Enterprise-grade security

Security at BlastRFQ

We handle your most sensitive manufacturing data: RFQ specifications, vendor relationships, and pricing intelligence. Your trust is our responsibility. BlastRFQ is built on industry-standard security practices and transparent safeguards.

TLS 1.3

All data encrypted in transit

Row-Level

Database security with RLS

Multi-tenant

Complete data isolation

Data Encryption

All data transmitted to and from BlastRFQ is encrypted using TLS 1.3, the current standard for secure communication. Your RFQ specifications, vendor quotes, and pricing data are protected at every step.

  • In Transit: All connections use TLS 1.3. Data cannot be read or tampered with by anyone observing the network.
  • At Rest: All database records are encrypted at the application layer before they are written, using industry-standard algorithms.
  • Automatic HTTPS: Every BlastRFQ connection is redirected to HTTPS. No mixed content, no exceptions.

What's Encrypted

  • RFQ specifications & files
  • Vendor quotes & bids
  • Pricing & cost data
  • User credentials & API keys
  • All file attachments

Authentication Features

  • Clerk Authentication: Industry-leading identity platform
  • SSO Support: SAML 2.0 for enterprise customers
  • MFA Available: Optional two-factor authentication
  • Session Management: Automatic logout and secure sessions
  • Password Security: Salted hashing, no plaintext storage

Authentication & Access Control

We use Clerk as our authentication provider, trusted by thousands of companies to secure user access. Authentication is only the first step: role-based access controls ensure that only authorized team members can view sensitive data.

Buyer & Vendor Data Separation

Buyers and vendors operate in completely isolated environments. A vendor cannot see other vendors' bids, and a buyer cannot see another buyer's RFQ specs. This separation is enforced at the database level, not just in the UI.

  • Buyer Role: Can create RFQs, invite vendors, view quotes, and manage team members
  • Vendor Role: Can view RFQs it was invited to, submit quotes, and manage capabilities; no access to uninvited RFQs or to other vendors' bids

Database Security

BlastRFQ runs on Supabase, a PostgreSQL-based backend with built-in security features. Queries are subject to row-level security (RLS) policies that enforce data isolation inside the database itself, so a request made on behalf of one organization cannot return another organization's rows even if an authorization check is missing from application code.

  • Row-Level Security (RLS): Policies scope every row to the buyer organization that owns it. Isolation is enforced by the database, not the application.
  • Automatic Backups: Supabase performs continuous backups with point-in-time recovery options.
  • Access Logging: All database access is logged and monitored for unauthorized activity.
  • Logical Isolation: Customers share one database, but each customer's data is logically isolated by RLS policies. Scaling does not weaken that isolation.
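The buyer/vendor separation and the database-enforced isolation described in the two sections above can be expressed directly as PostgreSQL row-level security policies. The following is an added example, not BlastRFQ's own schema or policies: the table and column names, the "org_id" JWT claim, and the sample organization and RFQ identifiers are assumptions for illustration. It runs on a plain PostgreSQL 13+ instance; the request.jwt.claims setting it reads is the same one Supabase's auth.jwt() reads.

```sql
-- Added example (not BlastRFQ's schema): buyer/vendor isolation as Postgres RLS.
-- Table and column names and the "org_id" JWT claim are assumptions.

create table rfqs (
  id           uuid primary key default gen_random_uuid(),
  buyer_org_id uuid not null,
  title        text not null
);

-- Which vendor organizations a buyer has invited to an RFQ. Left without RLS
-- here for brevity; a real schema needs policies on this table as well.
create table rfq_invitations (
  rfq_id        uuid not null references rfqs (id),
  vendor_org_id uuid not null,
  primary key (rfq_id, vendor_org_id)
);

create table quotes (
  id            uuid primary key default gen_random_uuid(),
  rfq_id        uuid not null references rfqs (id),
  vendor_org_id uuid not null,
  amount_cents  bigint not null
);

-- The caller's organization, taken from the verified JWT claims that the API
-- layer exposes to Postgres through the request.jwt.claims setting. With no
-- claim present this yields NULL, so every policy below evaluates to NULL,
-- which Postgres treats as "deny".
create function current_org_id() returns uuid
  language sql stable
  as $$
    select (nullif(current_setting('request.jwt.claims', true), '')::jsonb
            ->> 'org_id')::uuid
  $$;

alter table rfqs   enable row level security;
alter table quotes enable row level security;
-- Apply the policies to the table owner too. Superusers and roles with
-- BYPASSRLS still skip them, so application connections must use an ordinary role.
alter table rfqs   force row level security;
alter table quotes force row level security;

-- Buyers: full access to RFQs owned by their own organization.
create policy rfqs_buyer_own on rfqs
  for all
  using      (buyer_org_id = current_org_id())
  with check (buyer_org_id = current_org_id());

-- Vendors: read-only access to RFQs they were explicitly invited to.
create policy rfqs_vendor_invited on rfqs
  for select
  using (exists (select 1 from rfq_invitations i
                 where i.rfq_id = rfqs.id
                   and i.vendor_org_id = current_org_id()));

-- Quotes: a vendor sees and edits only its own quotes, and may only quote on
-- an RFQ it was invited to ...
create policy quotes_vendor_own on quotes
  for all
  using      (vendor_org_id = current_org_id())
  with check (vendor_org_id = current_org_id()
              and exists (select 1 from rfq_invitations i
                          where i.rfq_id = quotes.rfq_id
                            and i.vendor_org_id = current_org_id()));

-- ... while the buyer who owns the RFQ can read every quote submitted on it.
create policy quotes_buyer_read on quotes
  for select
  using (exists (select 1 from rfqs r
                 where r.id = quotes.rfq_id
                   and r.buyer_org_id = current_org_id()));

-- Constructed walk-through in one transaction. set_config(..., true) scopes the
-- claim to the transaction, mirroring one authenticated API request.
begin;
select set_config('request.jwt.claims', '{"org_id":"11111111-1111-4111-8111-111111111111"}', true);
insert into rfqs (id, buyer_org_id, title)
  values ('aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa', '11111111-1111-4111-8111-111111111111', 'Laser-cut brackets');
insert into rfq_invitations
  values ('aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa', '33333333-3333-4333-8333-333333333333');

select set_config('request.jwt.claims', '{"org_id":"22222222-2222-4222-8222-222222222222"}', true);
insert into rfqs (id, buyer_org_id, title)
  values ('bbbbbbbb-bbbb-4bbb-8bbb-bbbbbbbbbbbb', '22222222-2222-4222-8222-222222222222', 'CNC housings');
-- Buyer 2 asks for every RFQ but the policies return only its own.
select title from rfqs;

select set_config('request.jwt.claims', '{"org_id":"33333333-3333-4333-8333-333333333333"}', true);
-- Vendor 3 sees only the RFQ it was invited to and may quote on that one.
select title from rfqs;
insert into quotes (rfq_id, vendor_org_id, amount_cents)
  values ('aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa', '33333333-3333-4333-8333-333333333333', 125000);
rollback;
```

Two caveats a practitioner should keep in mind when reading the "even if a bug exists in the application" guarantee. First, policies only apply to queries issued by a role that is subject to them: in Supabase the service_role key connects with BYPASSRLS, so any server-side code path that uses it sits outside these policies, and per-request queries have to run under the user's own role and JWT for the isolation to be enforced by the database. Second, the policies are only as strong as the claim they trust: current_org_id() must come from a JWT the API layer has already verified, never from a client-supplied parameter.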

Supabase Infrastructure

Hosted On

AWS with geographic redundancy

Database

PostgreSQL with enterprise upgrades

Compliance

SOC 2, HIPAA-ready infrastructure

Uptime SLA

99.9% guaranteed availability

Payment Processing

  • Stripe Payment Processing: PCI DSS Level 1 service provider
  • No Card Storage: BlastRFQ servers never touch credit card data
  • Tokenization: Card details are tokenized by Stripe and never reach BlastRFQ
  • Fraud Detection: Machine learning-powered fraud prevention
  • Secure Webhooks: Payment events are verified against Stripe's webhook signature before they are acted on

Payment Security

BlastRFQ uses Stripe for all payment processing. We never touch, store, or see your credit card information; Stripe handles all payment processing as a PCI DSS Level 1 service provider, the highest level of PCI compliance.

This means your billing information is as protected as payments on Amazon, Shopify, and other trusted platforms. Your RFQ data and your payment data are completely separate systems.

PCI DSS Compliance: By delegating payments to Stripe, BlastRFQ never stores sensitive cardholder data. This reduces attack surface and keeps most of the PCI DSS burden out of BlastRFQ's own systems.

Infrastructure & Deployment

BlastRFQ is deployed on Vercel, the platform built by the creators of Next.js. Vercel provides edge computing, automatic HTTPS, DDoS protection, and global CDN distribution for low latency and high availability.

  • Automatic HTTPS: Every request is encrypted. No configuration required.
  • Global CDN: Content served from locations near users for low latency.
  • DDoS Protection: Built-in protection against distributed denial-of-service attacks.
  • Automatic Scaling: Infrastructure scales automatically during peak usage.
  • Zero-Downtime Deployments: Updates and fixes deploy instantly without service interruption.

Tech Stack

Frontend

Next.js on Vercel Edge Network

Backend

Next.js API Routes with RLS middleware

Database

Supabase (PostgreSQL) with row-level security

Authentication

Clerk (SSO-ready, MFA support)

Payments

Stripe (PCI Level 1)

Monitoring

Uptime tracking & error monitoring

Our Security Commitments

We take security seriously at every level. Here are the practices we follow to protect your data.

Regular Updates

We keep all dependencies, frameworks, and infrastructure up to date with the latest security patches.

Vulnerability Scanning

Automated scanning for known vulnerabilities in dependencies. Manual code review for each release.

Access Controls

Limited team access. Internal admin tools require multi-factor authentication and audit logging.

Secrets Management

All API keys and secrets are supplied to the application as environment variables at deploy time and are never committed to source control.

Monitoring & Alerts

Real-time monitoring of application performance, error rates, and security events with automated alerts.

Data Privacy

We never share customer data with third parties. Your RFQ specs and pricing data are yours alone.

Found a Security Issue?

We take security vulnerabilities seriously and appreciate responsible disclosure. If you discover a potential security issue, please report it directly to us rather than posting publicly.

Responsible Disclosure

Please send a detailed description of the vulnerability to:

nick@blastrfq.com

Include: steps to reproduce, affected component, potential impact, and your recommended fix (if any).

Please do not: Publicly disclose the vulnerability until we have had time to investigate and release a fix. We will credit you in the fix notes if you wish and provide a responsible disclosure timeline.

Your Data, Your Control

We understand that your RFQ specifications are proprietary manufacturing IP. Your vendor relationships and pricing intelligence are competitive advantages. BlastRFQ is built on the principle that your data is yours alone.

Your Rights

  • You own all RFQs, quotes, and data you upload
  • You control who can access your data via team permissions
  • You can export or delete your data at any time
  • We never sell your data to third parties
  • Your data is not used for training AI models

Our Obligations

  • Protect your data with encryption and access controls
  • Respond to security issues responsibly and promptly
  • Keep your data secure and available, with 99.9% uptime
  • Notify you promptly of any security incidents
  • Maintain transparent privacy and security policies

Security Questions?

We're happy to discuss security practices, compliance requirements, or any concerns you have. Reach out to our support team.