BidQ
Your tender pricing is commercially sensitive. A leaked rate schedule or margin structure can cost you the job — or worse, give competitors an unfair advantage for years. We built BidQ with the assumption that this data is a target, and we protect it accordingly.
All data is encrypted at rest using AES-256 — the same standard used by banks and government agencies. Even if someone gained physical access to the server hardware, your data would be unreadable without the encryption keys.
All connections use TLS 1.2+ encryption. Data moving between your browser and our servers cannot be intercepted or read by anyone on the network — including on public Wi-Fi, shared office networks, or compromised routers.
Database backups are encrypted. File uploads — drawings, contracts, logos — are stored in encrypted object storage with time-limited signed URLs.
Passwords are hashed using bcrypt with per-user salts before storage. They are never stored in plain text, never logged, and never visible — not even to BidQ staff or database administrators.
If our database were ever compromised, attackers would see only irreversible cryptographic hashes. Reversing a bcrypt hash is computationally infeasible with current hardware.
Password reset uses time-limited, single-use tokens delivered to the registered email address. Old tokens are automatically invalidated.
Sessions are managed using short-lived JSON Web Tokens (JWT) with automatic refresh. Tokens expire and are re-issued regularly — a stolen token has a narrow window of validity.
Session cookies are set with the `HttpOnly` and `Secure` attributes, meaning they cannot be accessed by JavaScript or transmitted over unencrypted connections.
Logging out immediately invalidates the session server-side. Closing the browser clears session credentials.
Login attempts are rate-limited at the authentication layer. Repeated failed attempts from the same IP or against the same account trigger progressive delays and temporary lockout.
Supabase Auth (our authentication provider) enforces CAPTCHA challenges after suspicious login patterns, preventing automated credential-stuffing attacks.
Account recovery flows require access to the registered email address — password resets cannot be initiated without it.
BidQ is hosted on Amazon Web Services (AWS) via Supabase. AWS data centres hold SOC 2 Type II certification and ISO 27001 accreditation, with 24/7 physical security, biometric access controls, and dedicated security monitoring teams.
The application layer runs on Vercel's globally distributed edge network with built-in DDoS protection, automatic TLS certificate management, and deployment isolation.
The database is PostgreSQL with automated daily backups, continuous write-ahead log archiving for point-in-time recovery, and automatic failover. In the event of hardware failure, your data can be restored to any point in the preceding 30 days.
Every connection to BidQ is encrypted — there is no unencrypted HTTP access. All requests are automatically redirected to HTTPS with HSTS headers that instruct browsers to never attempt an insecure connection.
API endpoints, file uploads, drawing viewers, and shared tender links all enforce TLS. There is no pathway to transmit or receive data in the clear.
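The cookie-flag and HSTS statements above can be checked from the outside by inspecting response headers. The following is an added example, not BidQ's code: it audits a list of response headers for `Strict-Transport-Security` and for `HttpOnly`/`Secure` on every cookie. The 180-day minimum `max-age`, the function names, and the sample headers are assumptions constructed for illustration.

```python
MIN_HSTS_MAX_AGE = 15552000  # assumed threshold (180 days); not a value stated on this page

def parse_hsts(value):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains)."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            arg = arg.strip().strip('"')
            max_age = int(arg) if arg.isdigit() else None
        elif name == "includesubdomains":
            include_sub = True
    return max_age, include_sub

def cookie_attrs(set_cookie):
    """Return (cookie name, lower-cased attribute names) for one Set-Cookie value."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].partition("=")[0]
    attrs = {p.partition("=")[0].strip().lower() for p in parts[1:] if p}
    return name, attrs

def audit(headers):
    """headers: list of (name, value) pairs from an HTTPS response. Returns findings."""
    findings = []
    hsts = [v for n, v in headers if n.lower() == "strict-transport-security"]
    if not hsts:
        findings.append("HSTS header missing")
    else:
        max_age, _ = parse_hsts(hsts[0])
        # max-age=0 tells the browser to forget the policy, so it counts as a failure.
        if max_age is None or max_age < MIN_HSTS_MAX_AGE:
            findings.append(f"HSTS max-age too short: {max_age}")
    for n, v in headers:
        if n.lower() != "set-cookie":
            continue
        name, attrs = cookie_attrs(v)
        for required in ("httponly", "secure"):
            if required not in attrs:
                findings.append(f"cookie {name} lacks {required}")
    return findings

# Constructed sample responses (not captured from any real service).
GOOD = [("Strict-Transport-Security", "max-age=63072000; includeSubDomains"),
        ("Set-Cookie", "session=abc; Path=/; HttpOnly; Secure; SameSite=Lax")]
WEAK = [("Strict-Transport-Security", "max-age=0"),
        ("Set-Cookie", "session=abc; Path=/; Secure")]
```

An empty list from `audit` means the headers match the stated controls; each finding names the header or cookie that does not.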
Every organisation's data is logically isolated at the database level using PostgreSQL Row Level Security (RLS). This is enforced by the database engine itself — not application code — and applies to every query, insert, update, and delete.
In the unlikely event of a breach, an attacker who gained access to one account could not access another company's data. Each organisation's tenders, pricing, takeoff measurements, variations, and rate history are in completely separate security domains.
Shared tender links use revocable, optionally password-protected tokens with configurable expiry dates. Viewers see only what you choose to share — they never gain access to your account, pricing build-up, or other projects.
All secret keys, service credentials, and database access tokens are stored exclusively on the server side. They are never included in client-side JavaScript bundles, never exposed in browser developer tools, and never sent to the user's device.
The browser receives only the minimum data needed to render the current view. Pricing data, rate history, and tender details are fetched on demand and scoped to the user's permissions.
BidQ is designed to align with the New Zealand Information Security Manual (NZISM) and handles personal information in compliance with the Privacy Act 2020.
We do not sell, share, monetise, or use your data for any purpose other than providing the BidQ service to you. Your pricing data is yours.
Data can be exported or permanently deleted on request. Account deletion removes all associated tenders, measurements, pricing, and file uploads.
Questions about security, compliance, or data handling? We are happy to discuss your requirements in detail.