Security
Last updated: June 9, 2026
Overview
BIDS handles federal and state contracting profiles for small businesses, including identifiers like your EIN, UEI, and CAGE code, plus your capability statement, past performance, and active applications. We treat that data as sensitive and design BIDS to keep it that way.
This page is a plain-language summary of how we protect your account and data. For detailed legal terms see our Privacy Policy and Terms of Service.
Authentication and account access
Sign-in is handled through a managed identity provider. You can sign in with Google, Microsoft, or a single-use sign-in link ("magic link") sent to your email address. BIDS never stores or sees your Google or Microsoft password; the identity provider only tells BIDS that you authenticated.
Optional two-factor authentication (2FA). Every BIDS user can enable time-based one-time passwords (TOTP) using a standard authenticator app. Once enabled, a 6-digit code is required at every sign-in. You can turn 2FA on or off from your account settings on the Profile page.
A session that has 2FA enabled but has not yet passed the second-factor check is short-lived and expires automatically if the code is not entered; you do not need to do anything to close it. We do not offer SMS codes as a factor because of the well-documented risk of SIM-swap attacks.
Encryption and sensitive data
All traffic to and from BIDS uses HTTPS (TLS). Sensitive identifiers, including your EIN, are encrypted at rest with industry-standard authenticated encryption, which detects tampering as well as hiding the contents, and the encryption key is stored in a managed secrets store separate from the application code and the database. EIN and similar identifiers are decrypted only during short-lived server-side processing and are never returned to the browser as plaintext except through dedicated, audited "copy-to-clipboard" flows that you explicitly trigger.
We never store your card number or full payment credentials. Subscription billing is handled by Stripe under their own PCI-compliant processing.
Account isolation
Every record in BIDS is bound to your user identity at the database level. Other BIDS users cannot read, modify, or list your business profile, applications, saved opportunities, or notifications. Server-side endpoints check your identity on every request before reading or writing data on your behalf.
Integrations
BIDS pulls public opportunity data from sources like SAM.gov, Grants.gov, USASpending, and state procurement systems. These integrations only retrieve information — they do not send your business data to those systems unless you initiate a submission.
Webhooks from third-party services (such as billing events from Stripe) are verified against the sending service's signature before BIDS acts on them, and events that have already been processed are detected and ignored, so a captured request cannot be replayed to trigger the same action twice.
Auditability and access controls
Server-side access to sensitive fields is recorded in an internal audit log alongside the timestamp, the reason for access, and a request identifier. Production access by The Freedom Project staff follows least-privilege principles and is reserved for incident response, compliance review, and direct support requests you initiate.
Submissions you sign in BIDS are recorded in a tamper-evident audit log that retains the action, the time, and a redacted snapshot of the submission so the record can be reconstructed without exposing your sensitive identifiers.
Reporting a security issue
If you believe you've found a security vulnerability, configuration weakness, or unintended data exposure in BIDS, please contact us at [email protected] with the subject line “Security Report”. Please include:
- A description of the issue and the potential impact
- Steps to reproduce, if applicable
- Any screenshots or proof-of-concept material that helps us reproduce
- Whether you would like attribution if we publish a fix summary
We commit to acknowledging legitimate reports within five business days and to keeping you informed as we investigate and remediate. We ask that researchers act in good faith, avoid privacy violations, refrain from automated scanning that would degrade service for other users, and give us a reasonable window to respond before public disclosure.
We do not currently operate a paid bug-bounty program but are happy to publicly thank researchers who help us improve BIDS.
What you can do
A few simple steps make your BIDS account materially harder to compromise:
- Enable two-factor authentication from your Profile page. It takes about a minute.
- Use a unique password on the Google or Microsoft account you sign in with, and on the email account that receives your magic links, and enable 2FA there as well. Whoever controls that account can sign in to BIDS as you.
- Don't forward magic-link emails to anyone — magic links are single-use sign-in credentials.
- Sign out of shared devices when finished, particularly on hardware you don't personally control.
- Review your business profile from time to time and remove any information you no longer need on file.
Changes to this page
We may update this page as our practices evolve. The date at the top reflects the most recent material change. Substantive changes affecting how your data is protected will also be reflected in the Privacy Policy.