Security & Trust

Last updated: January 23, 2026

At QuoteOS, security is foundational—not an afterthought. We've designed our platform with a privacy-first architecture that protects your data at every layer.

Our Security Principles

Encryption Everywhere

All data is encrypted in transit using TLS 1.3 and at rest using AES-256 encryption. Your pricing data, customer information, and quotes are protected at every stage.

Organisation-Level Isolation

Your data is completely isolated from other organisations using row-level security (RLS). There is no possibility of cross-organisation data access—each organisation operates in its own secure partition.

Secure Authentication

Authentication is handled by a SOC 2 Type II certified identity provider. We support multi-factor authentication (MFA), secure session management, and enterprise SSO options.

Monitoring & Logging

We maintain comprehensive audit logs and real-time monitoring. Suspicious activity is detected and investigated promptly. Security events are logged and retained for compliance purposes.

AI Safety Guarantees

Your Data Is Never Used for AI Training

This is a core commitment. Your pricing library, customer information, and quote content are never used to train AI models—not ours, not third-party models. Your data remains yours.

Our AI processing is designed with privacy at its core:

  • AI processing occurs in isolated, secure environments
  • Data is processed only to generate your specific quote—then discarded from AI context
  • We use enterprise-grade AI providers with strict data handling agreements
  • No customer data is retained by AI providers for training or improvement purposes
  • AI-generated content is always presented as a draft for your review and approval

Infrastructure Security

QuoteOS is built on enterprise-grade infrastructure:

Hosting & Compute:

  • Application hosted on SOC 2 certified platforms with global CDN distribution
  • Background processing in isolated container environments
  • Database with automatic backups and point-in-time recovery
  • All infrastructure providers maintain SOC 2 compliance

Network Security:

  • DDoS protection at the edge
  • Web Application Firewall (WAF) rules
  • Rate limiting to prevent abuse
  • Secure API endpoints with authentication required

Access Controls

We implement strict access controls to protect your data:

  • Principle of least privilege—employees only have access to data necessary for their role
  • All access to production systems is logged and audited
  • Administrative access requires multi-factor authentication
  • Regular access reviews ensure permissions remain appropriate
  • Separation of duties for sensitive operations

Incident Response

Prepared for the Unexpected

We maintain documented incident response procedures and conduct regular drills. In the event of a security incident, we are prepared to respond quickly and transparently.

Our incident response includes:

  • 24/7 monitoring and alerting for security events
  • Documented escalation procedures
  • Rapid response team with defined roles and responsibilities
  • Customer notification within 48 hours for incidents affecting their data
  • Post-incident review and remediation

Compliance Mindset

While we do not currently hold formal certifications, QuoteOS is designed to align with industry security standards and regulatory requirements:

Standards We Align With:

  • SOC 2 Trust Service Criteria (Security, Availability, Confidentiality)
  • ISO 27001 Information Security Management principles
  • OWASP security best practices for web applications
  • CIS Controls for cyber defence

Regulatory Compliance:

  • GDPR (EU General Data Protection Regulation)
  • UK GDPR
  • CCPA/CPRA (California Consumer Privacy Act)
  • Australian Privacy Act 1988

For enterprise customers requiring specific compliance documentation or security questionnaires, please contact support@getquoteos.com.

Vendor Security

We carefully vet all third-party vendors and require them to meet our security standards:

  • All database providers are SOC 2 Type II certified with encryption at rest
  • Authentication providers are SOC 2 Type II certified with MFA support
  • Payment processing is PCI DSS Level 1 compliant
  • AI processing providers maintain SOC 2 Type II certification with enterprise data agreements
  • Hosting providers are SOC 2 Type II certified with global CDN distribution

For detailed vendor security documentation, please contact support@getquoteos.com.

Responsible Disclosure

We welcome responsible disclosure of security vulnerabilities. If you discover a security issue, please report it to support@getquoteos.com. We commit to:

  • Acknowledging receipt within 24 hours
  • Providing regular updates on our investigation
  • Not pursuing legal action against good-faith security researchers
  • Crediting researchers who help us improve security (with permission)

Contact

For security-related enquiries, please contact us at:

Email: support@getquoteos.com