All web traffic uses modern HTTPS (TLS 1.3) end to end. Databases are encrypted on the disks they live on. Backups are encrypted. We do not write personally identifiable information into log files.
Procurement readiness — answers, not a sales call.
ClearPath is a multi-tenant SaaS platform built for civic procurement. This page maps directly to the SIG-Lite / HECVAT questionnaire your team will run — security posture, privacy, audit logging, AI governance, contract terms.
How we protect your data.
We take encrypted backups every night and keep them on a rolling 30-day schedule. If something goes wrong, we can restore the database to any point in time within the past week.
Sign-in is handled by a dedicated identity service. Multi-factor authentication is required for everyone with admin access. If your county prefers to sign in through your own identity provider, that is supported.
Five failed sign-in attempts in a row lock the account for 15 minutes. Every attempt is logged.
Permissions are hierarchical (platform team · county administrator · county staff · resident). What each role can see and do is enforced on our servers, not in the browser, so the rules cannot be bypassed by a clever user.
The platform is hosted in U.S. data centers today. Multi-region hosting is available as an enterprise option. We use rate limiting at every layer of the platform and a dedicated provider for protection against denial-of-service attacks. Application and database servers are on private networks; only the web edge is reachable from the public internet.
We follow industry-standard secure-coding practices to protect against common web vulnerabilities. Our software dependencies are monitored continuously for newly disclosed vulnerabilities, and anything critical is patched on a 30-day cycle.
What we collect, and what we never do.
Residents can use the lookup tool without an account or any sign-up. Residents who do create a free account provide only their email and home ZIP. We never ask for Social Security numbers, dates of birth, income, demographics, or household details.
We use this information to answer the resident's question and to give your team aggregated, anonymized signal about what your residents are searching for. We do not sell resident data. We do not use it for advertising. We do not use it to train outside AI models. We do not share individual search histories with anyone.
Any aggregated number we publish — including on our public dashboard — only counts groups of at least 50 residents per ZIP. Smaller groups are not reported, so no individual can be identified.
Every search, every rule, every report belongs to a single county and stays there. Other counties cannot see your data. Cross-county comparisons (when you ask for them) are anonymized and aggregated before they leave your tenant.
First-party analytics only — no advertising trackers, no remarketing, no third-party ad networks. The analytics tools we use honor browser privacy signals (Do Not Track and Global Privacy Control). Every tracker we use is disclosed on our public Privacy page.
Standards we align with.
Our practices are aligned with SOC 2 trust principles, the NIST Cybersecurity Framework, and the CIS Top 18 controls. We have not yet completed a formal SOC 2 audit; we plan to do so after the first paid pilot.
Resident-facing pages meet WCAG 2.1 AA accessibility standards. We test every page that residents interact with.
We follow California (CCPA), Virginia (VCDPA), and Illinois (BIPA) privacy principles. Residents can export or delete their account data on request. HIPAA does not apply (we do not handle protected health information). FERPA does not apply (we do not handle student records). For Minnesota counties, your tenant data is owned by you and handled per your existing data-practices workflow.
Every administrative action — publishing a rule, adding a facility, approving a recommendation — is recorded. The log captures who did it, when, from where, and what changed. Logs are kept indefinitely unless your county prefers a different retention period.
How we use AI, and how we govern it.
Every resident's question goes through our rule engine first. AI is only used as a backup when the rule engine cannot confidently answer. If the AI is also uncertain, we tell the resident we do not have an answer rather than guess.
Each county has a daily limit on how much AI usage is allowed. Once the limit is reached, AI features pause and the rule engine takes over for the rest of the day. We monitor this so that costs cannot run away.
We keep an audit trail of every AI request — which model was used, how confident the answer was, what the outcome was, how much it cost. Your team can review this trail anytime.
When AI helps draft a new rule, a new alias, a facility entry, a take-back program, or a citation, a member of your team reviews it before residents see it. AI never publishes anything by itself.
When a resident uploads a photo of an item, AI identifies what the object is. That identification then goes through the same rule engine as a typed search. The resident never sees the AI's raw output — only the verified disposal answer.
How we keep the platform healthy.
Every code change is reviewed before it ships. A regression test suite runs against every deploy. If any of the tests fail, the deploy stops automatically.
We watch the platform around the clock for anomalies, errors, and abuse. If something goes wrong, your operator contact is notified. Daily checks make sure every cited link in the catalog still works.
We limit how often any single user, browser, or county admin can make requests. This protects you from someone trying to overwhelm the system or scrape it.
We test our backup restore process every quarter. If a catastrophic failure were to happen, we know how long it would take to bring the platform back and where data would be restored to.
What an agreement with us looks like.
Contracts are annual. We do not require multi-year commitments during your pilot or first year. You can give us 90 days' notice and end the agreement at any time. Our master services agreement uses standard civic-tech terms; we are happy to redline.
Pilot pricing is $30,000–$50,000 per year. Mature contracts are $50,000–$100,000 per year for a county the size of Hennepin. No per-call fees. No charges for adding new rules. Full pricing breakdown is on our public pricing page.
Every rule, facility, program, and intelligence report belongs to your county. You can export everything to CSV or PDF at any time. If you end the contract, we deliver your full export within 10 business days and permanently delete your data 90 days later.
Everything we deliver to you is in an open format — CSV files, PDF reports, plain text. When you leave (whenever that may be), you leave with everything you put in, plus everything the platform generated for you. Nothing is held hostage in our system.
What ClearPath will not do.
- Residents are never the customer — they never pay, never see ads, never get marketed to.
- We never sell resident data, share individual search histories, or use resident data for commercial profiling.
- AI never publishes anything residents see. A real person reviews every AI suggestion.
- One county can never see another county's data without an explicit, audited request.
- We never require multi-year contracts during your pilot or first year.
- Your data is never held in proprietary formats — every category is CSV-exportable.
Send us your SIG-Lite, HECVAT, or county-custom form.
We pre-populate vendor questionnaires from our own procurement-readiness doc. This reduces your review cycle by days, not hours.