Security at BiMA·gov
Last updated: 2026-05-06
For procurement reviewers: download the procurement one-pager (PDF). Want to size the value before procurement? Run the ROI calculator.
Hosting
Hosted on Fly.io. Single region pinned to iad (Ashburn, Virginia, US-East). Application services and persistent storage co-located.
Encryption
Persistent volumes use AES-XTS-256 (LUKS) at the storage layer (Fly default). Application-level hash-chained audit log on top — see Audit log.
Sub-processors
| Provider | Purpose | Data |
|---|---|---|
| Fly.io | Application hosting | Application data, customer model metadata |
| AWS | Encrypted backup storage (Fly volume snapshots) | Backup blobs only |
| Stripe | Billing (post-launch) | Customer billing contact, payment method |
| Anthropic | LLM fallback (Pro tier and above) | Ticket text, redacted DAX |
| Crisp | Support widget | Support chat transcripts |
| Plausible | Analytics | IP (transient, not stored), URL path |
Audit log
Tamper-evident hash chain. Each row's SHA-256 hash covers the previous row's hash, so editing any row invalidates every hash downstream of it. Exports available as JSON, CSV, and PDF — the PDF cover page reports the chain length, the first and last hash, and whether a break was detected.
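The chain described above, as an added example rather than BiMA·gov's own code: each row commits to its predecessor's SHA-256, and the verifier recomputes every link to produce the same summary the PDF cover reports (length, first/last hash, first broken row). The row schema, the all-zero genesis sentinel and the sample events are assumptions made for this illustration.

```python
import hashlib
import json
from copy import deepcopy

# Added illustration of a SHA-256 hash-chained audit log with break detection.
# Row schema (seq / prev_hash / payload / hash), the all-zero genesis sentinel
# and the sample events below are assumptions, not BiMA·gov's real format.
GENESIS = "0" * 64

def row_hash(prev_hash: str, payload: dict) -> str:
    """SHA-256 over the previous row's hash plus a canonical JSON encoding of this row."""
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(f"{prev_hash}\n{canonical}".encode()).hexdigest()

def append(chain: list, payload: dict) -> dict:
    """Append a row whose hash commits to the previous row's hash."""
    prev = chain[-1]["hash"] if chain else GENESIS
    row = {"seq": len(chain), "prev_hash": prev, "payload": payload,
           "hash": row_hash(prev, payload)}
    chain.append(row)
    return row

def verify(chain: list) -> dict:
    """Recompute every link; report length, first/last hash and the first broken row (or None)."""
    summary = {"length": len(chain),
               "first_hash": chain[0]["hash"] if chain else None,
               "last_hash": chain[-1]["hash"] if chain else None,
               "break_at": None}
    prev = GENESIS
    for row in chain:
        if row["prev_hash"] != prev or row_hash(prev, row["payload"]) != row["hash"]:
            summary["break_at"] = row["seq"]  # this row and everything after it is untrusted
            break
        prev = row["hash"]
    return summary

def demo() -> tuple:
    """Constructed sample: a 3-row chain, then row 1 edited without and with re-hashing."""
    chain = []
    for event in ({"actor": "alice", "action": "model.create"},
                  {"actor": "bob", "action": "model.approve"},
                  {"actor": "alice", "action": "model.export"}):
        append(chain, event)
    intact = verify(chain)
    tampered = deepcopy(chain)
    tampered[1]["payload"]["actor"] = "mallory"  # content edited, stored hash left as-is
    edited = verify(tampered)
    tampered[1]["hash"] = row_hash(tampered[1]["prev_hash"], tampered[1]["payload"])  # re-hash row 1 only
    return intact, edited, verify(tampered)
```

Re-hashing the edited row only moves the detected break to the next row, since that row still stores the original predecessor hash; hiding the edit would require rewriting every downstream row.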
Retention
Audit logs: indefinite. Telemetry: 90 days. Customer model snapshots: 30 days (tenant-configurable).
Reporting issues
Email: [email protected]