Security & Data Handling

Security & Compliance Overview

Last updated: December 22, 2025

Executive summary

GovDraft is a secure drafting workspace — not a document repository. We minimize data retention, export directly to your customer-controlled storage, and do not use your content to train public models. This design supports federal contracting workflows while reducing the compliance surface area.

GovDraft is not a system of record

GovDraft does not retain full proposal content as long-term storage. Final custody remains in your customer-controlled storage (Google Drive or Dropbox).

Security posture and scope

GovDraft is designed to align with common security expectations in federal contracting environments, including those evaluated during CMMC scoping. GovDraft operates as a drafting and compliance workspace, not a system of record.

  • GovDraft does not store classified data
  • Customer documents remain in customer-controlled storage
  • GovDraft is designed to minimize data retention and reduce compliance surface area
  • For security reviews or procurement requirements, use our centralized contact intake: Contact GovDraft

Data flow overview

This is the default lifecycle for solicitation and draft content in GovDraft:

  1. Upload/paste solicitation → temporary encrypted parsing cache (7-day window)
  2. Parse Sections L & M → build Compliance Matrix → support drafting
  3. Export directly to your Google Drive/Dropbox (auto-organized folders)
  4. Cache clears on a rolling schedule → no indefinite copies retained by GovDraft

Your data stays in your own storage

GovDraft does not act as long-term storage for your proposal files. When you work on a solicitation, GovDraft parses it inside a secure, isolated workspace, then sends all exports directly to your connected storage:

  • Google Drive
  • Dropbox

Exports are written into an auto-organized folder structure in your own account:

/GovDraft/YYYY/MM

After export, GovDraft does not keep a permanent copy of the file on its own servers.

What GovDraft stores

To power your dashboard and workspace, GovDraft stores lightweight metadata — not an indexable repository of your full proposal content. This includes:

  • Project and proposal titles
  • NAICS tags and basic classification
  • Export and usage analytics (counts and timestamps)
  • Branding toggle status per workspace
  • High-level proposal metadata such as due dates or volume names

GovDraft does not store Controlled Unclassified Information (CUI) as a system of record and is not intended to operate within a customer’s CMMC certification boundary.

Content used for drafting can exist in a short-lived, encrypted parsing cache to support the workspace experience.

Temporary parsing cache (7-day window)

When you upload a solicitation, GovDraft creates a temporary parsing workspace to extract Sections L and M, build your Compliance Matrix, and support drafting. This workspace:

  • Lives in an isolated storage bucket
  • Is encrypted at rest and never publicly exposed
  • Is used only for compliance parsing and drafting
  • Is automatically cleared on a rolling 7-day schedule

The goal is simple: you can refresh your browser or return during the week, but GovDraft does not keep indefinite copies of your source documents.

Important

Customers should avoid uploading CUI or export-controlled content (including ITAR-controlled technical data) unless their internal policies explicitly permit the use of an ephemeral drafting workspace.

Data retention and archive options

GovDraft follows a clear retention policy for the metadata it stores:

  • After cancellation, workspace metadata is retained for 1 year by default.
  • Before deletion, GovDraft provides a 30-day warning window.
  • An optional 3-year Extended Archive Plan is available as a paid add-on to preserve access to your metadata and export history.

Your actual documents remain in your own Google Drive or Dropbox. You control how long they are kept, shared, or deleted.

Authentication and access control

GovDraft uses standard authentication and authorization patterns:

  • Sign in with Google and Microsoft via OAuth providers
  • Row Level Security (RLS) to ensure each user can only access their own data
  • Session-based validation for private API routes; service keys are used only on the backend
  • No public API that exposes proposal or solicitation data

All communication with GovDraft uses HTTPS. Sensitive tokens are stored and refreshed on the server side only, so they are not exposed to the browser or to client-side code.
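The per-user isolation described above is commonly implemented with PostgreSQL Row Level Security. The following is an added illustration of that pattern, not GovDraft's own schema or code; the table, column, role and setting names (proposal_metadata, owner_id, app_user, app.user_id) are assumptions chosen for the example. It shows the two checks a reviewer usually asks about: that the policy fails closed when no user identity has been set on the session, and that a privileged credential (superuser or BYPASSRLS) ignores the policy entirely, which is why such a key has to stay on the backend.

```sql
-- Added example (not GovDraft's schema). Names are assumptions.
CREATE TABLE proposal_metadata (
    id         bigserial PRIMARY KEY,
    owner_id   uuid NOT NULL,
    title      text NOT NULL,
    due_date   date,
    naics_code text
);

-- RLS is off by default; FORCE makes it apply to the table owner too.
ALTER TABLE proposal_metadata ENABLE ROW LEVEL SECURITY;
ALTER TABLE proposal_metadata FORCE ROW LEVEL SECURITY;

-- Role used by request handlers. Deliberately NOT superuser and NOT BYPASSRLS:
-- a role with either attribute skips every policy below, so a credential for
-- such a role must never be handed to a browser client.
CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON proposal_metadata TO app_user;
GRANT USAGE, SELECT ON SEQUENCE proposal_metadata_id_seq TO app_user;

-- The backend sets app.user_id from the validated session at the start of each
-- transaction. NULLIF handles the unset/empty case: an unset identity yields
-- NULL, the comparison is NULL, and no rows match (fail closed, not fail open).
CREATE POLICY owner_only ON proposal_metadata
    FOR ALL TO app_user
    USING      (owner_id = NULLIF(current_setting('app.user_id', true), '')::uuid)
    WITH CHECK (owner_id = NULLIF(current_setting('app.user_id', true), '')::uuid);

-- Walkthrough with constructed ids.
BEGIN;
SET LOCAL ROLE app_user;
SET LOCAL app.user_id = '11111111-1111-1111-1111-111111111111';
INSERT INTO proposal_metadata (owner_id, title)
    VALUES (current_setting('app.user_id')::uuid, 'Volume I - Technical');
-- Writing a row for a different owner is rejected by WITH CHECK:
--   INSERT INTO proposal_metadata (owner_id, title)
--       VALUES ('22222222-2222-2222-2222-222222222222', 'x');
--   ERROR: new row violates row-level security policy for table "proposal_metadata"
COMMIT;

BEGIN;
SET LOCAL ROLE app_user;
SET LOCAL app.user_id = '22222222-2222-2222-2222-222222222222';
SELECT count(*) FROM proposal_metadata;   -- 0: user 1's row is filtered, not errored
COMMIT;

BEGIN;
SET LOCAL ROLE app_user;
-- No app.user_id set on this transaction at all:
SELECT count(*) FROM proposal_metadata;   -- 0: policy fails closed
COMMIT;
```

Two practical notes on this pattern: the policy is only as trustworthy as the code that sets app.user_id, so it must be derived from the server-validated session and never from a client-supplied header or parameter; and RLS hides rows rather than raising errors on reads, so tests for tenant isolation should assert on row counts seen from a second user's session, not on exceptions.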

AI model usage

GovDraft uses AI models to help parse solicitations and draft proposal language. Those models see only:

  • The text you upload or paste into GovDraft
  • The draft content you choose to generate or edit
  • Structured metadata you provide about your company

Your uploads and drafts are processed only to provide your workspace functionality. GovDraft does not use customer content to train public/shared models or build unrelated datasets.

Compliance positioning

GovDraft is designed to reduce data retention and keep proposal custody in customer-controlled storage. The notes below describe design intent and typical procurement frameworks that customers may reference. This page does not claim certification, authorization, or formal compliance status.

  • NIST SP 800-171: Designed to align with the intent of common controls for protecting CUI by minimizing retention and keeping long-term custody customer-controlled. This is a design alignment statement, not an assessed control implementation.
  • DFARS 252.204-7012: Designed to support contractor workflows commonly used under DFARS obligations by reducing data exposure and avoiding long-term storage of artifacts.
  • ITAR: GovDraft is not designed to store or manage ITAR-controlled technical data. Customers are responsible for determining export-control status and handling such data according to their internal policies and applicable regulations.
  • FedRAMP: GovDraft does not claim FedRAMP authorization. If your procurement requires FedRAMP, use our contact intake for a written position.
  • SOC 2: GovDraft does not claim SOC 2 certification. If your review requires audit reports, use our contact intake for current availability and scope.
  • CMMC: GovDraft does not claim CMMC certification and is not intended to operate within a customer’s CMMC certification boundary.

Request security documentation

If your team needs to complete a vendor review, GovDraft supports security questionnaires and due-diligence requests under NDA. Depending on your review requirements, we can provide security documentation and mapping notes as available and walk your reviewer through our architecture and data handling model.

  • Security architecture and data flow overview (expanded detail on request)
  • Control mapping notes for common GovCon frameworks (e.g., NIST 800-171 intent)
  • SSP-style documentation when required for a review (availability depends on scope)

Use our centralized intake: Contact GovDraft

Security and procurement questions

GovDraft is used by small businesses, consultants, and advisors supporting federal procurements. While GovDraft does not claim certification, its architecture is designed to minimize retention and keep final proposal custody with the customer.

  • GovDraft does not act as long-term document storage
  • Final proposal custody remains with the customer
  • Vendor review support is available under NDA

For security or compliance inquiries, use our centralized intake: Contact GovDraft

Note

This page describes GovDraft’s design intent and operational posture. It is not legal advice and should not be interpreted as a certification claim.

For legal or compliance inquiries, contact info@govdraft.com.