SourceDeck is built for small and mid-sized GovCon teams. We do not overclaim certifications. We do support the security review, due-diligence, and controlled-rollout requirements those buyers routinely face. This page is the single place we keep that posture honest.
Every claim in a SourceDeck deck links back to a source — the solicitation document, your past-performance library, or a public registration record (SAM, FPDS, USAspending). Outputs without a source are flagged. This is the foundation of our sample deck.
Your opportunities, capture notes, past-performance records, and proposal drafts stay in your workspace. The static client never carries one customer’s data into another tenant’s bundle.
Logged-out users see no workspace data. Logged-in users see only data scoped to their authenticated identity. If ownership cannot be verified, the workspace fails closed and shows blank.
SourceDeck’s stakeholder graph identifies who is in a buying constellation and what role they play. It does not recommend mass outreach to contracting officers, contact during restricted communication windows, or solicitation-restricted pitching. Capture actions respect FAR 3.104 procurement integrity, agency-specific instructions, and solicitation-imposed communication windows.
Storage keys are scoped per (tenant, user). The codebase does not reuse a single global key that could cause one user’s data to surface in another user’s session. This is verified by an automated guardrail in CI.
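As an added illustration of the two client-side controls above (the fail-closed, identity-scoped workspace read and the per-(tenant, user) storage key backed by a CI guardrail), the following JavaScript is example code written for this page, not SourceDeck’s own implementation. The key format `sd:t:<tenant>:u:<user>:<name>`, the in-memory stand-in for `localStorage`, the shape of the session object, and the sample source lines fed to the guardrail are all assumptions constructed for the example.

```javascript
// Example only: per-(tenant, user) storage scoping with fail-closed reads.
// Not SourceDeck's code; key format, storage stub, session shape and the
// sample source below are assumptions made for this illustration.

// Minimal stand-in for window.localStorage so the example runs offline.
class MemoryStorage {
  constructor() { this.map = new Map(); }
  getItem(k) { return this.map.has(k) ? this.map.get(k) : null; }
  setItem(k, v) { this.map.set(k, String(v)); }
  keys() { return [...this.map.keys()]; }
}

const KEY_PREFIX = 'sd';                         // assumed namespace prefix
const KEY_RE = /^sd:t:([^:]+):u:([^:]+):(.+)$/;  // assumed scoped-key layout
const EMPTY_WORKSPACE = Object.freeze({ items: [] });

// Build a storage key that embeds both tenant and user. Throws instead of
// silently falling back to a shared key when either identifier is missing.
function scopedKey(session, name) {
  if (!session || !session.tenantId || !session.userId) {
    throw new Error('refusing to build a storage key without tenant and user');
  }
  const enc = encodeURIComponent;  // keeps the ':' delimiters unambiguous
  return `${KEY_PREFIX}:t:${enc(session.tenantId)}:u:${enc(session.userId)}:${name}`;
}

// Fail-closed read: anything short of a verified session yields the empty
// workspace, as does a record whose embedded owner disagrees with the key.
function readWorkspace(storage, session, name = 'workspace') {
  if (!session || session.verified !== true) return EMPTY_WORKSPACE;
  let key;
  try { key = scopedKey(session, name); } catch { return EMPTY_WORKSPACE; }
  const raw = storage.getItem(key);
  if (raw === null) return EMPTY_WORKSPACE;
  try {
    const rec = JSON.parse(raw);
    if (rec.tenantId !== session.tenantId || rec.userId !== session.userId) {
      return EMPTY_WORKSPACE;
    }
    return rec;
  } catch {
    return EMPTY_WORKSPACE;  // corrupt record: show blank rather than guess
  }
}

// Writes stamp the owner into the record so reads can cross-check it.
function writeWorkspace(storage, session, data, name = 'workspace') {
  if (!session || session.verified !== true) {
    throw new Error('write requires a verified session');
  }
  const rec = { ...data, tenantId: session.tenantId, userId: session.userId };
  storage.setItem(scopedKey(session, name), JSON.stringify(rec));
}

// Guardrail 1 (runtime/CI fixture): every key under our namespace must carry
// both a tenant and a user segment. Returns the offending keys.
function findUnscopedKeys(keys) {
  return keys.filter((k) => k.startsWith(KEY_PREFIX + ':') && !KEY_RE.test(k));
}

// Guardrail 2 (source lint in CI): flag storage calls whose key is a string
// literal instead of a scopedKey(...) call. Returns 1-based line numbers.
const LITERAL_CALL_RE = /(?:localStorage|sessionStorage)\.(?:get|set|remove)Item\(\s*['"`]/;
function findLiteralStorageCalls(source) {
  const hits = [];
  source.split('\n').forEach((line, i) => {
    if (LITERAL_CALL_RE.test(line)) hits.push(i + 1);
  });
  return hits;
}

// Constructed sample source for the lint: line 1 is unscoped, line 2 is fine.
const SAMPLE_SOURCE = [
  "const raw = localStorage.getItem('workspace');",
  "localStorage.setItem(scopedKey(session, 'workspace'), raw);",
].join('\n');

// Walk-through with constructed sessions: alice's data is invisible to bob,
// to an unverified alice, and to a logged-out visitor.
function demo() {
  const storage = new MemoryStorage();
  const alice = { tenantId: 'acme', userId: 'alice', verified: true };
  const bob = { tenantId: 'acme', userId: 'bob', verified: true };
  writeWorkspace(storage, alice, { items: ['opp-1'] });
  return {
    aliceSees: readWorkspace(storage, alice).items.length,
    bobSees: readWorkspace(storage, bob).items.length,
    unverifiedSees: readWorkspace(storage, { ...alice, verified: false }).items.length,
    loggedOutSees: readWorkspace(storage, null).items.length,
    unscoped: findUnscopedKeys([...storage.keys(), 'sd:workspace']),
    lintHits: findLiteralStorageCalls(SAMPLE_SOURCE),
  };
}

console.log(demo());
```

The point of stamping the owner into the record and re-checking it on read is defence in depth: even if a key were ever built wrongly, a record belonging to someone else is still rendered as an empty workspace rather than displayed. The source lint is deliberately blunt (any literal key fails) because the cheap rule is the one a CI step will actually keep enforcing.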
SourceDeck is not SOC 2, FedRAMP, ISO 27001, CMMC, HIPAA, or HITRUST certified. We will not represent ourselves as certified until and unless those certifications are completed and current. We will participate in customer security reviews and document a concrete certification trajectory when a paying customer’s contract requires it.
SourceDeck is not currently approved for storing or processing CUI, FCI that carries CUI markings, or classified data. Solicitation packages routinely contain CUI; do not paste CUI-marked sections into a SourceDeck workspace until a CUI-capable deployment is in place. We will support a CUI-capable deployment path as a customer-driven enterprise commitment.
We do not claim “end-to-end encrypted” or “zero data retention” because those terms have specific technical meanings we have not implemented at the level the federal market expects. Data in transit uses TLS via the hosting provider. Data at rest is stored by the configured backend.
We respond to vendor security questionnaires, customer-supplied DPAs, and procurement reviews. Send the questionnaire to contact sales; we typically return a first response within five business days.
Enterprise scoping includes options for dedicated tenancy, customer-controlled subprocessor list, and SSO (Okta / Azure AD / Google Workspace). On-premises and air-gapped deployments are scoped per customer.
We can review and flow down standard FAR clauses (Section 889, anti-trafficking, equal opportunity, small-business subcontracting reps where applicable) on request. We are not a defense-articles producer; ITAR/EAR posture is “not in scope” pending a customer-driven case.
SourceDeck does not use covered telecommunications equipment or services from Huawei, ZTE, Hytera, Hikvision, Dahua, or their subsidiaries. We can sign the standard Section 889 representation as part of a customer agreement.
The current production subprocessor list is available on request as part of a security review. Core categories: hosting and CDN, AI inference (configurable per workspace, including BYO-key options), email delivery for transactional notifications, error monitoring. We notify customers of material subprocessor changes in advance per a standard DPA.
Production hosting is US-based. We do not currently use offshore subprocessors for the customer-data path. If a deployment requires a specific data-residency posture (US-only, GovCloud-equivalent, EU-only, sovereign), this is part of Enterprise scoping.
We add to this list when something becomes a real customer commitment, not before. We will not announce certifications we are not pursuing.
Email contact sales with your questionnaire or DPA. We respond within one business day for acknowledgement.
If you find a security issue, email contact sales with subject “security disclosure.” We respond within one business day for acknowledgement and within five business days for triage. Please don’t open public GitHub issues for security reports.