Security at QuoteWorthy
Security and privacy are part of every release. This page summarises how we protect the digests you forward and your expertise profile, who we work with, and the one guarantee that sits at the centre of the product: it never sends a pitch on your behalf.
Compliance
SOC 2 Type II: Planned
On the roadmap. Audit window starts when we cross 50 enterprise customers.
GDPR: In progress
Data subject rights, consent records, and sub-processor transparency are live. Data Processing Agreement available on request; formal sign-off pending legal review.
CCPA / CPRA: In progress
Do Not Sell or Share, Global Privacy Control, and the rights to know, delete, and opt out are implemented. Final policy review pending.
PECR / ePrivacy: In progress
Cookie consent is enforced before any non-essential cookie loads, with a published cookie inventory. Final review pending.
Security controls
Encryption at rest
All data in Postgres is encrypted at rest with AES-256. Customer-supplied (BYOK) API keys are additionally encrypted with AES-GCM at the application layer before they are written to the database, using a key that is never stored in the database.
Encryption in transit
TLS 1.3 is enforced on every endpoint. Strict-Transport-Security is sent with the preload directive; preload-list eligibility also requires a max-age of at least one year and includeSubDomains.
Authentication
Email and password with strong password rules, OAuth sign-in (Google, GitHub, Facebook, LinkedIn, Twitter), TOTP-based MFA, and WebAuthn passkeys.
Authorisation
Postgres row-level security (RLS) policies on every table. Permission-string RBAC at the account level, with custom roles on Agency.
Audit logs
Every privileged action is recorded in an account-level audit log (90-day retention by default, configurable; CSV export).
Backups
Continuous WAL backups with 7-day point-in-time recovery.
Vulnerability scanning
Dependabot for dependency vulnerabilities; CodeQL static analysis for source. Sentry for runtime error monitoring.
Incident response
We acknowledge reported incidents within 24 hours and notify affected customers within 72 hours when their data is impacted.
Inbound email only
We only ingest the digest emails you forward to us. We never read your wider inbox, and we hold no credentials that could send mail from your account.
It never sends
QuoteWorthy cannot email a journalist on your behalf. Drafts stop in your review queue; you review and send every pitch yourself. This is a hard product rule, not a setting.
Subprocessors
Third parties that process customer data on our behalf. We notify customers of changes via the changelog.
| Provider | Purpose | Data | Location |
|---|---|---|---|
| PostgreSQL (Managed) | Database, auth, storage | All app data | us-east-1 |
| Vercel | Application hosting | Request logs, build artifacts | Global edge |
| Stripe | Payments | Billing details | US, EU |
| Resend | Transactional email | Email + name | US |
| Sentry | Error monitoring | Stack traces, request context | US |
| Anthropic | AI processing | Call-out + profile content | US |
| OpenAI | AI processing (BYOK) | Call-out + profile content | US |
Report a vulnerability
If you believe you've found a security issue, please email security@quoteworthy.ai. We aim to acknowledge within one business day.