Privacy & Data Handling

How Axiogrid handles your data.

Federal proposal automation involves sensitive solicitation material. This page documents what we collect, where it goes, and what we never do with it.

Last updated: May 2026

01What we collect

Axiogrid is a software-as-a-service platform for generating federal proposal artifacts. We collect only what is necessary to run the pipeline and operate your account.

Data category	What it is
Uploaded documents	RFP packages you upload — typically PWS, FOPR, CDRL exhibits, Section J attachments, amendments, and optionally your company profile. Stored on encrypted persistent disk.
Pipeline outputs	Generated deliverables: BOE workbook, proposal volumes, compliance matrix, executive briefing, validation report, and similar artifacts produced by the agent pipeline.
Account information	Email address, hashed password, session tokens. No payment card data — billing is handled externally.
Usage telemetry	Pipeline run metadata: timestamps, agent execution status, error logs. Used for service reliability and debugging. No content of your proposals is included in telemetry.

02What we never do

Hard rules

We never train AI models on your data. Your uploaded documents and generated outputs are never used to fine-tune, evaluate, or otherwise improve any AI model — ours or any third party's.
We never sell or share your data with advertisers, data brokers, or marketing partners. Period.
We never read your proposals. Axiogrid staff do not access customer data except in narrow, logged, customer-authorized cases (e.g. a support ticket where you explicitly ask us to look).
We never retain data after deletion. When you delete a pipeline run or close your account, the data is purged from storage within 30 days, including backups.

03Where your data lives

Axiogrid is built on commercial-grade hosting infrastructure. We do not operate our own data centers.

Application hosting

Hosted on Render (US region), which runs on AWS infrastructure. Render is SOC 2 Type II attested. Application code, persistent storage, and database all reside within Render's controlled environment.

Static assets and DNS

The marketing site and login pages are served from Namecheap hosting. No proposal data ever touches the static-hosting environment — only the application backend on Render handles uploads and outputs.

AI agent processing

Pipeline agents call commercial LLM APIs (Anthropic) under enterprise data terms that prohibit training on customer inputs. Each call is stateless — providers receive a single prompt, return a response, and retain nothing beyond standard abuse-detection windows (typically ≤30 days).

Geographic location

All data is processed and stored in the continental United States. We do not transfer customer data outside the U.S. for any purpose.

04Encryption

In transit: All connections to axiogrid.ai use TLS 1.2 or higher. HTTP requests are automatically redirected to HTTPS.
At rest: Uploaded documents, generated outputs, and database contents are encrypted at rest using AES-256 (provided by Render's underlying storage layer).
Credentials: Passwords are hashed using industry-standard algorithms (bcrypt or equivalent). Session tokens are signed and time-limited.

05Retention and deletion

Data category	Default retention
Uploaded RFP files	Retained while the pipeline run exists. Deleted when you delete the pipeline run, or within 30 days of account closure.
Generated outputs	Same as above — tied to the pipeline run. Available for download anytime while the run exists.
Account information	Retained for the lifetime of your account. Deleted within 30 days of account closure.
Usage telemetry	Retained for up to 12 months for service reliability, then automatically purged.
Backups	Encrypted backups rotate on a 30-day cycle. Deletions propagate within one backup cycle.

You can request deletion of any pipeline run, output, or your entire account at any time by contacting us.

06Access controls

Authentication: Every page that handles your data requires sign-in. Sessions expire after a period of inactivity.
Authorization: Each pipeline run is scoped to the account that uploaded it. Other accounts cannot access your data.
Internal access: Production systems are accessible only to authorized Axiogrid engineering personnel, using multi-factor authentication. All production access is logged.
No shared production access: We do not give third-party vendors or contractors direct access to production data.

07Compliance posture

Axiogrid is built to align with the security expectations of federal contractors and the consultants who serve them.

Framework	Status
NIST SP 800-171	System Security Plan (SSP) aligned with all 110 controls. Available to enterprise prospects under NDA.
SOC 2 Type I/II	Type I assessment on roadmap. Underlying hosting infrastructure (Render) is SOC 2 Type II attested.
FedRAMP	Not currently required (Axiogrid is used by contractors as a productivity tool, not contracted directly to federal agencies). Will pursue if customer requirements arise.
CMMC	Self-assessment against Level 1 practices on roadmap. Most controls inherited from hosting infrastructure.
DFARS 252.204-7012	Aligned with safeguarding requirements for Covered Defense Information. Incident reporting process documented.

08Incident response

In the event of a security incident affecting customer data, Axiogrid commits to:

Notify affected customers within 72 hours of confirmed incident discovery, by email to the account owner.
Provide a written incident summary within 30 days, describing what happened, what data was involved, what containment was performed, and what remediation steps are being taken.
Cooperate with reasonable customer requests for additional forensic detail, including support for any onward reporting obligations the customer may have under federal contract clauses.

09Subprocessors

Axiogrid uses a small set of subprocessors to deliver the service. We maintain agreements with each that prohibit use of customer data outside of the service we have contracted them to provide.

Subprocessor	Purpose	Certifications
Render	Application hosting, database, persistent storage	SOC 2 Type II
Anthropic	LLM API for agent pipeline reasoning	SOC 2 Type II; enterprise data terms (no training on inputs)
Namecheap	DNS and static asset hosting (no customer data)	Vendor-managed

We will notify customers in advance of any material change to the subprocessor list.

10Your rights

You can, at any time and without needing to justify the request:

Download any of your pipeline outputs in their original formats.
Delete any pipeline run, removing the uploaded documents and the generated deliverables.
Request a copy of all data Axiogrid holds about your account.
Close your account, triggering deletion of all associated data within 30 days.
Ask questions about how a specific piece of data is handled.

Questions about data handling?

If your compliance or legal team needs additional detail, our System Security Plan (NIST 800-171 aligned) is available under NDA. Reach out and we will arrange the right level of disclosure.

contact@axiogrid.ai