hardware in Estoril, Portugal — not on AWS, not on Azure, not on a US cloud. There is no FISA 702 exposure, no CLOUD Act exposure, no shared-tenancy surprise. The same EU operator who signs your DPA owns the rack the data sits on.
Data portability + deletion
Export anytime: original files, structured bid data (CSV, JSON), full audit log. Account closure: 30-day grace period, then permanent purge of project data, embeddings, and backups within 90 days. We provide a written deletion certificate on request.
The data path, end-to-end
- 01 Upload: You upload drawings (PDF, DWG, IFC) and specs over TLS 1.2+. Files land in your tenant-isolated object store, encrypted at rest with AES-256 before being written to disk.
- 02 Parse + extract: YOLOv11 detects line items, PaddleOCR extracts text, sentence-transformers embed each entity. All inference runs on local GPUs in our Estoril rack. No third-party LLM API ever sees your files.
- 03 Match against your private price model: Embeddings are written to your ChromaDB namespace. The matching engine queries only your own historical bids, your own price lists, your own labour coefficients. Cross-tenant access is impossible at the database level.
- 04 Estimator review: Output is presented to your estimator with provenance for every line. They accept, edit or override. All actions hit the audit log.
- 05 Export + retention: You export to your own systems (XLSX, CSV, PDF, IFC). Files are retained according to your plan's retention policy. Account closure triggers a 30-day soft-delete, then permanent purge within 90 days, including backups.
Subprocessors
We list every third party that processes data on our behalf. We notify customers 30 days before adding a new subprocessor.
| Subprocessor | Purpose | Location · scope |
|---|---|---|
| CRM-Line, Lda. | Sole operator + hosting. Production servers, GPU inference, database, backups, mail. | EU (Estoril, Portugal). Owns and operates the physical infrastructure. |
| Cloudflare, Inc. | Marketing site only — CDN, DNS, anti-spam (Turnstile), cookieless web analytics. | Global edge — scope limited to bidyou.ai marketing pages. No customer bid data, drawings, pricing or credentials ever pass through Cloudflare. |
| Stripe Payments Europe, Ltd. | Subscription billing (Pro tier and above). | EU (Ireland) — receives billing data only (name, email, VAT, card token via Stripe.js). Never receives bid data. |
What we run on ourselves today
We're not waiting for an ISO 27001 certificate to operate like one. Here's the security and observability stack already in production — the same one CRM-Line operates for itself and for managed-service customers.
HackerGuardian PCI DSS scans
Quarterly external ASV vulnerability scans against the public-facing attack surface. CRM-Line passes them to maintain its own PCI compliance — bidyou.ai inherits that scrutiny.
Greenbone Vulnerability Manager (GVM)
Internal authenticated vulnerability scanning of every server in our perimeter. Daily scans, weekly review, CVSS-prioritised remediation tracked in GLPI tickets.
Wazuh
SIEM + HIDS across all production hosts. File-integrity monitoring, log aggregation, MITRE ATT&CK detection rules, real-time alerting on anomalies. Logs retained 12 months.
Zabbix
Infrastructure observability — service availability, resource usage, certificate expiry, mail-queue health. Pages on-call (one-person rotation) within 60 seconds of an incident.
GLPI
Asset inventory + CMDB + ticketing. Every change to production is opened as a GLPI change-request, reviewed, and traceable. Required input for ISO 27001 Annex A.8 (asset management).
Annual external penetration test
Independent third-party offensive assessment of the bidyou.ai application surface — black-box and authenticated. Executive summary available under NDA. First test scheduled before GA.
Certification roadmap
Honesty over theatre: we publish what we have, what we're working on, and when. Customer audit questionnaires are answered by the founder, not by a sales team.
- Now: GDPR-native architecture · Subprocessor list public · 72h breach-notification process · Quarterly PCI DSS ASV scans (HackerGuardian) · GVM + Wazuh + Zabbix + GLPI in production
- Before GA (Q3 2026): DPA template (GDPR Art. 28) finalised and signable · First annual external pentest · Pre-answered CAIQ-Lite + SIG-Lite security questionnaires
- Q4 2026: Documented ISMS — policies, runbooks, BCP/DR plan, asset inventory, risk register (foundation for any future ISO 27001 audit)
- Q2 2027: Cyber Essentials Plus — entry-level technical-controls cert (enables UK gov + corporate procurement)
- 2028+: ISO 27001 certification — full ISMS audit including physical site. We commit to it once revenue justifies the audit cost (we own the data centre, so the scope is broader and we will not pursue this prematurely)
- 2029+: SOC 2 Type II — gated to US-market entry strategy. The B2B contractor side targets EU first; SOC 2 is pursued only when a US-customer pipeline justifies the audit cost.
Documents on request
- Data Processing Agreement (DPA) — GDPR Art. 28-compliant template. Available before first project upload (finalising in Q3 2026 for general availability)
- Security questionnaire — pre-answered (CAIQ-Lite, SIG-Lite formats supported)
- Subprocessor list — versioned, with change-notification opt-in
- Architecture diagram — production data-flow with encryption boundaries and physical-site description
- Penetration test summary — first external test scheduled before GA; executive summary available under NDA after that point
Request any of these at security@bidyou.ai.
Security disclosures
Found a vulnerability? Email security@bidyou.ai. We respond within 48 hours and follow coordinated disclosure. We do not pursue legal action against good-faith security research.
Want to evaluate bidyou.ai with your own data?
Free for the first 3 projects. DPA available before upload.