How does ReqFit keep my bid documents secure?

Your documents are encrypted end to end, deleted once your report is generated, and never used to train AI models. ReqFit's operating company is Cyber Essentials certified, the UK government-backed standard that independently verifies these security controls are in place.

What is Cyber Essentials and who awards it?

Cyber Essentials is a UK security certification developed by the National Cyber Security Centre and administered by IASME. It verifies five core technical controls that protect against the most common cyber attacks. It is the baseline standard the UK government requires of many of its own suppliers.

Does ReqFit use my proposal to train its AI?

No. ReqFit never uses your uploaded documents to train AI models. Your files are processed only to generate your review report, then cleared from the system. This is confirmed in our terms and underwritten by our Cyber Essentials certification.

How long does ReqFit keep my documents?

Your source documents are cleared from the system once your report is generated. Completed reports stay available in your account for 90 days, after which they are automatically deleted. You can delete any report manually at any time within that window.

ReqFit is now Cyber Essentials certified

The short version

ReqFit’s operating company, CASM Labs Ltd, was awarded Cyber Essentials certification on 27 May 2026, the UK government-backed security standard developed by the National Cyber Security Centre.
The certification matters because you upload your most confidential commercial documents to ReqFit: live bids, pricing, and the strategy you are using to beat named competitors.
Cyber Essentials independently verifies the five technical controls that protect your data: firewalls, secure configuration, security updates, access control, and malware protection.
Your documents are encrypted end to end, deleted after your report is generated, and never used to train AI models. The certification confirms the discipline behind those commitments.

You are trusting us with documents you would not email

Think about what is actually inside the files you upload to a proposal review tool. Your draft response to a live tender. Your pricing. The strategy you are using to beat named competitors. In many cases, a requirements document the buyer has not made public yet.

These are not ordinary files. They are the documents you would hesitate to forward in an unencrypted email. So when you upload them to an AI tool, the only sensible question is whether you can trust the company behind it.

That question deserves a better answer than a reassuring paragraph on a privacy page. It deserves independent verification. As of 27 May 2026, ReqFit has it.

What we achieved

CASM Labs Ltd, the company behind ReqFit, has been awarded Cyber Essentials certification by IASME, the body that administers the scheme on behalf of the UK government.

Cyber Essentials is the security standard developed by the National Cyber Security Centre, part of GCHQ. It is the baseline the UK government requires of its own suppliers for many contracts.

Cyber Essentials is not a logo you can buy. It is an assessment you have to pass, against a defined set of technical controls, marked by an independent certification body.

What Cyber Essentials actually checks

The scheme verifies five technical controls. Each one maps to a way attackers get into systems, and each one has to be demonstrably in place for the certification to be awarded.

Firewalls. The boundary between our systems and the internet is configured to block what should be blocked.

Secure configuration. Systems and devices are set up to reduce vulnerabilities, rather than left on insecure default settings.

Security update management. Software is kept patched, because unpatched software is one of the most common ways in.

User access control. People can reach only the data their role requires, and administrative access is tightly held.

Malware protection. Active defences against malicious software across every device in scope.

None of these are exotic, and that is the point. Most breaches do not happen because of sophisticated attacks. They happen because a basic control was never put in place. Cyber Essentials exists to confirm the basics are genuinely covered.

What it means for your documents

Here is the part that matters to you rather than to a compliance auditor.

When you upload an RFP and your draft response to ReqFit, three things are true, and the certification underwrites the discipline behind all of them.

Your documents are encrypted end to end. Your source files are cleared from the system once your report has been generated, not held indefinitely. And we never use your documents to train AI models, full stop.

The certification does not change those commitments. It independently confirms that the company making them runs with the security discipline to keep them.

The bigger picture

More than any single control, the certification is a statement of intent. We are asking you to trust us with commercially sensitive documents. The least we can do is prove, independently, that we take that trust seriously.

If you want to understand more about why a purpose-built review tool handles your documents differently from a general AI chatbot, our piece on Why a general AI tool cannot review your proposal goes into the detail. And if you are weighing up whether to review before you submit at all, the real cost of one missed requirement makes the case plainly.