Trust Center

How we handle your data, your security, and our compliance posture.

The single readable answer to every CIO security questionnaire. If you need formal documentation (DPA, SCCs, security posture attestation), reply directly to your account contact and we’ll turn it around inside one business day.

Last updated 2026-05-09

§1 · Security

What’s running, what’s hardening, what’s enrolled.

Content Security Policy with strict-dynamic + per-request nonces.

Live

Every page load issues a unique CSP nonce that flows through Next.js framework scripts. Currently in report-only mode while we verify clean telemetry; flipping to enforce mode is a one-env-var change once the 24-48h observation window is clean.

Same-origin CSRF defense at the middleware layer.

Live

Every state-changing /api/* request runs an Origin/Referer same-origin check before the route handler. Webhook endpoints (Stripe, intel ingest) and NextAuth callbacks are exempted with their own non-cookie auth.
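The check described above, as an added example rather than Bridger's middleware: state-changing `/api/*` requests must carry an `Origin` (or, failing that, a `Referer`) whose origin matches the request's own, while webhook and NextAuth paths are skipped because they authenticate without the session cookie. The exempt path prefixes and the `makeReq` helper are assumptions for the example; the page names the exempt endpoints but not their paths.

```javascript
// Added example (not Bridger's middleware): same-origin check for state-changing
// /api/* requests, with exemptions for endpoints that carry their own non-cookie auth.
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);

// Hypothetical exempt prefixes: webhook receivers verify a provider signature and
// NextAuth callbacks carry their own state parameter; neither relies on the cookie.
const EXEMPT_PREFIXES = ["/api/webhooks/", "/api/intel/ingest", "/api/auth/"];

// Parse a header value down to its origin. The literal "null" (opaque origin from a
// sandboxed frame or a cross-site redirect) is treated as absent, so it is rejected.
function originOf(headerValue) {
  if (!headerValue || headerValue === "null") return null;
  try { return new URL(headerValue).origin; } catch { return null; }
}

// `req` is a Fetch-style request: { method, url, headers } where headers.get(name)
// returns the header or null. Returns { allowed, reason } so rejections can be logged.
function checkSameOrigin(req) {
  const method = req.method.toUpperCase();
  if (SAFE_METHODS.has(method)) return { allowed: true, reason: "safe-method" };

  const url = new URL(req.url);
  if (!url.pathname.startsWith("/api/")) return { allowed: true, reason: "not-api" };
  if (EXEMPT_PREFIXES.some((p) => url.pathname.startsWith(p))) {
    return { allowed: true, reason: "exempt" };
  }

  // Browsers send Origin on cross-origin requests and on same-origin POSTs; Referer
  // is only consulted when Origin is entirely absent. Missing both fails closed.
  const originHeader = req.headers.get("origin");
  const origin = originHeader
    ? originOf(originHeader)
    : originOf(req.headers.get("referer"));
  if (origin === null) return { allowed: false, reason: "missing-origin" };
  if (origin !== url.origin) return { allowed: false, reason: "cross-origin" };
  return { allowed: true, reason: "same-origin" };
}

// Small helper to build requests from plain values; header lookup is case-insensitive.
function makeReq(method, url, headers = {}) {
  const map = new Map(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  return { method, url, headers: { get: (k) => map.get(k.toLowerCase()) ?? null } };
}

// Stand-alone demonstration over constructed requests.
console.log(checkSameOrigin(makeReq("POST", "https://app.example/api/orgs", { Origin: "https://app.example" })));
console.log(checkSameOrigin(makeReq("POST", "https://app.example/api/orgs", { Origin: "https://evil.example" })));
```

One caveat that matters on hosted platforms: `url.origin` here comes from the request URL, which a reverse proxy derives from the `Host` header. In production it is safer to compare against a configured canonical origin (or short allowlist) rather than whatever host the request claims, so a Host-header mismatch cannot be used to satisfy the check.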

Audit logging on every administrative mutation.

Live

AuditLog rows captured on admin login, role changes, application approve/reject, provider/lobbyist suspension, Stripe Connect onboarding completion. 365-day retention; super_admin queryable.

MFA infrastructure (currently disabled platform-wide).

In progress

TOTP MFA + bcrypt-hashed backup codes are shipped on admin / provider / lobbyist login paths. Currently disabled via the MFA_ENABLED env flag (operator decision). Flipping to true restores enforcement for every previously-enrolled user — no re-enrollment required.

§2 · Compliance

The certifications and the path through them.

SOC 2 Type 1 — readiness map shipped, attestation Q4 2026.

In progress

Every Trust Services Criterion mapped to its current implementation. Auditor scoping call targeted for 2026-06-15. Type 2 fieldwork begins 2027-Q2 once Type 1 has been live for 6 months.

SOC 2 readiness page

FedRAMP path — agency sponsorship under exploration.

Planned

Currently evaluating FedRAMP Tatkal eligibility vs. full Moderate authorization. Sponsor-agency conversations open. The customer ICP that asks for FedRAMP first will dictate which path we pursue.

GDPR Art. 17 + Art. 20 self-serve.

Live

Org admins can self-serve a full data export (Art. 20) or initiate a soft-delete with 30-day grace period (Art. 17). Both shipped, both audited.

OFAC + BIS Entity List screening at signup.

Live

Every new account is screened against the OFAC SDN list and BIS Entity List at registration time. Sanctioned-counterparty cases are flagged for human review before account activation.

§3 · Data handling

What stays in your account, what we publish in aggregate, what we will never do.

What stays in your account.

Live

Your full capability profile, teaming intent, messages, draft proposals, target solicitations, and readiness history are visible only to seats inside your organization. Bridger staff cannot read them without an explicit support request you initiate.

Read the data-governance essay

Aggregate-only data sharing.

Live

Demand signals exposed to providers are aggregated to bands of 10+ accounts. No single-account-attributable data is shared with primes, providers, lobbyists, or third parties.
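The aggregation rule above, as an added example that is not Bridger's own pipeline: group demand signals by cell, count distinct accounts per cell, suppress any cell under the 10-account threshold, and publish the survivors as a band rather than an exact count. The cell keys (`naics`, `region`), the band width and the sample rows are constructed for the example.

```javascript
// Added example (not Bridger's code): publish demand per (naics, region) cell only
// when at least MIN_ACCOUNTS distinct accounts back it, and only as a count band.
const MIN_ACCOUNTS = 10;
const BAND_WIDTH = 10;   // assumption: bands of ten ("10-19", "20-29", ...)

function bandLabel(count) {
  const lo = Math.floor(count / BAND_WIDTH) * BAND_WIDTH;
  return `${lo}-${lo + BAND_WIDTH - 1}`;
}

// rows: [{ accountId, naics, region }]. Counting distinct accountIds (not rows) is the
// point: one account posting many signals must not lift a cell over the threshold.
function aggregateDemand(rows, minAccounts = MIN_ACCOUNTS) {
  const cells = new Map();   // "naics|region" -> Set of distinct account ids
  for (const r of rows) {
    const key = `${r.naics}|${r.region}`;
    if (!cells.has(key)) cells.set(key, new Set());
    cells.get(key).add(r.accountId);
  }
  const published = [];
  let suppressed = 0;
  for (const [key, accounts] of cells) {
    if (accounts.size < minAccounts) { suppressed += 1; continue; }
    const [naics, region] = key.split("|");
    published.push({ naics, region, accounts: bandLabel(accounts.size) });
  }
  return { published, suppressed };
}

// Constructed sample: cell A has 12 distinct accounts, cell B has 3, and cell C has
// a single account that posted 20 separate signals.
function sampleRows() {
  const rows = [];
  for (let i = 1; i <= 12; i++) rows.push({ accountId: `acct-a${i}`, naics: "541512", region: "VA" });
  for (let i = 1; i <= 3; i++) rows.push({ accountId: `acct-b${i}`, naics: "541611", region: "MD" });
  for (let i = 1; i <= 20; i++) rows.push({ accountId: "acct-c1", naics: "541330", region: "CO" });
  return rows;
}

// Stand-alone demonstration: one cell published as "10-19", two suppressed.
console.log(aggregateDemand(sampleRows()));
```

Two caveats a reviewer would raise on any threshold scheme like this: publishing a regional or category total alongside suppressed cells lets a reader recover a small cell by subtraction (complementary suppression is needed for the totals), and successive snapshots can leak a single account when a cell crosses a band boundary between two runs, so the same threshold has to apply to deltas as well as to levels.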

What we will never do.

Live

Sell your data. License it. Share it with advertisers or commercial intelligence services. Provide bulk exports to anyone outside your organization without your in-writing authorization. Use your data to train external AI models.

Sub-processor list — public registry.

In progress

Vercel (hosting), Neon (Postgres), Stripe (payments), Resend (email), Anthropic (LLM inference for proposal-agent). Full table with DPA links + data residency notes coming to /trust/sub-processors.

Need formal documentation?

DPA, SCCs, sub-processor list, security questionnaire response, or a custom enterprise security review. Reply to your account contact or email Hassan directly.