MAS Pilot processes government contractor data. We take that seriously.
MAS Pilot is in controlled early access. The statements below describe what is implemented today on the marketing site and Wave 1/2 testing environment, and what is planned for the production platform. We are explicit about the distinction because contractor data deserves that clarity.
maspilot.io is served over HTTPS through Cloudflare with TLS 1.2 or 1.3. HTTP requests are upgraded. HSTS is set for 2 years with includeSubDomains; preload.
Content Security Policy, X-Frame-Options: DENY, X-Content-Type-Options: nosniff, Referrer-Policy, Cross-Origin-Opener-Policy, and a locked-down Permissions-Policy are enforced on every page.
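As an added illustration of how the transport and header policy stated above can be checked (this is example code, not maspilot.io's own tooling; the sample header sets below are constructed, and the two-year threshold is taken from the HSTS statement above):

```python
"""Check an HTTP response header map against the policy described on this page:
HSTS (>= 2 years, includeSubDomains, preload), CSP present, X-Frame-Options DENY,
X-Content-Type-Options nosniff, Referrer-Policy, Cross-Origin-Opener-Policy and
Permissions-Policy present. Added example; header values are constructed samples."""
from typing import Dict, List

TWO_YEARS = 2 * 365 * 24 * 3600  # 63072000 seconds, the common preload-list minimum


def parse_hsts(value: str) -> dict:
    """Parse 'max-age=N; includeSubDomains; preload' into a small dict."""
    out = {"max-age": None, "includeSubDomains": False, "preload": False}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                out["max-age"] = int(val.strip().strip('"'))
            except ValueError:
                out["max-age"] = None  # unparsable max-age is treated as absent
        elif name == "includesubdomains":
            out["includeSubDomains"] = True
        elif name == "preload":
            out["preload"] = True
    return out


def check_headers(headers: Dict[str, str]) -> List[str]:
    """Return policy findings; an empty list means the headers match the policy."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings: List[str] = []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS header missing")
    else:
        p = parse_hsts(hsts)
        if p["max-age"] is None or p["max-age"] < TWO_YEARS:
            findings.append("HSTS max-age below two years")
        if not p["includeSubDomains"]:
            findings.append("HSTS lacks includeSubDomains")
        if not p["preload"]:
            findings.append("HSTS lacks preload")
    if "content-security-policy" not in h:
        findings.append("Content-Security-Policy missing")
    if h.get("x-frame-options", "").strip().upper() != "DENY":
        findings.append("X-Frame-Options is not DENY")
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")
    for name in ("referrer-policy", "cross-origin-opener-policy", "permissions-policy"):
        if name not in h:
            findings.append(f"{name} missing")
    return findings


# Constructed sample that satisfies the policy
GOOD = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Cross-Origin-Opener-Policy": "same-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}
# Constructed sample with a one-day HSTS max-age and SAMEORIGIN framing
WEAK = dict(GOOD, **{"Strict-Transport-Security": "max-age=86400",
                     "X-Frame-Options": "SAMEORIGIN"})

if __name__ == "__main__":
    print("good:", check_headers(GOOD))
    print("weak:", check_headers(WEAK))
```

Feeding it the headers from a real response (for example the dict returned by an HTTP client) turns the bullet list above into something a pipeline can assert on; the check is deliberately strict about `DENY` and `nosniff` because a looser value silently weakens the stated policy.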
The waitlist form collects name, phone, work email, company, and contract-type category. We do not collect federal contract numbers, pricing data, or cardholder information on the marketing site.
Wave 3 waitlist submissions are currently routed to a Google Forms endpoint. Google acts as our processor for these submissions. We are migrating the waitlist to a first-party handler with Cloudflare Turnstile and a signed Data Processing Addendum before any contractor pricing or pre-award data is collected.
Client-side honeypot, time-trap, and per-browser rate limiting are in place on the marketing form to deter automated abuse. These are defense-in-depth measures on top of Google reCAPTCHA.
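The page describes these controls on the client side; the server-side counterpart that a first-party form handler typically enforces is shown below as an added example (not MAS Pilot's code). The field names, secret, thresholds and token format are assumptions, and the submissions in the test are constructed:

```python
"""Server-side honeypot, time-trap and per-client rate limiting for a form handler.
Added example, not MAS Pilot's implementation; every constant below is an assumption."""
import hashlib
import hmac
from collections import defaultdict
from typing import Dict, List, Optional

SECRET = b"constructed-demo-secret"  # assumption: real deployments load and rotate this
HONEYPOT_FIELD = "website"           # assumption: hidden field a human never fills in
MIN_FILL_SECONDS = 3.0               # assumption: submitting faster than this is treated as automated
MAX_FILL_SECONDS = 24 * 3600.0       # assumption: tokens older than a day are stale
RATE_LIMIT = 5                       # assumption: submissions allowed per client per window
RATE_WINDOW = 600.0                  # assumption: window length in seconds


def issue_form_token(now: float) -> str:
    """Embed the render time in an HMAC-signed token so the client cannot forge it."""
    ts = str(int(now))
    sig = hmac.new(SECRET, ts.encode(), hashlib.sha256).hexdigest()
    return f"{ts}.{sig}"


def verify_form_token(token: str) -> Optional[int]:
    """Return the issue timestamp if the signature verifies, else None."""
    ts, _, sig = token.partition(".")
    if not ts.isdigit():
        return None
    expected = hmac.new(SECRET, ts.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None
    return int(ts)


class RateLimiter:
    """Sliding-window counter keyed by a client identifier (IP, cookie hash, ...)."""

    def __init__(self) -> None:
        self.hits: Dict[str, List[float]] = defaultdict(list)

    def allow(self, client: str, now: float) -> bool:
        recent = [t for t in self.hits[client] if now - t < RATE_WINDOW]
        if len(recent) >= RATE_LIMIT:
            self.hits[client] = recent
            return False
        recent.append(now)
        self.hits[client] = recent
        return True


def evaluate_submission(form: Dict[str, str], client: str, now: float,
                        limiter: RateLimiter) -> str:
    """Return 'accept' or 'reject:<reason>' for one form submission."""
    if form.get(HONEYPOT_FIELD, "").strip():
        return "reject:honeypot"          # a hidden field was filled in
    issued = verify_form_token(form.get("form_token", ""))
    if issued is None:
        return "reject:bad_token"         # missing or forged time-trap token
    elapsed = now - issued
    if elapsed < MIN_FILL_SECONDS:
        return "reject:too_fast"          # form submitted faster than a person could fill it
    if elapsed > MAX_FILL_SECONDS:
        return "reject:stale_token"
    if not limiter.allow(client, now):
        return "reject:rate_limited"
    return "accept"


if __name__ == "__main__":
    limiter = RateLimiter()
    t0 = 1_700_000_000.0
    token = issue_form_token(t0)
    print(evaluate_submission({"form_token": token, "name": "Pat"}, "client-a", t0 + 12, limiter))
    print(evaluate_submission({"form_token": token, "website": "x"}, "client-a", t0 + 12, limiter))
```

The signed timestamp only proves the form was rendered at least `MIN_FILL_SECONDS` ago; it is not a one-time nonce, so a handler that must stop replays keeps a short-lived store of used tokens as well. Rate limiting keyed purely on IP is weak behind shared egress, which is one reason the page layers these controls rather than relying on any single one.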
All stored account data and validation results will be encrypted at rest using provider-managed keys. Transactional pricing data uploaded for validation is designed to be processed in-memory and not persisted beyond the validation session.
Role-based access, MFA for administrative roles, and application-level audit logs for contractor-impacting actions. Independent attestation (SOC 2 Type II) is on the roadmap prior to general availability.
Annual third-party penetration testing and a SOC 2 readiness assessment are planned before production launch. Customers evaluating an enterprise pilot can request the current status under NDA.
If you've found a security issue in anything maspilot.io serves, please report it responsibly before public disclosure. We aim to acknowledge within 3 business days. Safe-harbor: good-faith research — no data destruction, no social engineering, no DoS, no targeting of individual users — will not be pursued legally.
PGP / signed reports: available on request. A machine-readable disclosure policy is published at /.well-known/security.txt.
info@maspilot.io

MAS Pilot's outputs — validation findings, IFF calculations, SRP exports, FAR/GSAM clause analyses, compliance scores — are analytical software outputs, not legal advice. Contractors remain solely responsible for submission accuracy, certifications under FAR 8.404(d), and all GSAM and FAR compliance. Consult qualified counsel before relying on any output for a contractual or regulatory submission.