Enterprise Security

Enterprise Security Built for European Procurement Teams

Your tender data, proposal content, and competitive intelligence deserve the highest level of protection. Bidovate is built from the ground up to meet the rigorous security and data protection requirements of European organisations.

SOC 2 Type IICertified
ISO 27001Certified
ISO 27017Certified
GDPRCompliant
EU AI ActReadiness Programme
Cyber EssentialsPlanned

Bidovate maintains an active compliance programme aligned with the standards European organisations depend on. Our certifications are independently audited and continuously monitored.

GDPR Compliance

Full GDPR Compliance, By Design and by Default

Bidovate is fully compliant with the General Data Protection Regulation (GDPR). Data protection is embedded into every layer of our platform architecture and organisational processes.

Lawful Basis for Processing: Processing is carried out under contractual necessity and legitimate interest. Consent is obtained where required.
Data Controller / Data Processor: Bidovate acts as a Data Processor on behalf of our customers (Data Controllers). Our Data Processing Agreement (DPA), compliant with GDPR Article 28, is available upon request.
Data Protection Officer (DPO): Bidovate has appointed a dedicated Data Protection Officer. Contact: dpo@bidovate.co
Data Subject Rights: Full support for access, rectification, erasure, portability, restriction, and objection requests. Requests are fulfilled within 30 days.
Data Minimisation: We collect and process only the data strictly necessary to deliver our services.
Data Breach Notification: Supervisory authorities are notified within 72 hours of becoming aware of a breach. Affected data subjects are notified without undue delay.
Cross-Border Transfers: No customer data is transferred outside the EU/EEA. Where transfers are necessary, Standard Contractual Clauses (SCCs) and supplementary measures are in place.
Records of Processing Activities (ROPA): Comprehensive records of processing activities are maintained and available for audit.
Privacy Impact Assessments: Data Protection Impact Assessments (DPIAs) are conducted for all high-risk processing activities.

EU AI Act

Prepared for the EU AI Act

Bidovate is proactively preparing for the EU AI Act. Our AI systems are designed with transparency, human oversight, and accountability at their core.

Risk Classification: Bidovate's AI features are assessed against the EU AI Act risk categories. We maintain documentation of all AI system risk assessments.
Transparency: Users are clearly informed when they are interacting with AI-generated content or recommendations.
Human Oversight: All AI outputs are presented as recommendations. Final decisions remain with human users at all times.
Technical Documentation: Full technical documentation of our AI systems is maintained in accordance with EU AI Act requirements.

Data Protection

Your Data, Fully Encrypted, Always

Bidovate employs defence-in-depth encryption across every layer of the platform.

Encryption at Rest: All customer data is encrypted using AES-256, an internationally recognised encryption standard.
Encryption in Transit: Every connection to Bidovate is secured with TLS 1.3, ensuring data cannot be intercepted during transmission.
Encryption Key Management: Encryption keys are managed through a dedicated key management service with automatic rotation, strict access controls, and full audit trails. For on-premise deployments, customers can manage their own encryption keys.

No unencrypted customer data is ever stored or transmitted.

Access Control

Granular Control Over Who Sees What

Role-Based Access Control (RBAC): Define precisely which team members can view, edit, or manage tenders, proposals, and pipeline data. Permissions are fully configurable by role and by project.
Multi-Factor Authentication (MFA): MFA is enforced across all accounts. We support authenticator apps, hardware security keys, and SMS-based verification.
Single Sign-On (SSO/SAML): Integrate Bidovate with your existing identity provider, Okta, Azure AD, Google Workspace, or any SAML 2.0 provider, for seamless, centralised access management.
Session Management: Configurable session timeouts, automatic lockout after failed attempts, and the ability to revoke active sessions remotely.
IP Whitelisting: Restrict platform access to approved IP addresses or ranges, ensuring only authorised networks can connect.

AI & Data Privacy

AI That Respects Your Data Boundaries

Bidovate uses AI to help you find, analyse, and respond to tenders faster. We take an uncompromising approach to how your data is handled within our AI systems.

Zero Model Training on Customer Data: Your tender data, proposal content, and documents are never used to train or fine-tune any AI model, full stop.
Isolated Processing: All AI inference happens in isolated, ephemeral environments. Your data is processed and discarded; it is never pooled with other customers' data.
No Data Sharing: Customer data is never shared with third-party AI providers, partners, or any external party.
Data Deletion on Request: You can request complete deletion of your data at any time. Deletion is permanent and verified, in full compliance with GDPR Article 17 (Right to Erasure).

On-Premise Deployment

Deploy Bidovate Behind Your Own Firewall

For organisations that require complete control over their data environment, Bidovate offers a full on-premise deployment option.

Self-Hosted Infrastructure: Run Bidovate entirely within your own data centre or private cloud. No data leaves your environment.
Air-Gapped Environments: Bidovate supports fully air-gapped deployments for organisations operating in restricted network environments.
Customer-Managed Encryption Keys: Maintain full ownership and control of all encryption keys. Bidovate never has access to your keys in an on-premise deployment.

No other procurement intelligence platform offers on-premise deployment. Bidovate is the only platform of its kind that gives you the option to keep every byte of data within your own infrastructure.

Infrastructure

Built on European-Hosted Infrastructure

EU-Hosted Infrastructure: Bidovate's cloud infrastructure is hosted entirely within the European Union, ensuring full data sovereignty for EU customers.
EU Data Residency: All customer data is stored and processed exclusively within EU data centres. No data is transferred or replicated outside the EU/EEA.
Redundancy: Multi-availability-zone architecture ensures high availability and resilience against localised failures.
Backup: Automated daily backups with point-in-time recovery. Backups are encrypted and stored in geographically separate EU regions.
Disaster Recovery: Documented disaster recovery plan with defined RPO and RTO targets. Regular DR drills are conducted and results are documented.

Audit & Monitoring

Complete Visibility Into Platform Activity

Comprehensive Audit Logs: Every user action, API call, configuration change, and data access event is logged with full detail, who, what, when, and where.
Real-Time Monitoring: Continuous monitoring of infrastructure, application, and network layers with automated alerting for anomalous activity.
Penetration Testing: Independent third-party penetration tests are conducted at least annually. Results and remediation actions are documented.
Vulnerability Scanning: Automated vulnerability scanning runs continuously across all platform components, with critical findings addressed within defined SLA windows.

Incident Response

Prepared, Transparent, Accountable

Defined SLA: Bidovate maintains a documented incident response plan with defined severity levels and response time SLAs. Critical incidents are acknowledged within 1 hour.
Communication Procedures: Affected customers are notified promptly via email and in-app notification. Status updates are provided at regular intervals throughout the incident lifecycle.
GDPR Breach Notification: In the event of a personal data breach, supervisory authorities are notified within 72 hours and affected data subjects are notified without undue delay, in accordance with GDPR Articles 33 and 34.
Post-Incident Review: Every security incident undergoes a thorough post-incident review. Root cause analysis and corrective actions are documented and shared with affected customers upon request.

Compliance Roadmap

Where We Are and Where We're Headed

Bidovate maintains an active, evolving compliance programme. Here is our current status across key frameworks.

FrameworkStatusDetails
SOC 2 Type IICertifiedIndependently audited annually. Covers security, availability, and confidentiality.
ISO 27001CertifiedInformation security management system (ISMS) certified.
ISO 27017CertifiedCloud-specific security controls certified.
GDPRCompliantFull compliance with all GDPR requirements. DPA available upon request.
EU AI ActReadiness ProgrammeProactive alignment with EU AI Act requirements ahead of enforcement deadlines.
Cyber EssentialsPlannedCertification planned for the UK market.

EU AI Act compliance is part of our active readiness programme. Cyber Essentials certification is planned for the UK market. We will update this page as our compliance programme progresses.

Have security questions?

Reach our security team directly. We respond within one business day.

Security team
security@bidovate.co

Our security team responds within one business day.

Book a Demo

See Bidovate's security architecture in action with a personalised walkthrough.

Last updated: June 2026