Security & Data Handling
Security & Compliance Overview
GovDraft is built as a drafting engine, not a document repository. Your proposals and solicitations stay in your own storage, and GovDraft keeps only the minimum data needed to run the workspace.
Your data stays in your own storage
GovDraft does not act as long-term storage for your proposal files. When you work on a solicitation, GovDraft parses it inside a secure, isolated workspace, then sends all exports directly to your connected storage:
- Google Drive
- Dropbox
Exports are written into an auto-organized folder structure in your own account:
/GovDraft/YYYY/MM
After export, GovDraft does not keep a permanent copy of the file on its own servers.
What GovDraft stores
To power your dashboard, analytics, and workspace, GovDraft keeps only lightweight metadata, not your full proposal content. This includes:
- Project and proposal titles
- NAICS tags and basic classification
- Export and usage analytics (counts and timestamps)
- Branding toggle status per workspace
- High-level proposal metadata such as due dates or volume names
GovDraft does not keep a long-term, indexable store of your full solicitation or proposal text. Content used for drafting lives in a short-lived, encrypted parsing cache.
Temporary parsing cache (7-day window)
When you upload a solicitation, GovDraft creates a temporary parsing workspace to extract Sections L and M, build your Compliance Matrix, and support drafting. This workspace:
- Lives in an isolated Supabase storage bucket
- Is encrypted at rest and never publicly exposed
- Is used only for compliance parsing and drafting
- Is automatically cleared on a rolling 7-day schedule
The goal is simple: you can refresh your browser or come back during the week, but GovDraft does not keep indefinite copies of your source documents.
Data retention and archive options
GovDraft follows a clear retention policy for the metadata it stores:
- After cancellation, workspace metadata is retained for 1 year by default.
- Before deletion, GovDraft provides a 30-day warning window.
- An optional 3-year Extended Archive Plan is available as a paid add-on to preserve access to your metadata and export history.
Your actual documents remain in your own Google Drive or Dropbox. You control how long they are kept, shared, or deleted.
Authentication and access control
GovDraft uses standard, battle-tested authentication and authorization patterns:
- Sign in with Google and Microsoft via OAuth providers
- Supabase Row Level Security (RLS) to ensure each user can only access their own data
- Session-based validation on all private API routes; service role keys are used only on the backend
- No public API that exposes proposal or solicitation data
All communication with GovDraft uses HTTPS, and sensitive tokens are stored and refreshed securely server-side.
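The per-user isolation described above can be expressed as Supabase RLS policies. The SQL below is an added example and not GovDraft's own schema: the `public.proposals` table, its `owner_id` column and the `parsing-cache` bucket name are assumed.

```sql
-- Added example (not GovDraft's schema): Supabase RLS for per-user isolation.
-- Assumed names: table public.proposals with owner_id, bucket 'parsing-cache'.

-- 1. Metadata table: each row is owned by exactly one authenticated user.
create table if not exists public.proposals (
  id          uuid primary key default gen_random_uuid(),
  owner_id    uuid not null default auth.uid(),
  title       text not null,
  naics_code  text,
  due_date    date,
  created_at  timestamptz not null default now()
);

-- With RLS enabled and no policy, anon/authenticated roles see nothing;
-- only explicit policies grant access.
alter table public.proposals enable row level security;

-- auth.uid() is the user id from the caller's JWT. The service role key
-- bypasses RLS entirely, which is why it must never leave the backend.
create policy "proposals: owner can read"
  on public.proposals for select
  to authenticated
  using (owner_id = auth.uid());

create policy "proposals: owner can insert"
  on public.proposals for insert
  to authenticated
  with check (owner_id = auth.uid());

create policy "proposals: owner can update"
  on public.proposals for update
  to authenticated
  using (owner_id = auth.uid())
  with check (owner_id = auth.uid());

create policy "proposals: owner can delete"
  on public.proposals for delete
  to authenticated
  using (owner_id = auth.uid());

-- 2. Parsing cache bucket: private (public = false), and each user may only
-- touch objects under a folder named after their own user id,
-- e.g. parsing-cache/<auth.uid()>/solicitation.pdf
insert into storage.buckets (id, name, public)
values ('parsing-cache', 'parsing-cache', false)
on conflict (id) do nothing;

create policy "parsing-cache: owner folder only"
  on storage.objects for all
  to authenticated
  using (bucket_id = 'parsing-cache'
         and (storage.foldername(name))[1] = auth.uid()::text)
  with check (bucket_id = 'parsing-cache'
              and (storage.foldername(name))[1] = auth.uid()::text);
```

A query issued with the anon key and one user's JWT returns only that user's rows and objects, while the same query with the service role key bypasses every policy, which is the property that justifies keeping that key server-side only.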
AI model usage
GovDraft uses AI models to help parse solicitations and draft proposal language. Those models see only:
- The text you upload or paste into GovDraft
- The draft content you choose to generate or edit
- Structured metadata you provide about your company
GovDraft does not use your content to train public models or build unrelated datasets. Drafts and solicitations are processed to serve your workspace only.
Compliance-focused by design
GovDraft is built around compliance rather than generic document editing. Core design choices include:
- Zero-hallucination rules for proposal generation and compliance matrices
- Closed-world drafting that relies only on your solicitation and company data
- No public sharing links. You decide how and where documents are shared.
- Export naming and folder structure designed for audits and APEX/SBA advisor workflows
GovDraft is not a cloud file cabinet. It is a controlled drafting workspace that hands long-term storage and sharing back to you.