Security and data handling

Privacy by architecture, not by policy.

ReqFit was built by people who have written proposals containing pricing strategy, methodology, and competitive positioning. We treat your documents the way we would want ours treated.

The data lifecycle, end to end

Data lifecycle illustration: the buyer's requirements document (RFP) and your proposal flow into a secure processing zone (stateless, logless), then split into three outputs: source documents discarded; requirements list retained against your account; report kept for 90 days in your dashboard.

Source documents are discarded once your report is generated. The extracted requirements list is retained against your account so re-runs measure against exactly the same requirements. Reports stay in your dashboard for 90 days, with manual delete available throughout.

ReqFit holds no document store and writes no request body logs. Your proposal and the buyer's requirements document are processed in memory on Google Cloud Vertex AI, used to generate your report, then purged from runtime memory. The eight cards below break down exactly what we keep, what we discard, and why.

What we keep, what we discard

Stateless analysis

Your proposal and the buyer's requirements document are processed in memory and purged from runtime memory immediately upon report delivery. ReqFit holds no long-term document store.

Logless by design

We do not keep audit logs of document content. The system processes your files and forgets the content. Operational logs are kept for service reliability but contain no customer document text.

Requirements retained for accuracy

When you upload a buyer's requirements document, we extract the requirements list and keep it against your account. This guarantees that if you re-run a review on an improved proposal, we measure it against exactly the same requirements. The source document is deleted; only the structured requirements list is retained, and it is cleared on account deletion.

No training on your data

Customer documents are processed via Google Cloud Vertex AI under terms that prevent retention or use of prompts and outputs for model training. Your content does not improve any AI model, ours or anyone else's.

Encrypted end to end

Documents are encrypted in transit using TLS 1.3 and at rest using AES-256 within Google Cloud infrastructure for the brief moments data is held during processing. Account authentication uses passkey-grade credential handling.

UK-based and ICO registered

ReqFit is operated by CASM Labs Ltd, registered in England and Wales (company number 17115248) and registered with the UK Information Commissioner's Office (ICO registration ZC111039). We process data in accordance with UK GDPR and the Data Protection Act 2018. Read our UK GDPR data protection statement at /gdpr.

No external AI accounts required

Unlike tools that ask you to connect your OpenAI or Anthropic API key, ReqFit handles all AI infrastructure. You do not authorise external accounts, expose your own AI credentials, or share your data with multiple providers.

Payments isolated via Paddle

Paddle is our Merchant of Record, a regulated payment institution used by thousands of SaaS companies worldwide. ReqFit does not capture, view, or store payment card details. The same privacy-first principle that protects your proposal data protects your payment information.

Compliance at a glance

Working towards formal certification

We do not yet hold SOC 2 Type 2 or ISO 27001 certifications. Both are on the roadmap, but they take time to obtain honestly and we would rather build the certification properly than market it before it is real. In the meantime, our security posture is built on three things: an architecture that does not retain your source documents, the certifications held by our underlying cloud and AI platform (Google Cloud holds SOC 2, ISO 27001, and ISO 27018), and our registration with the UK ICO. Cyber Essentials self-assessed certification is in flight: our IASME readiness questionnaire is complete and we are pending final technical control remediation before submission.

If your procurement process requires SOC 2 today, we are probably the wrong tool. If it does not, you will find that stateless and logless answers most of the questions SOC 2 is designed to answer in the first place.

Security FAQs

Documents are processed in memory on Google Cloud Platform using Vertex AI. Static customer administration data (account profile, credit balance, retained requirements lists, report records) resides within European cloud infrastructure. Transient text extraction for AI inference may be routed securely across dynamic international regions selected for capacity and performance, governed by our Data Processing Agreement and the UK Extension to the EU-US Data Privacy Framework. Enterprise customers with specific data residency requirements can discuss these with us on request.

Your proposal documents and the buyer's requirements document are purged from runtime memory immediately after the report is delivered. The structured requirements list extracted from the buyer's document is retained against your account so that re-running a review on an improved proposal produces consistent, one-to-one comparable results. You can delete your account at any time, which removes all retained data including stored requirements lists.

Reports are kept in your account, viewable online with PDF and DOCX download available throughout, for ninety (90) days from generation. You can delete a review manually at any point within that window. After 90 days, reports are deleted automatically. We encourage you to download your reports while they are available; downloaded copies remain on your own device after our retention window ends.

No. We use Google Cloud Vertex AI under terms that prevent retention or use of prompts and outputs for model training. Your documents are processed only to produce your review report and are not used to improve any AI model, ours or anyone else's.

Documents are processed automatically with no human review at ReqFit. Customer support staff have no access to document content. Reports are visible to you and to any colleagues you have invited into your organisation through admin settings (see "How do team accounts handle data access?" below for detail). Reports are not visible to users outside your organisation.

Yes. ReqFit is operated by CASM Labs Ltd, registered with the UK Information Commissioner's Office under registration ZC111039 and bound by UK GDPR and the Data Protection Act 2018. Our standard Data Processing Agreement at /dpa applies automatically when you create an account. A bilateral signed copy is available on request for enterprise procurement. Read our plain-English UK GDPR statement at /gdpr for the full picture.

Account deletion removes all retained data associated with your account, including stored requirements lists from previous reviews, account configurations, and any reports still within their 90-day retention window. Reports you have already downloaded remain on your own device. Account deletion is permanent.

Our standard DPA is published at /dpa and applies automatically when you create an account. If you need a bilateral signed copy for your procurement or vendor onboarding process, contact us at security@reqfit.com and we will send you a Word version for execution. We can also countersign a DPA you provide, whichever is faster for your process.

Not yet. SOC 2 Type 2 and ISO 27001 both require a 12-month observation period and we are working towards them honestly rather than marketing them aspirationally. Our underlying platform (Google Cloud) holds SOC 2, ISO 27001, and ISO 27018, and we are pursuing Cyber Essentials self-assessed certification as the immediate trust signal pre-launch. The "Working towards formal certification" section above explains the full position.

If we identify a security incident affecting your data, we will notify you within 48 hours of detection as required by our Data Processing Agreement Clause 6 and the UK GDPR. The notification will include the nature of the incident, the categories of data affected, the likely consequences, and the measures we are taking. To report a suspected vulnerability or security concern, contact security@reqfit.com.

How do team accounts handle data access?

Team access is invite-only. The account owner invites colleagues into their organisation through admin settings; once a colleague accepts, team members can see each other's reviews. This supports workload sharing, peer review, and holiday cover. There is no automatic same-domain grouping, and reviews are never shared across organisations or with other ReqFit users.

Last updated: 25/05/2026.
