Should your RFP answers go to OpenAI? What "AI-powered" really costs you
"AI-powered" has become table stakes for bid-response software. What the phrase almost never says out loud is where the AI runs. For most tools, the answer is: your confidential proposal text is sent to a large US model provider to be processed. Before you paste your next tender into one, it is worth knowing exactly what that means — legally and commercially.
What actually happens when you hit "draft with AI"
Your text leaves your device, travels to the software vendor, and is then forwarded to a model API — OpenAI, Anthropic, Google or similar. Somewhere in that chain your words are held long enough to be processed, and depending on the terms, potentially longer. Even where a provider offers zero-retention and no-training options, whether your specific vendor has enabled them, for your specific data, is a question you have to actively verify — not assume.
Three legal edges that catch bid data specifically
GDPR and international transfers
If your bid content contains personal data — named referees, team CVs, customer contacts — sending it to a US processor is a restricted transfer under the GDPR. Since Schrems II, that requires a valid transfer mechanism and, often, a transfer impact assessment. Your AI vendor becomes a sub-processor you must disclose. None of this is impossible; it is just real paperwork and real liability that "we use AI" quietly signed you up for.
The US CLOUD Act
Data held by a US-headquartered provider can be subject to lawful-access requests under US law, regardless of where the servers physically sit. For European public-sector and regulated bids, that reachability is itself the concern — which is why "EU data residency" alone does not always satisfy a sovereignty requirement.
Your own NDAs
Here is the sharp one. Many tenders — especially the security questionnaires inside them — arrive under an NDA that restricts disclosure to third parties. Feeding that content to an external AI provider to help you answer can itself be the disclosure the NDA prohibits. You can breach the confidentiality obligation in the very act of responding to the document that imposed it.
The questions to put to any "AI-powered" bid vendor
- Does our content leave our environment to use your AI? If so, to whom?
- Is it retained or used for training — and can you evidence that in writing?
- Which countries process it, and under which legal jurisdiction?
- Will you sign as a named sub-processor, with a DPA and transfer safeguards?
- Can we run the whole thing without any data leaving our infrastructure?
A vendor who answers these crisply is one you can work with. A vendor who gets vague about the data path is telling you something.
The alternative that sidesteps all of it
Every one of those edges — the transfer, the CLOUD Act reach, the NDA conflict — exists only because the data leaves your control to reach the model. Run the model on your own hardware and they simply do not arise. There is no transfer to assess, no sub-processor to disclose, no third party to breach an NDA to. The compliance answer becomes the short, true sentence risk teams actually want: nothing left the building.
That is the whole design premise of RFPlex. The AI that reads your RFP and drafts your answers runs locally, on infrastructure you control. It is not that we bolted on a privacy mode — it is that "your data does not leave" is the point, and everything else is built around it.