Privacy Policy
Last updated: April 4, 2026
This policy is subject to change. We will notify registered users of material changes via email.
1. Information We Collect
Company Information
When you create an account, we collect your company name, CAGE code, Unique Entity ID (UID), point-of-contact details (name, email, phone), and business address. This information is used to identify your organization and may appear in the contractor directory if you enable public visibility.
Compliance Documents
You may upload compliance-related documents such as SPRS assessments, CMMC certifications, System Security Plans (SSPs), Plans of Action and Milestones (POA&Ms), and other evidence. These documents are stored securely and subject to the access controls described below.
Government Contract Documents
Prime contractors may upload government contract documents (PDFs) for automated clause identification and metadata extraction. Contract documents are processed in real-time and immediately deleted after processing. We do NOT store, retain, or archive government contract documents.
When you upload a contract document:
- Processing: The document is temporarily uploaded to DigitalOcean Spaces, sent to the Claude API (Anthropic) for AI-powered analysis, and then immediately deleted from storage.
- Extracted data: We extract and store only contract metadata (contract number, dates, agency name, identified clauses). This metadata is retained in our database.
- Not extracted or stored: Financial information, pricing data, profit margins, funding details, proprietary technical specifications, and the original PDF document itself are NOT retained.
- AI Processing:Contract documents are sent to the Claude API (Anthropic) for transient analysis only. See "AI-Powered Processing" section below for details.
Do not upload classified, FOUO, CUI, ITAR-controlled, or restricted documents. Flowdown Defender is not authorized or equipped to handle classified information.
Usage Data
We collect standard usage data including page views, feature interactions, IP addresses, browser type, and timestamps. This data is used to improve the Platform and troubleshoot issues.
Payment Information
Payment details (credit card numbers, billing addresses) are collected and processed by Stripe. We do not store payment card data on our servers. We receive transaction confirmations and subscription status from Stripe.
2. How We Store Your Data
All data is stored on encrypted infrastructure hosted by DigitalOcean. Our database uses encrypted connections (TLS). Uploaded documents are stored in DigitalOcean Spaces (S3-compatible object storage) with server-side encryption. All data transfers between your browser and our servers are encrypted via HTTPS/TLS.
3. Document Visibility and Access Control
Your compliance documents and data are visible to:
- Your company: All team members on your account can view your compliance data and documents.
- Connected Prime contractors: Prime contractors who have an accepted connection with your company AND have you on an active project can view your compliance records and documents. This is the core functionality that enables supply chain compliance monitoring.
Your data is not visible to unconnected companies, the general public, or other subcontractors on the same project. Directory listings show only basic company information (name, CAGE code) and do not expose compliance documents.
4. Third-Party Services
We use the following third-party services to operate the Platform:
- Clerk — Authentication and user management. Handles sign-in/sign-up flows and session management.
- Stripe — Payment processing and subscription billing. Stores and processes payment card information.
- Resend — Transactional email delivery for notifications (expiration alerts, invitation emails).
- SAM.gov API — Federal contractor data lookup for directory enrichment. Publicly available government data.
- Claude API (Anthropic)— AI-powered document processing for automated compliance verification. Document content may be sent to Anthropic's API for analysis. Anthropic does not use API inputs for model training.
- DigitalOcean — Cloud infrastructure (compute, database, object storage, Kubernetes).
5. AI-Powered Processing
Flowdown Defender uses AI-powered document processing (provided by Anthropic's Claude API) to extract information from uploaded documents. This includes:
- Compliance documents: SPRS scores, CMMC certification levels, POA&M details, and other compliance metrics.
- Contract documents: Contract metadata, FAR/DFARS clause identification, CMMC level requirements, and CUI indicators.
- Section 889 documents: Vendor names, equipment types, and certification details from attestation forms.
How AI processing works:When you upload a document, the PDF content is sent to Anthropic's Claude API via secure HTTPS connection. The AI model analyzes the document and returns structured data (JSON format) which is then stored in our database. The original document is stored separately in encrypted object storage.
Data usage by AI provider:According to Anthropic's terms, API inputs are not used for model training. Documents sent to the Claude API are processed transiently and are not retained by Anthropic beyond the processing request.
Accuracy and verification: AI extraction is provided for convenience and efficiency. All extracted data is presented to you for review and confirmation before being saved. You are responsible for verifying the accuracy of AI-extracted information. We do not guarantee 100% accuracy of AI extraction.
Opting out: AI extraction is optional. You may manually enter compliance data instead of using AI-powered upload features.
6. Data Retention
We retain your data for as long as your account is active. If you cancel your subscription, your data remains stored for thirty (30) days to allow for reactivation. After 30 days, we may delete your data. Upon account termination, you may request a data export by contacting us.
Audit logs (activity history) are retained for twelve (12) months for security and compliance purposes.
7. Your Rights
You have the right to:
- Access your data at any time through the Platform
- Correct inaccurate company or compliance information
- Export your compliance data via CSV export features or by contacting support
- Delete your account and associated data by contacting us
- Control visibility by toggling your directory listing on or off
8. Cookies
We use essential cookies for authentication and session management (provided by Clerk). We do not use advertising or tracking cookies. No third-party analytics cookies are placed without your consent.
9. Children's Privacy
The Platform is designed for business use and is not directed at individuals under the age of 18. We do not knowingly collect personal information from children.
10. Contact
For questions about this privacy policy or to exercise your data rights, contact us at admin@flowdowndefender.com.