AutoRFP Security Exhibit

AutoRFP.ai Security Exhibit

This Security Exhibit (“Exhibit”) describes the technical and organizational security measures implemented by AutoRFP.ai Pty Ltd (“AutoRFP”) to protect Customer Data Processed in connection with the AutoRFP Platform.


This Exhibit is incorporated into the Main Agreement by and between AutoRFP and Customer. Capitalized terms not defined herein shall have the meaning set forth in the Main Agreement or the Data Processing Addendum.


1.0 Information Security Program

AutoRFP maintains a comprehensive written information security program (“ISP”) designed to protect the confidentiality, integrity, and availability of Customer Data. The ISP is based on industry-standard frameworks (including ISO 27001:2022 and SOC 2) and is reviewed and updated at least annually or in response to significant changes in the threat landscape. The program includes:

  • Governance: A dedicated security team responsible for the development, implementation, and management of the ISP.

  • Risk Management: A formal risk assessment process to identify, analyze, and mitigate information security risks to AutoRFP and its customers.

  • Policy Framework: A set of documented information security policies and procedures that are communicated to all personnel. Key policies include, but are not limited to: Acceptable Use, Access Control, Data Classification and Handling, Encryption, Incident Response, Secure Development, Physical Security, and Third-Party Risk Management.


2.0 Security Controls


2.1. Personnel Security

  • Background Checks: Background verification checks are conducted for all new employees in accordance with local laws.

  • Confidentiality: All personnel are required to sign confidentiality agreements as a condition of their employment.

  • Security Training: Personnel undergo mandatory security awareness training upon hiring and on an annual basis thereafter.


2.2. Access Control

  • Least Privilege & RBAC: Access to systems that Process Customer Data is granted based on the principle of least privilege and role-based access control (RBAC). AutoRFP controls access to application resources at a granular level, so that each URL and API endpoint is available only to those users who require such access.

  • Authentication: Multi-Factor Authentication (MFA) is required for all access to production systems, critical infrastructure, and internal applications, enforced via Single Sign-On (SSO). AutoRFP supports SSO integration with Google and Microsoft.

  • Access Reviews: User access rights to production environments are reviewed on a regular basis (at least quarterly) and revoked promptly upon termination of employment or change in role.

  • Session Management: Automatic session timeouts are implemented to reduce the risk of unauthorized access from unattended devices.


2.3. Data Encryption

  • Encryption in Transit: All Customer Data transmitted over public networks (e.g., between the customer and the Platform) is encrypted using Transport Layer Security (TLS) version 1.2 or higher.

  • Encryption at Rest: All Customer Data stored within the Platform’s production environment is encrypted at rest using industry-standard encryption algorithms (e.g., AES-256). Workstation and laptop hard drives are also encrypted.


2.4. Application Security

  • Secure Software Development Lifecycle (SDLC): AutoRFP follows a formal SDLC process that integrates security at every stage, including secure design reviews, threat modeling, and secure coding practices.

  • Data Separation: Measures are implemented to ensure data collected for different purposes can be processed separately. This includes logical separation at the application and database level (e.g., separate API endpoints and database schemas for different services) to enforce clear boundaries in data processing.

  • Vulnerability Management: AutoRFP performs regular vulnerability scanning of its application and infrastructure. Identified vulnerabilities are tracked, prioritized, and remediated based on severity within defined service level agreements.

  • Penetration Testing: AutoRFP engages independent third-party security firms to conduct penetration tests of the Platform at least annually. Attestations for these tests can be made available to customers upon request and under a non-disclosure agreement.


2.5. Network and Infrastructure Security

  • Cloud Infrastructure: The Platform is hosted on leading cloud infrastructure providers (e.g., Amazon Web Services, Google Cloud Platform) that maintain state-of-the-art physical and environmental security controls and certifications (e.g., SOC 2, ISO 27001, ISO 27017).

  • Network Protection: Production environments are logically isolated from non-production environments. AutoRFP deploys protective technologies including firewalls, web application firewalls (WAF), intrusion detection systems (IDS), and DDoS mitigation services.

  • Endpoint Security: Company devices are managed via Mobile Device Management (MDM) software, configured with anti-virus software, firewalls, endpoint detection and response (EDR), and automatic desktop locking.

  • Logging and Monitoring: AutoRFP maintains a robust logging system that records key events across its infrastructure, including user access, system changes, and network activity. Logs are monitored in real-time to detect and respond to potential threats. The integrity of log data is protected through secure storage and access controls.


3.0 Security Incident Management

AutoRFP maintains a formal Security Incident Response Plan that defines the procedures for detecting, responding to, and recovering from Security Incidents. In the event of a Security Incident affecting Customer Data, AutoRFP will notify affected Customers in accordance with the terms of the Data Processing Addendum.


4.0 Third-Party Risk Management

AutoRFP maintains a risk-based program to assess the security posture of its third-party vendors and Sub-processors. This process includes initial security due diligence and ongoing monitoring to ensure that vendors continue to meet AutoRFP's security requirements. A current list of Sub-processors is maintained at https://autorfp.ai/trust/subprocessors.


5.0 Business Continuity and Disaster Recovery

AutoRFP maintains a Business Continuity and Disaster Recovery Plan designed to ensure the availability of the Platform in the event of a significant disruption. This includes regular data backups, failover testing, and geographically redundant infrastructure.


6.0 Audits and Certifications

AutoRFP maintains industry-standard security certifications and attestations to demonstrate the effectiveness of its security controls. Information about our compliance program, including access to audit reports (e.g., ISO 27001), is available through the AutoRFP Trust Center (https://autorfp.ai/trust) or can be provided to customers upon request under a non-disclosure agreement.


7.0 Customer Responsibilities

Customer is responsible for: (a) securely managing user accounts, credentials, and access rights within the Platform; (b) the accuracy and legality of all Customer Data; and (c) configuring the Platform’s security features as appropriate for its use case.


8.0 Updates to Security Measures

AutoRFP may update or modify these Security Measures from time to time, provided that such updates or modifications do not result in a material degradation of the overall security of the Platform.

For security questions, please contact security@autorfp.ai.