Security and privacy

Tender data is sensitive data

Tender documents, pricing models, and staffing plans shouldn't sit out in the open. Tenderen is built with security, traceability, and privacy as first principles — not as an afterthought.

Security principles

Four principles guide everything we build

Least privilege

Users, agents, and integrations get only the access they need for the task at hand. All access is logged and can be revoked instantly.

Data in the EU/EEA

All application and customer data is stored in data centers inside the EU/EEA. We do not transfer data to third countries without an explicit legal basis.

Encryption at rest and in transit

TLS 1.2+ for all traffic, AES-256 for stored documents and secrets. Per-customer keys for sensitive data rooms.

Traceability

Every document, every AI response, and every access event is logged with timestamp and user. You can reconstruct who saw what — and when.

Data handling

How data is handled in Tenderen

What we store

  • Tender documents and attachments you upload
  • Drafts, comments, and proposal documents
  • User profiles and access permissions
  • Audit log of changes and access events

What we don't do

  • We do not train models on your tender data
  • We do not share data with third parties for marketing
  • We do not sell metadata or behavioral data
  • We do not grant access to other customers or competitors

When data is deleted

  • You can delete documents at any time from the UI
  • Deleted data is removed from backups within 30 days
  • On termination, data is exported and deleted within 60 days
  • Logs are anonymized after the statutory retention period

Compliance and standards

Frameworks and certifications we follow

Tenderen is a young company. We are transparent about where we are on the certification journey.

GDPR

Full compliance with the EU General Data Protection Regulation. Data Processing Agreement available on request.

Norwegian Personal Data Act

The Norwegian implementation of GDPR. We follow guidance from the Norwegian Data Protection Authority.

ISO 27001 (in progress)

We are building out our information security management system. Certification planned for 2026.

Schrems II

No transfer of personal data to the US without a valid transfer mechanism.

Frequently asked questions

Security in practice

No. Neither we nor our model providers use your content for training. We have explicit data processing agreements that prohibit this.

Want more security details?

Send us an email — we are happy to share technical details, our DPA, or set up a call with our security lead.

No credit card requiredGet started in 2 minutes