Current security posture
BidFury is in a private pilot. The current product surface supports read-only Amazon Ads monitoring, shadow recommendations, and offline-safe simulations. Live advertising writes are disabled while the authorization, guardrail, and verification layers are completed and reviewed.
Core controls
Invite-only identity
There is no public BidFury registration path. Access depends on an active invitation and organization membership.
Strong operator authentication
The production design uses verified email sessions and requires TOTP two-factor authentication for privileged roles.
Private service network
Database, workflow, object storage, and Amazon worker services are not intended to be directly reachable from the public internet.
Encrypted credentials
Amazon refresh credentials are stored as versioned authenticated ciphertext and are isolated from the public web surface.
Separated authority
Reasoning, policy, workflow, and Amazon access run across explicit boundaries. The AI layer cannot contact Amazon directly.
Durable audit evidence
Recommendations, policy decisions, approvals, execution attempts, and verification results are represented as distinct records.
What we do not claim
DreamHire does not currently claim a third-party security certification for BidFury. This page describes architectural intent and implemented pilot boundaries, not an independent audit or a guarantee that incidents cannot occur.
Reporting a concern
Pilot operators should report suspected credential exposure, unauthorized access, or unexpected Amazon activity immediately through their established DreamHire contact. Do not include passwords, Amazon tokens, recovery codes, or other secrets in a report.
