Document 3 of 6 - For Agencies
Common RFP Questions with CodeBlu's Answers
A reference set of the questions agencies typically put to AI-assisted training vendors, each paired with the answer CodeBlu would give to a formal RFP.
How to use this document
This document serves two audiences. For an agency writing an RFP or a vendor questionnaire, the 28 questions below are a ready-made question bank covering company background, pedagogy, technology, security, compliance, administration, pricing, and implementation. They are written to apply to any AI-assisted training vendor, not only CodeBlu.
For an agency evaluating CodeBlu specifically, each question is followed by the answer CodeBlu would provide. The answers are written to the standard a procurement officer should expect: factual, specific, and candid about what CodeBlu does not yet do. Where an answer depends on something the agency must confirm or that CodeBlu has not yet finalized, the answer says so. An evaluator should treat any vendor answer, including these, as a representation to be verified and, where it matters, written into the contract.
CodeBlu is operated by Yunto Group LLC, doing business as CodeBlu, a Colorado company.
Section A: Company and product
Q1. Describe your company, its ownership, and how long it has operated.
CodeBlu is a training product operated by Yunto Group LLC, doing business as CodeBlu, based in Colorado. CodeBlu is an early-stage product. It is honest for an agency to treat CodeBlu as a new vendor: it does not have a multi-year operating history or a large installed base. CodeBlu's position is that newness is a reason for a structured pilot and sensible contract protections, not a disqualification, and that the agency should expect a shorter initial term, a written data-export-on-exit commitment, and retained copies of compliance records as standard protections. An agency that requires a vendor with a long public-sector track record should weigh that requirement directly; CodeBlu would rather state its stage plainly than have an agency discover it later.
Q2. What does the product do, in one paragraph a non-technical reader can follow?
CodeBlu is voice-based de-escalation and crisis-intervention practice. An officer signs in through a web browser and holds a spoken conversation with an AI agent that plays a person in crisis: a domestic disturbance, a mental-health call, an intoxicated and agitated subject, and similar scenarios. The conversation is unscripted on the officer's side; the officer talks the way they would on a call. When the conversation ends, CodeBlu produces an after-action review: a transcript, scores across four dimensions, specific strengths and areas to improve, and suggested alternative phrasings. Over time, an officer accumulates training hours, and the agency can issue completion certificates and produce per-year training-hour summaries.
Q3. Who is the product designed for, and who is it not designed for?
CodeBlu is designed for sworn law enforcement officers and for the trainers and administrators who manage their training. It is built for verbal de-escalation and crisis-contact practice. It is not designed to train perishable physical skills such as firearms, arrest control, or emergency vehicle operation; it does not deliver agency-specific tactical instruction such as room entry or formations; and it does not teach use-of-force decision-making as a distinct discipline. CodeBlu scenarios are designed to resolve before the use of force becomes the question. An agency should view CodeBlu as one component of a training program, alongside live instruction and scenario training, not as a replacement for any of them.
Q4. What is your product roadmap, and what is not built yet?
CodeBlu's current product delivers the voice scenarios, after-action review, certificates, training-hour tracking, and an administrator dashboard. Items CodeBlu describes as planned but not yet delivered include a SOC 2 attestation, billing automation, broader multi-agency tooling, retrieval of agency-uploaded documents into scenarios, and CJIS alignment. CodeBlu's position is that an agency should buy what exists today and treat roadmap items as future possibilities, not as commitments to rely on. If a roadmap item is material to the agency's decision, the agency should ask for a target date in writing and treat slippage as expected for an early-stage product.
Section B: Pedagogy and methodology
Q5. What is your instructional model, and why is it appropriate for de-escalation?
De-escalation is a skill, and skills are built through realistic practice with feedback and repetition, not through passive content. CodeBlu's instructional model is practice-with-feedback: the officer performs a realistic verbal encounter, then receives a structured after-action review and can repeat the scenario or attempt a harder one. Voice practice is well suited to this skill because a real encounter does not announce which technique applies; the officer must read behavior, choose words, manage tempo, and decide what to do next, all at once and in real time. A written test cannot exercise that. CodeBlu's scenarios are calibrated using its Thought, Emotion, Behavior framework, which sets the simulated subject's emotional intensity and level of cooperation so that scenarios range in difficulty and type.
Q6. What recognized frameworks or research does your content draw on?
CodeBlu describes its methodology as a synthesis of several established public bodies of work in the de-escalation and crisis-intervention field: behavioral-science research on human performance and decision-making under stress; the crisis-intervention-team model and its variants for behavioral-health calls; nationally recognized de-escalation and tactical decision-making programs developed by major police-research organizations; and state-level crisis-response and crisis-intervention training programs. CodeBlu's contribution is the synthesis and the instructional design: integrating these into scenarios and rubrics an officer can practice against. The detailed list of source bodies of work CodeBlu draws on is shared with serious agency evaluators under NDA on request to privacy@codeblu.co; CodeBlu is candid that its internal source attributions are still being verified against the primary materials and should be confirmed before an agency relies on them in detail.
Q7. Are you partnered with, certified by, or endorsed by any of the organizations whose work you cite?
No. CodeBlu claims no partnership, certification, accreditation, or endorsement from any of the organizations whose work appears in the methodology bodies of work cited in Q6, or any other organization. References to those organizations' work are citations of public material, not affiliations. CodeBlu considers it important to state this plainly, because a vendor that blurs the line between citing respected work and being endorsed by its authors is misrepresenting itself. If any agency sees CodeBlu material that implies an endorsement, the agency should treat that as an error to be corrected and should ask CodeBlu for a written confirmation of non-affiliation.
Q8. What evidence do you have that your product improves officer performance?
CodeBlu is a new product and does not yet have independent, product-specific outcome research. CodeBlu will not borrow the outcome data of an unrelated curriculum and present it as evidence about CodeBlu. What CodeBlu can point to is the broader research direction: rigorous published evaluations of structured de-escalation training have reported statistically significant reductions in use-of-force incidents and in injuries. The detailed bibliography of those evaluations is available on request to privacy@codeblu.co. That research is about the value of de-escalation training generally, not about CodeBlu. CodeBlu's honest position is that an agency should run a pilot with its own success metrics, described in the companion implementation guide, and judge CodeBlu on its own results.
Q9. How is AI-generated content, including feedback and scenario dialogue, controlled and reviewed?
CodeBlu uses generative AI in two places: the voice agent that plays the crisis subject, and the model that produces the after-action review. Both can, in principle, produce output that is plausible but wrong or tonally off. CodeBlu's controls are: scenarios are pre-defined and calibrated rather than generated freely; the after-action review is produced against a fixed scoring rubric; and CodeBlu treats its rubric and prompts as living documents revised as practitioner feedback accumulates. CodeBlu is explicit that its AI-generated after-action feedback is a training aid that supports, and does not replace, evaluation by a qualified human instructor. An agency should review sample scenario dialogue and sample after-action reviews directly during evaluation and should keep an instructor in the loop on scoring.
Q10. Can scenarios be customized to our agency's policies?
CodeBlu's built-in scenario library is the primary, supported training path today. CodeBlu's roadmap includes customization, including the ability to load an agency's own policies and statutes so that future scenarios can reflect them. As built today, an agency should plan to use the built-in scenarios and should not contract on the expectation of deep customization. If policy-specific customization is essential to the agency's decision, CodeBlu would tell the agency that the feature is not ready and should not drive the purchase.
Section C: Technology and reliability
Q11. What is the technical architecture, and what third parties does it depend on?
CodeBlu is a modern web application running on a managed application-hosting platform. It uses a managed PostgreSQL platform for its database, authentication, and storage. The voice conversations are delivered by a third-party conversational voice AI provider. After-action reviews are generated using a third-party large language model provider. Transactional email, where enabled, uses a managed transactional email provider, and the sign-in flow is protected by a managed bot-protection mechanism. A single training session therefore touches the application host, the database platform, and the voice provider, and the after-action review additionally uses the AI model provider. An agency's security and reliability review should treat CodeBlu plus those subprocessors as the unit being evaluated. The full, current named subprocessor list, with each subprocessor's function and DPA URL, is provided on request to privacy@codeblu.co under NDA and is attached to the agency contract.
Q12. What happens when one of those third-party services is unavailable?
This is a real dependency, and CodeBlu will not claim otherwise. If the voice provider is unavailable, voice scenarios cannot run for the duration of that outage. If the AI model provider is unavailable, after-action reviews are delayed until service is restored, though the session and transcript are still captured. If the hosting or database platform has an outage, the application is affected. CodeBlu mitigates this by using established managed providers rather than self-hosting, but it cannot eliminate the dependency. CodeBlu does not yet publish an uptime history. An agency should ask for a service-level commitment and should plan training schedules with the understanding that an occasional outage is possible, the same as with any cloud-delivered training tool.
Q13. What are the technical requirements on our side: bandwidth, hardware, browsers?
CodeBlu runs in a standard modern web browser and requires a working microphone and speakers or a headset for the voice scenarios. Because the scenarios are real-time voice conversations, a stable internet connection materially affects training quality; a poor connection produces audio dropouts and latency that degrade the experience. CodeBlu does not require the agency to install or maintain software or servers. The most reliable way for an agency to confirm fit is the one CodeBlu recommends: a live demonstration on the agency's own equipment and network, including the rooms or devices officers will actually use, rather than on a vendor's connection.
Q14. How does the product perform with multiple officers training at once?
CodeBlu is a multi-tenant cloud application designed for multiple concurrent users, and each officer's session is independent. The practical constraint at an agency is usually local: the agency's available bandwidth and the number of suitable rooms or devices for voice training, since officers need a reasonably quiet space. CodeBlu recommends that during a pilot the agency test the realistic concurrent load it expects, for example a full shift training in the same building, so that any local bandwidth limits are found before full rollout rather than during it.
Section D: Security and privacy
Q15. Where is our data stored, and in what country?
CodeBlu states that platform data is stored in United States infrastructure, in the managed Postgres database described in Q11. CodeBlu will confirm the specific hosting region and provide a data-residency commitment as a contract term. An agency with a strict data-residency requirement, for example a contractual obligation that data never leave the United States, should make that requirement explicit in the RFP so CodeBlu can confirm it against every subprocessor, not only the primary database. CodeBlu's primary data storage is United States based. The data-residency position of each subprocessor is documented in its Data Processing Agreement; see Q17 for the subprocessor category list and request the named list with DPA URLs from privacy@codeblu.co.
Q16. How is our data segregated from other agencies' data?
CodeBlu is multi-tenant: multiple agencies share the same database. Segregation is enforced in software through row-level security policies in the database. An officer can read only their own training records; a trainer or administrator can read records only for officers within their own agency; and no agency can read another agency's data. System-level operations run under a separate privileged credential. This is a sound and standard pattern. Its dependency is correct policy coverage on every table, so an agency should ask whether CodeBlu verifies row-level-security coverage with an automated test and whether any independent party has reviewed it.
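The automated coverage test this answer tells an agency to ask about could look like the following. This is an added example, not CodeBlu's own code. It uses only standard PostgreSQL system catalogs and assumes the tenant tables live in the public schema, which the page does not state.

```sql
-- Added example: row-level-security (RLS) coverage checks for PostgreSQL.
-- Assumption: tenant data lives in the "public" schema; change the schema
-- name to match the real deployment.

-- Check 1 (fails the run): every table must have RLS enabled AND at least
-- one policy. A table with RLS disabled is readable by any role that has
-- been granted SELECT on it, regardless of agency.
DO $$
DECLARE
    uncovered text;
BEGIN
    SELECT string_agg(t.qualified_name, ', ' ORDER BY t.qualified_name)
      INTO uncovered
      FROM (
        SELECT format('%I.%I', n.nspname, c.relname) AS qualified_name
          FROM pg_class c
          JOIN pg_namespace n ON n.oid = c.relnamespace
         WHERE c.relkind IN ('r', 'p')          -- ordinary and partitioned tables
           AND n.nspname = 'public'
           AND (NOT c.relrowsecurity
                OR NOT EXISTS (SELECT 1
                                 FROM pg_policy p
                                WHERE p.polrelid = c.oid))
      ) AS t;

    IF uncovered IS NOT NULL THEN
        RAISE EXCEPTION 'tables without row-level-security coverage: %', uncovered;
    END IF;
END
$$;

-- Check 2 (expect zero rows, review any hit): policies whose expression is
-- the constant true. Such a policy satisfies Check 1 but filters nothing.
SELECT schemaname, tablename, policyname, cmd, roles, qual, with_check
  FROM pg_policies
 WHERE schemaname = 'public'
   AND (qual = 'true' OR with_check = 'true')
 ORDER BY tablename, policyname;

-- Check 3 (review the list): roles that are never subject to RLS. The
-- separate privileged credential used for system-level operations should
-- appear here; an application or end-user role should not.
SELECT rolname, rolsuper, rolbypassrls
  FROM pg_roles
 WHERE rolsuper OR rolbypassrls
 ORDER BY rolname;

-- Check 4 (review the list): tables where RLS is enabled but not forced.
-- The table owner bypasses policies on these tables, so the owner role
-- should not be the role the application connects as.
SELECT n.nspname AS schema_name, c.relname AS table_name
  FROM pg_class c
  JOIN pg_namespace n ON n.oid = c.relnamespace
 WHERE c.relkind IN ('r', 'p')
   AND n.nspname = 'public'
   AND c.relrowsecurity
   AND NOT c.relforcerowsecurity
 ORDER BY 1, 2;
```

These catalog checks confirm that policies exist on every table; they do not prove that each policy expression isolates agencies correctly, which is what the independent review mentioned above would cover.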
Q17. Are session transcripts or recordings sent to any third-party AI service, and can that service retain or train on them?
Yes, transcripts are sent to third parties, and CodeBlu will not understate that: an officer's spoken performance in a sensitive scenario becomes a transcript that is processed by external providers. The voice conversation runs through a third-party conversational voice AI provider, and the conversation transcript is sent to a third-party large language model provider to generate the after-action review.
CodeBlu operates under publicly available, comprehensive Data Processing Agreements (DPAs) with all third-party subprocessors. Each DPA includes Standard Contractual Clauses for international data transfers, security incident notification commitments, sub-processor notification requirements, and customer audit rights.
The named subprocessor list, the function each subprocessor performs, and the verified DPA URL for each are provided to evaluating agencies under NDA on request to privacy@codeblu.co, and are attached to the agency contract. The categories of subprocessor are:
- A large language model provider (after-action review generation).
- A conversational voice AI provider (voice training scenarios).
- A managed PostgreSQL platform (data hosting, authentication, and storage).
- A managed application-hosting platform (application hosting).
- A managed transactional email provider (transactional email, where enabled).
- A managed CDN and bot-protection provider (CDN, DNS, sign-in protection).
- A managed productivity suite (CodeBlu's internal business email).
For every subprocessor except the database platform, whose DPA CodeBlu executes directly, the DPA is automatically incorporated into CodeBlu's commercial agreement with the vendor; no separate execution is required. Copies of all DPAs are available in CodeBlu's compliance documentation package, provided to enterprise customers under standard NDA.
On the specific retention and model-training question:
- Officer-AI voice conversations are processed by the voice provider, whose DPA prohibits use beyond service provision, including no AI training on customer audio.
- After-action review generation from transcripts is performed by the LLM provider, whose commercial terms explicitly prohibit training on customer API inputs.
- All other data (officer profiles, scoring, certificates) is held on the managed database platform's United States infrastructure with row-level security.
Customer audit rights: a SOC 2 Type II report is available from the database platform under NDA, and that platform additionally maintains ISO 27001 and HIPAA certifications. CodeBlu is confirming current SOC 2 Type II availability for the LLM and voice subprocessors and will provide those reports where available. Customer-conducted audits are supported per the applicable DPA terms.
Q18. How is data encrypted and protected?
CodeBlu's stated controls are encryption in transit, provider-side encryption at rest, access controls, and the row-level security described in Q16. Authentication uses an email magic-link, and CodeBlu does not store user passwords, which removes the password database as a breach target. CodeBlu's own privacy draft notes that all security representations should be confirmed before they are published, because overstated security claims create liability. CodeBlu's honest framing: an agency should treat these as the vendor's representations, require them as contract commitments, and not assume an audited result, because CodeBlu does not yet hold a third-party security attestation. See Q19.
Q19. Do you hold a SOC 2 attestation or any other independent security audit?
No. CodeBlu does not currently hold a SOC 2 attestation or an equivalent independent security audit. CodeBlu describes a SOC 2 path as a roadmap item. CodeBlu will not imply otherwise or point to a partial or in-progress status as if it were a completed attestation. An agency that requires a current SOC 2 report as a condition of purchase should know that CodeBlu cannot meet that condition today. An agency that can proceed without one should compensate by doing its own diligence using this question set and the companion security document, and by writing CodeBlu's security commitments directly into the contract. If a SOC 2 timeline matters, the agency should obtain CodeBlu's target date in writing.
Q20. What is your data breach notification commitment?
CodeBlu will commit, as a contract term, to notify the agency in the event of a confirmed breach affecting the agency's data, within a defined timeframe, and to provide the information the agency needs to meet its own notification obligations. CodeBlu's privacy documentation is still in legal review, and the precise breach-notification language is among the items being finalized. An agency should not accept silence on this point from any vendor.
Q21. What are the CJIS implications of using your product?
The FBI's Criminal Justice Information Services Security Policy governs systems that store, process, or transmit Criminal Justice Information (FBI CJIS Security Policy Resource Center). CodeBlu describes CJIS alignment as planned, not implemented. CodeBlu is a training product, and its built-in scenarios are fictional. CodeBlu's recommended posture is that the agency instruct officers, in writing, not to enter real case data, real subject information, or other Criminal Justice Information into the system, so that CodeBlu holds only training records and fictional-scenario content. Whether the agency's intended use triggers CJIS scope is a determination only the agency's CJIS Systems Officer can make. If the agency requires a CJIS-compliant system for its intended use, CodeBlu in its current state is not that system.
Q22. How long is data retained, and can we control it?
By default, training session data, transcripts, and after-action review results are retained for 90 days. An agency administrator can configure a longer retention period. Account records and issued certificates are retained for the duration of the agency relationship. CodeBlu flags an important point for the agency: a 90-day default may be shorter than the agency's own records-retention obligations for training records used toward a state requirement. CodeBlu will also commit to a data-export-on-exit and a data-deletion-on-termination process as contract terms.
Section E: Compliance and records
Q23. What training records does the product produce, and in what formats?
CodeBlu produces, per officer: a record of each training activity with the time credited; session transcripts and after-action review results; completion certificates carrying a verification code that can be checked against CodeBlu's records; milestone certificates at cumulative-hour thresholds; and per-year training-hour summaries broken down by topic. Training-hour summaries can be exported in a comma-separated format suitable for an agency to incorporate into its own reporting. CodeBlu will provide sample certificates and a sample export during evaluation so the agency can confirm the records fit its recordkeeping workflow before contracting.
Q24. Does your product grant or guarantee state training credit?
No. CodeBlu does not and cannot grant state training credit, and it does not guarantee credit hours. CodeBlu's position, stated plainly: a training vendor cannot grant credit. Credit eligibility is determined by the state regulator and, in many states including Colorado, rests with the agency's chief executive. CodeBlu provides the training and the records; the chief executive decides what counts. CodeBlu is designed to support continuing-education and in-service requirements in topic areas such as de-escalation, crisis intervention, and verbal communication, and produces records an agency can submit through its existing reporting channels. Any CodeBlu material that an agency reads as claiming state approval or guaranteed credit is an error the agency should ask CodeBlu to correct.
Q25. How do your records support an audit of our training compliance?
Each completion certificate carries a unique verification code, and certificates are generated from an immutable snapshot of the underlying data at the time of issue, so a certificate can be checked and is not silently altered later. The per-year, per-topic hour summaries give an agency a defensible accounting of what each officer trained on and for how long. CodeBlu also applies basic anti-gaming controls, including a daily cap on credited training time, so that recorded hours reflect genuine practice. CodeBlu's recommended posture is that the agency retain its own exported copies of these records on the agency's normal records schedule, so that the agency's compliance evidence does not depend solely on continued access to CodeBlu.
Section F: Administration and support
Q26. How are users managed, and what can a supervisor see?
CodeBlu provides a dashboard for trainers and administrators with a roster view of their agency's officers, the ability to drill into an individual officer's training history, and a roster import for adding officers in bulk. Officers are provisioned by email and sign in with a magic-link. An administrator or trainer sees training data only for officers within their own agency. CodeBlu recommends the agency confirm, during the pilot, that the deprovisioning process for officers who leave is workable for the agency, and that the roster import handles the agency's officer list cleanly.
Q27. What support and onboarding do you provide?
CodeBlu will define the included support model, response targets, and onboarding assistance as part of the agency agreement. Because CodeBlu is an early-stage vendor, an agency should get the support commitment in writing rather than assume it, and should identify a named CodeBlu contact for the pilot. The companion document, Implementing CodeBlu in Your Agency: A 90-Day Rollout Guide, sets out a structured onboarding the agency can run, and CodeBlu's support role should be defined against that plan.
Section G: Pricing and contract
Q28. What is your pricing, and what contract terms should we expect?
CodeBlu's published pricing model is a free trial at no cost for a limited period and a limited number of sessions; a standard agency plan priced per officer per month, billed annually, for agencies up to a stated size; and custom pricing for larger agencies. The agency should obtain a written quote with every fee itemized and the per-officer rate held for the contract term. On contract terms, the agency should know that CodeBlu's public terms of service are still in legal review, and that several high-stakes provisions, including limitation of liability, indemnification, and dispute resolution, are deliberately not yet finalized. Many government agencies cannot indemnify a vendor or agree to binding arbitration, so CodeBlu expects to negotiate a contract appropriate to a government buyer rather than apply a standard commercial form.
Section H: Data ownership and accessibility
Q29. Who owns the training data, and what happens to it if we end the contract?
The agency's training records are the agency's records. CodeBlu's position is that the agency owns its training data and that CodeBlu holds and processes it to provide the service. CodeBlu's own legal review notes that the word "ownership" is imprecise in a data context and that the contract should state the arrangement precisely rather than rely on a label, so the agency should expect the final contract, not a marketing statement, to govern this. On exit, CodeBlu will commit, as contract terms, to a data-export process that lets the agency retrieve its records on the agency's timeline and to a data-deletion process on termination. CodeBlu recommends the agency not wait for exit to hold its records: the agency should export and retain training records on its own system throughout the relationship, so its compliance evidence never depends solely on continued access to CodeBlu.
Q30. Is the product accessible to officers with disabilities?
CodeBlu is a web application, and the scenarios are voice conversations, so the product depends on a microphone and on speech. An officer with a hearing or speech disability, or one who uses assistive technology, may face barriers that a text-based course would not present. CodeBlu does not currently publish a formal accessibility conformance report, such as one referencing the Web Content Accessibility Guidelines. An agency with officers who need accommodation should raise this directly during evaluation, ask CodeBlu what accommodations or alternatives exist, and ensure the agency has a non-CodeBlu path to deliver equivalent training to any officer for whom the voice format is not workable. Accessibility is also a legal-compliance matter for the agency as an employer, so agency counsel and human resources should be involved.
Closing note for evaluators
A vendor's answers to an RFP are representations, not proof. The answers above are written to be honest, including where CodeBlu falls short of what a mature enterprise vendor would offer: no current SOC 2 attestation, no implemented CJIS alignment, no product-specific outcome research, contract terms still being finalized, and a short operating history. An agency that reads those as disqualifying should not proceed, and CodeBlu would rather an agency reach that conclusion early than late. An agency that can proceed with an early-stage vendor under a structured pilot should take the answers it cares about and make them binding contract terms. The companion documents in this set address the security review, the return-on-investment analysis, the comparison to traditional training, and the implementation plan.
Sources
- AICPA, SOC 2 reporting overview: https://www.aicpa-cima.com/topic/audit-assurance/audit-and-assurance-greater-than-soc-2
- FBI CJIS Security Policy Resource Center: https://le.fbi.gov/informational-tools/cjis/cjis-security-policy-resource-center
- Published outcome evaluations of structured de-escalation training. The detailed methodology bibliography, including the public bodies of work cited in Q6, is available on request to privacy@codeblu.co.
This document is a procurement aid and is not legal advice. Route contract, data-handling, and compliance questions to agency counsel and to the agency's CJIS Systems Officer.
Talk to us
For pricing, a structured pilot, or any question this document does not answer, email sales@codeblu.co. For security, privacy, or named-subprocessor questions, email privacy@codeblu.co.