Security & Data Handling
Last updated June 10, 2026
SolicitFit handles unpublished SBIR/STTR IP. Our design minimizes how much of your content we hold and for how long.
Access control
- Authentication is handled by Clerk; sessions gate the entire app shell.
- Every owned record is scoped by owner (your user id, or your organization id for Team) in the server layer — you can only read your own scans, proposals, and usage.
- Team billing actions are restricted to organization admins.
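As an added illustration of the owner-scoping rule above (example code, not SolicitFit's own implementation), the sketch below derives the owner key from the verified session rather than from anything in the request, filters every query by that key before a record id is considered, and gates the billing action on an assumed "admin" role. The record shape, the sample scans and the role names are assumptions.

```typescript
// Added example (not SolicitFit's code): owner-scoped reads in the server layer.
// Assumption: every record carries an ownerId that is either a user id or, for a
// Team session, an organization id; the session says which context is active.

type Session = { userId: string; orgId?: string };

type Scan = { id: string; ownerId: string; findings: string[] };

// Constructed sample data: two personal scans and one owned by an organization.
const SCANS: Scan[] = [
  { id: "scan_1", ownerId: "user_alice", findings: ["page count ok"] },
  { id: "scan_2", ownerId: "user_bob", findings: ["margin too narrow"] },
  { id: "scan_3", ownerId: "org_acme", findings: ["font size ok"] },
];

// The owner key comes from the verified session, never from the request body or URL.
function ownerKeyFor(session: Session): string {
  return session.orgId ?? session.userId;
}

// Listing is filtered by owner, so the caller never sees another owner's rows.
function listScans(session: Session, store: Scan[] = SCANS): Scan[] {
  const owner = ownerKeyFor(session);
  return store.filter((s) => s.ownerId === owner);
}

// Lookup by id also requires the owner to match, so a guessed or leaked id for
// someone else's scan resolves to "not found" rather than to the record.
function getScan(session: Session, id: string, store: Scan[] = SCANS): Scan | null {
  const owner = ownerKeyFor(session);
  const scan = store.find((s) => s.id === id && s.ownerId === owner);
  return scan ?? null;
}

// Team billing: only an admin of the session's active organization may act.
// The role names are an assumption for this example.
type OrgMembership = { orgId: string; role: "admin" | "member" };

function canManageBilling(session: Session, membership: OrgMembership | null): boolean {
  if (!session.orgId || !membership) return false;
  return membership.orgId === session.orgId && membership.role === "admin";
}
```

The useful property to check in review is that no code path accepts an owner id supplied by the client: `ownerKeyFor` is the only source, and both the list and the by-id lookup go through it.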
Data protection
- Uploaded drafts are stored in a private bucket via short-lived signed URLs — never public.
- Data is encrypted in transit (TLS) and at rest by our hosting/database providers.
- Default-delete: the uploaded draft and its extracted text are removed when the scan finishes (success or failure); only the findings report is retained. A one-click delete-all removes the rest.
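The default-delete behaviour is the part of this section that is easiest to get subtly wrong, because the cleanup has to happen on the failure path too. The example below (added here; not SolicitFit's code) models a scan job with an in-memory stand-in for the private bucket and database, deletes the draft and extracted text in a `finally` block so that both the success and the failure path remove them, keeps only the findings report, and provides the delete-all. The store, the extractor and the analysis step are assumptions.

```typescript
// Added example (not SolicitFit's code): scan lifecycle with default-delete.
// Storage, extraction and analysis are in-memory stand-ins (assumptions).

type Findings = { scanId: string; status: "ok" | "failed"; notes: string[] };

// Stand-in for the private bucket (drafts) and the database tables.
class Store {
  drafts = new Map<string, Uint8Array>();
  extractedText = new Map<string, string>();
  reports = new Map<string, Findings>();

  // One-click delete-all: everything belonging to the given scans goes away.
  deleteAll(scanIds: string[]): void {
    for (const id of scanIds) {
      this.drafts.delete(id);
      this.extractedText.delete(id);
      this.reports.delete(id);
    }
  }
}

// Stand-in extractor; a real one would parse PDF/DOCX. It throws on an empty
// upload so the failure path can be exercised.
function extractText(bytes: Uint8Array): string {
  if (bytes.length === 0) throw new Error("empty upload");
  return Buffer.from(bytes).toString("utf8");
}

// Placeholder analysis over the extracted text.
function analyze(text: string): string[] {
  return [`extracted ${text.length} characters`];
}

// The draft and its extracted text exist only for the duration of the job.
function runScan(store: Store, scanId: string, upload: Uint8Array): Findings {
  store.drafts.set(scanId, upload);
  let report: Findings = { scanId, status: "failed", notes: [] };
  try {
    const text = extractText(upload);
    store.extractedText.set(scanId, text);
    report = { scanId, status: "ok", notes: analyze(text) };
  } catch (err) {
    report = { scanId, status: "failed", notes: [(err as Error).message] };
  } finally {
    // Default-delete: runs whether the scan succeeded or threw.
    store.drafts.delete(scanId);
    store.extractedText.delete(scanId);
  }
  // Only the findings report is retained after the job.
  store.reports.set(scanId, report);
  return report;
}
```

The check worth automating against a real implementation is the same one the test below performs on the stand-in: after a failed scan, neither the draft nor the extracted text is still present, and a report exists for it.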
AI handling
- All AI runs through a single metered, rate-limited wrapper; long scans run as background jobs, never inline.
- Your content is not used to train any model, and our AI provider does not train on API content.
- Deterministic checks (page count, font, margins, spacing) are parser-measured — the AI never asserts a mechanical "Pass."
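To make the "single metered, rate-limited wrapper" concrete, here is an added example (not SolicitFit's code) of one choke point through which every model call passes: a per-owner token bucket refuses calls over the limit before the model is contacted, and a usage counter is updated only for calls that actually ran. The model client, the limit values and the injected clock are assumptions; the clock is injected so the refill logic can be checked deterministically.

```typescript
// Added example (not SolicitFit's code): a metered, rate-limited wrapper around
// a model client. Limits, the unit of "tokens" and the clock are assumptions.

type Clock = () => number; // current time in milliseconds

type Bucket = { tokens: number; lastRefill: number };

class MeteredAI {
  private buckets = new Map<string, Bucket>();
  private usage = new Map<string, number>();
  private capacity: number;          // burst allowance per owner
  private refillPerSecond: number;   // sustained rate per owner
  private now: Clock;
  private model: (prompt: string) => string;

  constructor(
    capacity: number,
    refillPerSecond: number,
    now: Clock,
    model: (prompt: string) => string,
  ) {
    this.capacity = capacity;
    this.refillPerSecond = refillPerSecond;
    this.now = now;
    this.model = model;
  }

  // Token bucket: refill proportionally to elapsed time, then try to take one.
  private take(owner: string): boolean {
    const t = this.now();
    const b = this.buckets.get(owner) ?? { tokens: this.capacity, lastRefill: t };
    const refill = ((t - b.lastRefill) / 1000) * this.refillPerSecond;
    b.tokens = Math.min(this.capacity, b.tokens + refill);
    b.lastRefill = t;
    const allowed = b.tokens >= 1;
    if (allowed) b.tokens -= 1;
    this.buckets.set(owner, b);
    return allowed;
  }

  // The only entry point to the model. Returns null when the owner is over
  // their limit; the model is not called and no usage is recorded in that case.
  call(owner: string, prompt: string): string | null {
    if (!this.take(owner)) return null;
    const out = this.model(prompt);
    this.usage.set(owner, (this.usage.get(owner) ?? 0) + 1);
    return out;
  }

  usageFor(owner: string): number {
    return this.usage.get(owner) ?? 0;
  }
}
```

Because the limiter and the meter live in the same object, a refused call can never be billed and a billed call can never have bypassed the limit; that invariant is what makes a single wrapper easier to audit than rate limiting sprinkled across call sites.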
Compliance posture
SolicitFit is not authorized for classified, ITAR-controlled, or CUI material. Do not upload such data. Optional US data residency is available to Team customers on request.
Responsible disclosure
Found a vulnerability? Email security@solicitfit.com. We appreciate coordinated disclosure and will respond promptly.
SolicitFit audits your human-written draft for administrative compliance. It does not write proposal content and is not legal advice or a guarantee of acceptance. Don't upload classified / ITAR / CUI material.