Security & Trust

Security is our foundation.
Not a feature.

Built on three pillars: your data deleted after delivery, no AI training, and enterprise-grade security controls.

Three Security Pillars

Deleted After Delivery

Your bid content is removed after each engagement. We keep only what's required for legal, billing, and security obligations — nothing more.

No AI Training

We never use customer data for training AI models, either internally or through third-party providers. Your data remains yours, is processed in a secure, isolated environment, and is not retained by us or third parties for training purposes.

Enterprise Security

Encrypted at rest and in transit, built on Google Cloud infrastructure, aligned with ISO 27001 best practices.

Certifications & Adherence

In progress

We're actively working toward formal certifications. We share progress transparently while operating with strict controls around data handling, privacy, and AI governance.

ISO 27001 (preparing for certification)

We're preparing for ISO 27001 certification to provide trust in our information security management.

ISO 42001 (preparing for certification)

We're preparing for ISO 42001 certification, giving customers confidence in how we build and run AI.

SOC 2 Type I (audit preparation)

We're preparing for a SOC 2 Type I audit to verify the design of our security and adherence controls.

GDPR Aligned

We operate in strict accordance with GDPR data privacy principles and EU data residency.

Independent Security Audit Report

An independently generated snapshot of the security controls we run across our code and infrastructure.

Automated technical assessment. Updated March 2026.

Enterprise-Grade Cloud Infrastructure

Our platform is built on world-class Google Cloud infrastructure, designed with multiple layers of defense to protect your data at every stage.

Data Encryption

At Rest

All data stored in our environment is encrypted at rest using industry-standard AES-256.

In Transit

All data transmitted between you and Midpilot, and within our internal network, is encrypted using TLS 1.2 or higher.

Infrastructure & Adherence

Logical Isolation

Each client's data and analysis run in a completely separate, logically isolated cloud environment. This architecture is designed to strictly isolate your data and mitigate the risk of cross-contamination.

European Data Residency

Our core AI processing and data storage infrastructure is configured to operate within the European Union, consistent with GDPR requirements.

World-Class Infrastructure

We build on top of Google Cloud's certified infrastructure (e.g., ISO 27001, SOC 2), inheriting their world-class physical and environmental security controls. These certifications apply to Google Cloud's infrastructure — our own organizational certifications are listed above.

Access Control

Privacy-First Access by Default

Bid content is primarily processed by the AI system and delivered as reports with citations. Human access is restricted by default and limited to necessary operational or support cases under internal controls.

Principle of Least Privilege

Internal access is strictly governed by the Principle of Least Privilege. Team members are only granted access to the specific systems required to perform their roles.

Multi-Factor Authentication

All access to our internal systems and infrastructure requires multi-factor authentication.

Security Through Simplicity

Our service model is inherently more secure than a traditional SaaS product.

Nothing to Install

No software on endpoints. If you share files via SharePoint or OneDrive, we connect through a read-only Microsoft 365 integration—scoped only to the folders you share, with no write access and no broader tenant permissions.

No Client-Side User Management

You don't need to worry about provisioning new user accounts, managing passwords, or offboarding former employees.

A Clear, Auditable Process

The service is easy to understand and audit. There are no “black boxes.” We provide a clear and transparent lifecycle for your data from start to finish.

Frequently Asked Questions

Have more questions? We'd be happy to answer them.

We welcome and encourage deep security reviews from our clients' technical teams. If you have further questions or would like to see our detailed security documentation, please get in touch.
