BlastRFQ rocket logoBlastRFQ
MaterialsROI CalculatorPricing
Sign in
BlastRFQBlastRFQ

One RFQ. Every qualified vendor. Instantly.

How it worksMaterialsPricingROI CalculatorChangelogRoadmapPartnersSecurityPrivacy PolicyTerms of Service
BlastRFQ, accelerate procurement

Accelerate procurement

© 2026 BlastRFQ LLC. All rights reserved.·BlastRFQ LLC is a product of Cutstep AI LLC.

BlastRFQ LLC · Chicago, IL 60601

Vendor communications sent through BlastRFQ include an unsubscribe link in every email. To opt out of future RFQ notifications, use the unsubscribe link in any email you received.

Enterprise-grade security

Security at BlastRFQ

We handle your most sensitive manufacturing data-RFQ specifications, vendor relationships, and pricing intelligence. Your trust is our responsibility. BlastRFQ is built on industry-standard security practices and transparent safeguards.

TLS 1.3+

All data encrypted in transit

Row-Level

Service-role locked at the DB layer

Multi-tenant

Complete data isolation

Data Encryption

All data transmitted to and from BlastRFQ is encrypted using TLS 1.3, the industry standard for secure communication. Your RFQ specifications, vendor quotes, and pricing data are protected at every step.

  • In Transit: All connections use TLS 1.3 encryption. Data is unreadable to third parties.
  • At Rest: All database records are encrypted at the application layer using industry-standard algorithms.
  • Automatic HTTPS: All BlastRFQ connections are redirected to HTTPS-no mixed content, no exceptions.

What's Encrypted

  • RFQ specifications & files
  • Vendor quotes & bids
  • Pricing & cost data
  • User credentials & API keys
  • All file attachments

Authentication Features

  • Clerk Authentication: Industry-leading identity platform
  • SSO Support: SAML 2.0 for enterprise customers
  • MFA Available: Optional two-factor authentication
  • Session Management: Automatic logout and secure sessions
  • Password Security: Salted hashing, no plaintext storage

Authentication & Access Control

We use Clerk as our authentication provider-trusted by thousands of companies to secure user access. Authentication is just the first step. Role-based access controls ensure that only authorized team members can view sensitive data.

Buyer & Vendor Data Separation

Buyers and vendors operate in isolated views. A vendor cannot see other vendors' bids; a buyer cannot see another buyer's RFQ specs. Isolation is enforced in two layers: every server-side route handler checks the authenticated user's organization against the requested record, and the underlying database tables are locked to service-role access only so anonymous or stray-authenticated calls can't reach them at all.

  • Buyer Role: Can create RFQs, invite vendors, view quotes, and manage team members
  • Vendor Role: Can view invited RFQs, submit quotes, manage capabilities-zero access to other buyers' data

Database Security

BlastRFQ runs on Supabase (managed PostgreSQL). Every sensitive table enforces a service_role_onlyrow-level security policy: anonymous and authenticated database roles cannot read these tables at all. The application reaches the database through server-side route handlers using service-role credentials, after Clerk has verified the user's session.

  • Row-Level Security (RLS): Every sensitive table is locked to service-role. Defense-in-depth — even if a bug bypasses the route handler, the database refuses anonymous or authenticated reads.
  • Per-tenant authorization at the route layer:Every server-side handler checks the authenticated user's organization against the requested record before reading or writing.
  • Schema-drift monitoring: Continuous monitoring catches any DDL applied outside the migration tracking. Hourly drift detection between deployments.
  • Daily health audit: Production data is scanned daily for silent degradation — orphan records, matview staleness, bounced contacts still flagged active, dedup backlog.
  • Automatic Backups: Supabase performs continuous backups with point-in-time recovery options.

Supabase Infrastructure

Hosted On

AWS with geographic redundancy

Database

PostgreSQL with enterprise upgrades

Compliance

SOC 2, HIPAA-ready infrastructure

Uptime SLA

99.9% guaranteed availability

Payment Processing

  • Stripe Payment Processing: PCI Level 1 certified
  • No Card Storage: BlastRFQ servers never touch credit card data
  • Tokenization: Card details are tokenized securely by Stripe
  • Fraud Detection: Advanced machine learning-powered fraud prevention
  • Secure Webhooks: Payment confirmations use signed webhook verification

Payment Security

BlastRFQ uses Stripe for all payment processing. We never touch, store, or see your credit card information-Stripe handles all payment processing with PCI Level 1 certification, the highest standard in the industry.

This means your billing information is as protected as payments on Amazon, Shopify, and other trusted platforms. Your RFQ data and your payment data are completely separate systems.

PCI DSS Compliance: By using Stripe for payments, BlastRFQ avoids the complexity of storing sensitive cardholder data. This reduces attack surface and ensures compliance with PCI Data Security Standards.

Infrastructure & Deployment

BlastRFQ is deployed on Vercel, the platform built by the creators of Next.js. Vercel provides edge computing, automatic HTTPS, DDoS protection, and global CDN distribution for low latency and high availability.

  • Automatic HTTPS: Every request is encrypted. No configuration required.
  • Global CDN: Content served from locations near users for low latency.
  • DDoS Protection: Built-in protection against distributed denial-of-service attacks.
  • Automatic Scaling: Infrastructure scales automatically during peak usage.
  • Zero-Downtime Deployments: Updates and fixes deploy instantly without service interruption.

Tech Stack

Frontend

Next.js on Vercel Edge Network

Backend

Next.js route handlers with Clerk-gated authorization

Database

Supabase (PostgreSQL) with row-level security

Authentication

Clerk (SSO-ready, MFA support)

Payments

Stripe (PCI Level 1)

Monitoring

Uptime tracking & error monitoring

Our Security Commitments

We take security seriously at every level. Here are the practices we follow to protect your data.

Regular Updates

We keep all dependencies, frameworks, and infrastructure up to date with the latest security patches.

Vulnerability Scanning

Automated scanning for known vulnerabilities in dependencies. Manual code review for each release.

Access Controls

Limited team access. Internal admin tools require multi-factor authentication and audit logging.

Secrets Management

All API keys and secrets are stored securely using environment variables and never committed to code.

Monitoring & Alerts

Real-time monitoring of application performance, error rates, and security events with automated alerts.

Data Privacy

We never share customer data with third parties. Your RFQ specs and pricing data are yours alone.

Found a Security Issue?

We take security vulnerabilities seriously and appreciate responsible disclosure. If you discover a potential security issue, please report it directly to us rather than posting publicly.

Responsible Disclosure

Please send a detailed description of the vulnerability to:

nick@blastrfq.com

Include: steps to reproduce, affected component, potential impact, and your recommended fix (if any).

Please do not: Publicly disclose the vulnerability until we have had time to investigate and release a fix. We will credit you in the fix notes if you wish and provide a responsible disclosure timeline.

Your Data, Your Control

We understand that your RFQ specifications are proprietary manufacturing IP. Your vendor relationships and pricing intelligence are competitive advantages. BlastRFQ is built on the principle that your data is yours alone.

Your Rights

  • You own all RFQs, quotes, and data you upload
  • You control who can access your data via team permissions
  • You can export or delete your data at any time
  • We never sell your data to third parties
  • Your data is not used for training AI models

Our Obligations

  • Protect your data with encryption and access controls
  • Respond to security issues responsibly and promptly
  • Keep your data secure and available 99.9% uptime
  • Notify you promptly of any security incidents
  • Maintain transparent privacy and security policies

Security Questions?

We're happy to discuss security practices, compliance requirements, or any concerns you have. Reach out to our support team.

Contact Support Enterprise Inquiry