
Security Whitepaper

A procurement-oriented overview of TrustRFP AI security, governance, infrastructure, and operational controls.

Security model

TrustRFP AI is designed around workspace isolation, role-based access control, source-backed AI output, auditability, and private customer content handling.

  • Workspace-scoped records keep documents, projects, answers, exports, billing state, and audit logs separated.
  • RBAC gates administrative, billing, document, answer, export, and review workflows.
  • AI-generated answers are expected to include citations or be explicitly marked as no-source.

Infrastructure controls

Production deployments are expected to use managed PostgreSQL, private object storage, TLS, secret management, monitored workers, and cloud-native network controls.

  • The readiness endpoint blocks production startup when default secrets, local storage, or missing provider settings create material risk.
  • Uploads pass file-type, size, prompt-injection, PII-flagging, and executable-file checks before ingestion.
  • Exports are written through the configured storage provider and protected by workspace authorization.
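
The readiness gate described in the first bullet above, sketched as an added example (it is not TrustRFP AI's code). Every setting name, the placeholder-secret list, the required provider keys and the 32-character minimum are assumptions made for illustration.

```python
"""Hypothetical production readiness gate (illustrative; not TrustRFP AI code)."""
from dataclasses import dataclass, field

# Constructed examples of placeholder secrets that must never reach production.
DEFAULT_SECRETS = {"", "changeme", "secret", "dev-secret", "password"}
MIN_SECRET_LENGTH = 32  # assumed minimum length for a signing secret
# Assumed names for the provider settings a production deployment needs.
REQUIRED_PROVIDER_KEYS = ("database_url", "storage_bucket", "ai_api_key")


@dataclass
class Settings:
    # All field names are assumptions made for this example.
    environment: str = "development"
    signing_secret: str = "changeme"
    storage_backend: str = "local"  # "local" or the name of an object store
    provider_settings: dict = field(default_factory=dict)


def readiness_findings(s: Settings) -> list[str]:
    """Return every condition that makes this configuration unsafe."""
    findings = []
    secret = s.signing_secret.strip()
    if secret.lower() in DEFAULT_SECRETS or len(secret) < MIN_SECRET_LENGTH:
        findings.append("signing_secret is a default or too short")
    if s.storage_backend == "local":
        findings.append("storage_backend is local disk")
    for key in REQUIRED_PROVIDER_KEYS:
        if not s.provider_settings.get(key):
            findings.append(f"provider setting {key} is missing")
    return findings


def readiness(s: Settings) -> tuple[int, dict]:
    """Map findings to an HTTP-style status; findings block only in production."""
    findings = readiness_findings(s)
    blocking = s.environment == "production" and bool(findings)
    status = 503 if blocking else 200
    return status, {"ready": not blocking, "findings": findings}


def assert_ready_or_exit(s: Settings) -> None:
    """Call at process start so an unsafe production config never serves traffic."""
    status, body = readiness(s)
    if status != 200:
        raise SystemExit("refusing to start: " + "; ".join(body["findings"]))
```

Reporting the findings in development while blocking only in production keeps local setups usable and still surfaces the same list an operator would see on a failed production start.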

Operational controls

The platform records structured request logs, audit events, marketplace lifecycle events, usage reports, and AI generation metadata so customer-facing activity can be reviewed.