Do not upload CUI, classified information, export-controlled technical data, or sensitive customer data in this MVP. BidShield AI does not certify CMMC compliance.
Security posture
Built with explicit MVP boundaries
BidShield AI is defense-adjacent software, so the public website and application keep operational limits visible. The current build is suitable for local demo and development, not production handling of controlled data.
Important MVP limitation
Do not upload CUI, classified information, export-controlled technical data, or sensitive customer data. BidShield AI does not certify CMMC compliance.
No-CUI MVP boundary
The MVP policy prohibits CUI, classified information, export-controlled technical data, and sensitive customer data. The analyzer requires an explicit public-only acknowledgment before accepting input, but production-grade DLP, malware scanning, retention controls, and access controls are still required.
Private storage target
Production uploads are intended to use private Supabase storage buckets with metadata stored separately from file bytes.
Tenant isolation design
Tenant-scoped data models carry an organization_id column; membership checks exist as helpers in application code, and the Supabase RLS policies are documented as notes that must be applied and enforced before production.
Audit trail schema
The schema includes an audit_logs table covering uploads, analyses, exports, evidence changes, profile changes, and billing events; the route-level writes that populate it are not yet implemented.
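The tenant isolation and audit trail items above describe a design rather than shipped SQL. The following is an added example, not BidShield AI's own schema or policy artifact, of how the two fit together on Supabase/Postgres: every tenant-scoped table carries organization_id, a single membership helper backs the RLS policies, the audit_logs table is append-only, and the private storage bucket is readable only through the owning organization's upload rows. Table and function names (organization_members, uploads, audit_logs, audit_event, is_org_member, the bucket id "uploads") are assumptions; auth.uid(), auth.users, storage.buckets and storage.objects are standard Supabase objects.

```sql
-- Added example: tenant-scoped tables, RLS keyed on organization_id, and an
-- append-only audit_logs table. Names below are assumptions, not the product's.

-- Who belongs to which tenant. Rows are written by the service role only.
create table if not exists organization_members (
  organization_id uuid not null,
  user_id         uuid not null references auth.users (id) on delete cascade,
  role            text not null default 'member',
  primary key (organization_id, user_id)
);

-- Upload metadata lives here; file bytes live only in a private storage bucket.
create table if not exists uploads (
  id              uuid primary key default gen_random_uuid(),
  organization_id uuid not null,
  uploaded_by     uuid not null references auth.users (id),
  storage_path    text not null,                   -- object key in the private bucket
  public_only_ack boolean not null default false,  -- explicit no-CUI acknowledgment
  created_at      timestamptz not null default now()
);

-- Event kinds named on the page; an enum keeps the audit trail queryable.
create type audit_event as enum (
  'upload', 'analysis', 'export', 'evidence_change', 'profile_change', 'billing_event'
);

create table if not exists audit_logs (
  id              bigint generated always as identity primary key,
  organization_id uuid not null,
  actor_id        uuid references auth.users (id),
  event           audit_event not null,
  target_table    text,
  target_id       text,
  details         jsonb not null default '{}'::jsonb,
  created_at      timestamptz not null default now()
);

-- Membership check used by every policy. SECURITY DEFINER lets it read
-- organization_members without recursing into that table's own RLS.
create or replace function is_org_member(org uuid)
returns boolean
language sql stable security definer set search_path = public
as $$
  select exists (
    select 1 from organization_members m
    where m.organization_id = org and m.user_id = auth.uid()
  );
$$;

alter table organization_members enable row level security;
alter table uploads               enable row level security;
alter table audit_logs            enable row level security;

-- Users see only their own membership rows.
create policy members_select on organization_members for select to authenticated
  using (user_id = auth.uid());

-- Uploads: read within the tenant; insert only as yourself, into your own
-- tenant, and only with the public-only acknowledgment set.
create policy uploads_select on uploads for select to authenticated
  using (is_org_member(organization_id));
create policy uploads_insert on uploads for insert to authenticated
  with check (is_org_member(organization_id)
              and uploaded_by = auth.uid()
              and public_only_ack);

-- Audit trail: readable within the tenant, appendable as yourself. No update
-- or delete policy exists, so RLS denies both for authenticated users.
create policy audit_select on audit_logs for select to authenticated
  using (is_org_member(organization_id));
create policy audit_insert on audit_logs for insert to authenticated
  with check (is_org_member(organization_id) and actor_id = auth.uid());

-- Private bucket: public = false means no anonymous object URLs.
insert into storage.buckets (id, name, public)
  values ('uploads', 'uploads', false)
  on conflict (id) do nothing;

-- Object reads are allowed only when an uploads row for that object key
-- belongs to a tenant the caller is a member of.
create policy uploads_objects_select on storage.objects for select to authenticated
  using (
    bucket_id = 'uploads'
    and exists (
      select 1 from uploads u
      where u.storage_path = storage.objects.name
        and is_org_member(u.organization_id)
    )
  );
```

The check a reviewer would run before calling this "applied and tested in a live project" is negative: sign in as a member of one organization and confirm that selects against uploads and audit_logs for another organization_id return zero rows, that an insert with a foreign organization_id or with public_only_ack = false is rejected, and that an update or delete on audit_logs fails. Because is_org_member is SECURITY DEFINER, keep its search_path pinned as shown and grant execute only to the authenticated role.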
Before production
The trust checklist is part of the product
These items are surfaced in the app and README because they are not optional for software in this category.
Verified official CMMC/FAR/NIST mappings
Supabase RLS policy artifact applied and tested in a live project
Security review and threat model
LLM provider retention and no-training review
Legal/compliance review
No-CUI operating policy or GovCloud/FedRAMP strategy