Security & data handling

Where your data goes — straight answers.

Before you run a real RFP through Morthn, here’s exactly how your content is handled — including what we do and don’t yet have. If your security team needs more, reach out and we’ll answer directly.

Your content isn’t used to train AI models

Proposals, RFPs, and questionnaire content are processed by Anthropic’s Claude API under its commercial terms, which do not train models on API inputs or outputs. We don’t train any models on your content either.

Tenant isolation

Your vendor profile, answer library, and deals are scoped to your company (by email domain) and are never visible to another company. Access is by per-user login; there are no shared or public workspaces.

Encryption

Data is encrypted in transit (TLS) and at rest in our managed Postgres database. Uploaded documents are parsed to text and not retained as files.

You can delete your data

Library entries and deals are deletable from the product at any time. On request we’ll purge a company’s data entirely.

Passwordless auth

Login is a one-time magic link — no passwords to breach or reuse. Sessions are revocable.

Sub-processors

The services in the path.

Anthropic (Claude)

Generates proposals, questionnaire answers, and qualification. Does not train on your content.

Supabase (Postgres)

Managed database for your profile, library, and deals. Encrypted at rest.

Vercel

Application hosting and delivery.

Being straight with you

What we don’t have yet.

We’re early. We do not yet hold a SOC 2 report or ISO 27001 certification — those are on the roadmap, not done. A Data Processing Agreement (DPA) is available on request. If your procurement process requires a formal certification today, tell us where you stand and we’ll be honest about whether we’re a fit yet or should re-engage once it’s in place.

Talk to us about security

Run a service business instead? See Morthn for service businesses →