Security & trust
How we protect your data
WinAContract is US-based and US-hosted, encrypts your data in transit and at rest, and limits who can touch it. Below is a plain-English summary of how the platform is secured, who our subprocessors are, and where our compliance stands today — stated honestly.
We only state what is true today. This page describes our current security posture, not aspirations. Where we don’t yet hold a formal certification, we say so plainly and tell you to ask for our current status rather than imply something we can’t back up. If your evaluation needs documented evidence, a completed security questionnaire, or a DPA, get in touch and we’ll provide it.
The essentials
The four things most buyers and security teams ask about first. The full technical detail lives on the platform security page.
US-based & US-hosted
WinAContract is built for US government contractors and runs on US-based cloud infrastructure. Your account data and the proposals you draft are hosted in the United States.
Encryption in transit & at rest
All traffic to and from the platform is encrypted in transit over TLS (HTTPS). Data stored by the platform — your account, opportunities you save, and the documents you create — is encrypted at rest by our cloud provider.
Access control & account security
Access to your data is gated behind authenticated accounts and role-based permissions. Internal access to production systems is limited to the people who need it to operate and support the service.
Data handling & privacy
We collect only what we need to run the service and we don’t sell your data. Our practices are aligned with the principles of CCPA and the GDPR. Full detail is in our privacy policy.
Security & data practices
- Traffic is served over HTTPS/TLS end to end — there is no unencrypted path to the application.
- Stored data is encrypted at rest using the managed encryption provided by our US cloud host.
- Authentication is required for every account; permissions are scoped so users only see their own organisation’s data.
- Production access for our team is least-privilege and limited to operations and support staff who need it.
- We minimise the personal data we hold and retain it only for as long as it is needed to provide the service.
- You can request export or deletion of your data — see our privacy policy or contact us.
See how we collect, use, and protect personal data in our privacy policy.
Subprocessors
To run the service we rely on a small number of trusted providers. These are the categories of subprocessor we use; the current, authoritative list is available on request.
Cloud hosting & infrastructure
US-based cloud platform that hosts the application, database, and encrypted storage.
AI model provider
Anthropic (Claude) powers the AI drafting and analysis features. Prompts are processed to generate responses; we do not use your content to train models.
Email delivery
Transactional and notification email (account, alerts, receipts) is sent via a third-party email delivery provider.
Payments
Card payments and subscriptions are processed by a PCI-compliant payment provider — we do not store full card numbers.
Product analytics
Consent-gated, privacy-respecting analytics used to understand and improve how the product is used.
Compliance posture
Stated honestly. We won’t claim a certification we don’t hold — where the answer is “ask us,” that’s exactly what we mean.
Privacy (CCPA / GDPR alignment)
In practice: Our data-handling practices are aligned with CCPA and GDPR principles. See the privacy policy for specifics on what we collect and your rights.
Encryption (in transit & at rest)
In place: TLS for all traffic; encryption at rest via our cloud provider.
SOC 2
Contact us for current status: We are happy to share our current security posture and roadmap under NDA. Ask us where we are before you assume — we won’t claim an attestation we don’t hold.
FedRAMP
On roadmap — contact us: WinAContract is not currently FedRAMP authorised. If FedRAMP is a requirement for your use case, talk to us so we can tell you honestly where it sits on our roadmap.
Data Processing Agreement (DPA)
Available on request: We can provide a DPA for customers who need one. Request it via the security contact below.
Full platform security details
Architecture, hosting, encryption, access controls, and operational security for the WinAContract platform are documented in depth on the platform security page.
Read the platform security page
Have a security questionnaire or need a DPA?
Send us your questionnaire, vendor-security review, or DPA and we’ll turn it around. We’re happy to share our current posture and roadmap under NDA so your team can sign off.
US-based & US-hosted. WinAContract is operated by eSourcing Data Ltd.

