Skip to main content
Security & Data Handling

Security Overview

How LazyQS protects your data and handles tender documents.

Back to Home

What data is uploaded

LazyQS processes the tender and contract documents you upload, along with your account information (name, email, trade, and organisation details). Files are used only to deliver your review outputs.

How data is processed

  • Uploads use secure HTTPS and short-lived signed URLs.
  • Documents are stored in private cloud storage (DigitalOcean Spaces and, for OCR workflows, Google Cloud Storage) with no public access.
  • Background workers run OCR and analysis to generate findings, risk registers, and exports.
  • OCR workflows may use Google Cloud Vision with temporary Google Cloud Storage buckets when enabled.
  • Processing services access files only when needed to deliver your review outputs.

Core security controls

  • TLS everywhere for traffic in transit.
  • Organisation scoping and role-based access on every request.
  • Strict request validation and rate limiting for auth, uploads, and email actions.
  • Short-lived signed URLs for uploads and downloads; storage keys are never exposed to the browser.
  • Operational logs focus on metadata and security events, not document content.

Upload safety

  • Allowed types only (PDF, DOC/DOCX, XLS/XLSX, PPT/PPTX, CSV) with a 75MB per-file limit enforced server-side.
  • Malware scanning before indexing where possible, with quarantine on failures.

Data retention and deletion

We retain data while your account is active to provide the service. When you delete your account, we delete or anonymize your data within 30 days unless legal or compliance obligations require longer retention.

Subprocessors

We use trusted service providers to run LazyQS. Current subprocessors include:

  • OpenAI (document analysis)
  • DigitalOcean (storage and infrastructure)
  • Google Cloud (Vision OCR and storage for OCR workflows)
  • Stripe (billing and payments)
  • Resend (transactional email)

Authentication

Accounts use email and password authentication. Any additional sign-in methods are only offered when configured and visible on the sign-in screen.

Contact

For security or data handling questions, contact us at [email protected].

Ready to simplify your tender & contract reviews?

Join subcontractors, QSs and construction teams across the UK who are saving hours on every review.

Get Started