Skip to main content
Quotery

Security

Quotery's security practices: TLS 1.3 encryption, AES-256-GCM at rest, Cloudflare CDN, Render hosting, data retention, and vulnerability disclosure program for enterprise buyers.

Encryption standards

All data transmitted between your browser and Quotery is encrypted with TLS 1.3 using modern cipher suites. At rest, customer data is encrypted with AES-256-GCM. Database volumes use server-side encryption managed by the cloud provider. Backups are encrypted with the same standard before leaving the data center. API keys and secrets are hashed or encrypted before storage and are never logged in plaintext.

Infrastructure

Quotery runs on Render's SOC 2-compliant infrastructure with PostgreSQL 17 for the primary database and Redis 7 for caching and real-time features. Static assets and API traffic are fronted by the Cloudflare content delivery network, which provides DDoS mitigation, WAF rules, and edge caching. The application is deployed in isolated containers with resource limits and health-check-driven auto-recovery. Environment variables and secrets are managed through Render's encrypted secret store and are never committed to source control.

Sub-processors

Quotery engages the following sub-processors to deliver the platform: OpenAI (AI-powered document import — supplier PDFs, Excel, and CSV files are sent to OpenAI for structure extraction, product matching, and summary generation; no customer data is used for model training); Stripe (payment processing — payment card data is handled entirely by Stripe's PCI-compliant infrastructure; Quotery never stores or processes raw payment information); PostHog (product analytics — anonymized product usage data for improving the platform; no personally identifiable information is collected); Grafana Cloud (infrastructure monitoring — application performance metrics and error logs; no customer data is included). Each sub-processor is bound by a data processing agreement consistent with Quotery's security obligations.

Access control

Quotery enforces strict multi-tenant isolation at the database level. Every tenant's data is segregated by a tenant identifier that is applied on every query — no tenant can access another tenant's data through any API endpoint. Role-based access control (RBAC) is built into the platform, with predefined roles (Admin, Manager, User, Viewer) that limit what each team member can see and do. Enterprise customers can configure SAML single sign-on (SSO) for identity federation with their existing identity provider. All access to the production environment is gated by VPN, SSH key authentication, and individual user accounts with a mandatory password manager. Access is logged and audited quarterly.

Data retention

Customer data is retained for the duration of the active subscription. Upon cancellation, account data remains accessible in read-only mode for 30 days to allow export. After the 30-day export window, the account and all associated data are permanently deleted. Automated daily backups are retained for 90 days. Backups are encrypted at rest and in transit. After 90 days, backups are automatically rotated and permanently destroyed. No customer data is retained beyond these periods unless required by applicable law.

Compliance & certifications

Quotery runs on Render's SOC 2 Type II-certified infrastructure, which meets AICPA Trust Services Criteria for security, availability, and confidentiality. Render undergoes annual third-party audits and provides the SOC 2 report under NDA to enterprise customers. Quotery itself is pursuing SOC 2 Type II certification; the readiness assessment is complete and the audit window is planned for late 2026. In the interim, our security practices align with SOC 2 criteria: documented access controls, quarterly access audits, encrypted data at rest and in transit, automated backup verification, and a formal incident response plan. Enterprise buyers can request our security questionnaire and compliance roadmap at security@quotery.io.

Data Processing Agreement (DPA)

A Data Processing Agreement is available for all paid plans upon request. The DPA covers Quotery's obligations as a data processor under GDPR and LGPD, including: purpose limitation (data processed only to deliver the Quotery platform), sub-processor disclosure (OpenAI, Stripe, PostHog, Grafana Cloud — listed above with processing activities), data subject request assistance, breach notification within 72 hours, and deletion or return of customer data upon contract termination. Contact sales@quotery.io to request the current DPA. The DPA incorporates Standard Contractual Clauses (SCCs) for cross-border data transfers where applicable.

Report a vulnerability

We take the security of our platform seriously. If you discover a potential security vulnerability in Quotery, please report it to security@quotery.io. We will acknowledge receipt within 48 hours and work to triage and resolve the issue promptly. We ask that you follow responsible disclosure practices and allow us reasonable time to address the issue before public disclosure. We do not currently operate a formal bug bounty program but will acknowledge and credit responsible reporters in our release notes.