Security & compliance

01

Export-control screening

Every RFQ passes BIS/EAR-aligned screening (D-024) against a maintained restricted-country and restricted-GPU list before reaching a partner.

02

GDPR-ready data handling

Self-serve export and deletion via Settings → Privacy. Deletion anonymizes records that legal and audit obligations require us to keep.

03

Postgres row-level security

Buyer-scoped RLS policies on RFQ, quote, contract, and contact tables. Service-role access is auditable.

04

Append-only audit log

Every status transition (RFQ submit, quote send, contract activation) writes to an immutable audit_events table.

05

Master Services Agreement

One MSA, signed once. Each contract attaches a deal-specific addendum — no re-negotiation per SKU.

06

Magic-link authentication

Passwordless sign-in over a domain-authenticated email channel. Sessions are short-lived JWTs with sliding refresh.

Reporting a security issue

Email security disclosures to hello@gpupartner.com; a dedicated security@ alias is forthcoming. Please include reproduction steps and any affected URLs. We respond to confirmed reports within one business day.