Trust and Security

How Quotient handles customer data.

Quotient is built with security at its core. We implement industry-standard security practices across our infrastructure, application layer, and operational processes to protect your data at every level.

This page provides an overview of our security practices and compliance measures. For more detailed information, please refer to our Customer Data Privacy and Data Processors documentation.

Data Security

Encryption

All customer data is protected with enterprise-grade encryption at every layer:

  • Encryption at rest: Customer data stored in our databases is encrypted using AES-256, the industry standard for data at rest. Our database provider, Neon, manages the encryption keys and follows strict key management protocols.
  • Encryption in transit: All data transmitted between clients and our services is encrypted with TLS 1.3; older protocol versions are not accepted. This includes all API requests, web application traffic, and internal service communication.

Backups and Data Durability

Our database infrastructure is designed for high availability and durability. Continuous automated backups ensure that customer data can be recovered in the event of data loss or corruption. Our database provider supports point-in-time recovery, allowing us to restore data to a chosen moment within the backup retention window. Database backups are stored across multiple availability zones to protect against the failure of a single zone, and all backup data is encrypted to the same standard as production data.

Infrastructure Security

Cloud Infrastructure

Quotient leverages best-in-class cloud infrastructure providers. Vercel provides secure, scalable hosting for our main application with built-in DDoS protection and edge network security. Neon provides enterprise-grade PostgreSQL hosting with automatic failover and high availability. Amazon Web Services (AWS) powers our storage, content delivery, and container orchestration needs.

Physical Security

We defer physical security controls to our infrastructure providers, whose data centers are covered by SOC 2 Type II attestation reports. These facilities feature 24/7 security monitoring and surveillance, biometric access controls, environmental safeguards including fire suppression and climate control, and redundant power systems, and they undergo regular independent security audits.

Disaster Recovery

Our disaster recovery strategy ensures business continuity through multiple layers of protection. Database infrastructure automatically fails over to standby instances in the event of hardware failure. Services are distributed across multiple availability zones to minimize the impact of a single-zone outage. We maintain documented incident response procedures and conduct regular reviews to ensure rapid recovery from potential incidents. For more information on our incident response process, see the Incident Response section below.

Application Security

Secure Development Lifecycle

Security is integrated into every phase of our development process. All code changes must be reviewed and approved by another engineer before deployment, ensuring that multiple eyes examine every change to our production systems. We maintain comprehensive test suites using Vitest to catch bugs and security issues early in the development cycle. GitHub Actions automatically runs security checks, tests, and code quality analysis on every commit, providing immediate feedback to our engineering team.

Vulnerability Management

We actively monitor and address security vulnerabilities through multiple channels. Dependabot automatically monitors our dependencies for known vulnerabilities and creates pull requests to update affected packages. We subscribe to security advisories from GitHub and our infrastructure providers to stay informed of emerging threats. Our systems automatically alert our engineering team when security issues are detected, and critical security patches are prioritized and deployed promptly following our change management procedures.
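The following is an added illustration of the kind of pipeline the two sections above describe: Dependabot opening update pull requests and a GitHub Actions workflow that runs tests and a dependency audit on every pull request and push. It is example configuration written for this page, not Quotient's own; the file paths, job name, Node version, and the assumption that the project is an npm package are all assumptions.

```yaml
# Added illustration, not Quotient's configuration.
# File 1: .github/dependabot.yml (assumed path; assumes an npm project)
version: 2
updates:
  # Open pull requests for vulnerable or outdated npm dependencies.
  - package-ecosystem: "npm"
    directory: "/"
    schedule:
      interval: "daily"
    open-pull-requests-limit: 10
  # Keep the workflow's own actions current as well (supply-chain hygiene).
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
---
# File 2: .github/workflows/ci.yml (assumed path)
name: ci
on:
  pull_request:
  push:
    branches: ["main"]
# Least-privilege GITHUB_TOKEN: this job only needs to read the repository.
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: "20"
          cache: "npm"
      # npm ci installs exactly what package-lock.json pins, nothing newer.
      - run: npm ci
      # Fail the build when a high or critical advisory affects the tree.
      - run: npm audit --audit-level=high
      # Run the Vitest suite once, non-interactively.
      - run: npx vitest run
```

On its own a workflow is advisory; the gate becomes enforced by the platform when a branch protection rule or repository ruleset on `main` is set to "Require a pull request before merging" with at least one approving review and "Require status checks to pass before merging" naming the `test` job. Pinning the `uses:` references to full commit SHAs instead of the `@v4` tags also removes the window in which a moved or compromised tag could change what runs in CI.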

Responsible Disclosure

We take security vulnerabilities seriously. If you discover a security issue, please report it to us at security@getquotient.ai. We commit to acknowledging your report within 48 hours, investigating all legitimate security concerns, keeping you informed of our progress, and recognizing responsible disclosure in our security acknowledgments.

Access Controls

Internal Access Management

Access to customer data is strictly controlled and monitored. Only engineering team members who require access for application support and debugging can access customer data, following the principle of least privilege. Access to critical systems including our codebase on GitHub, secrets management through Infisical, and corporate applications is protected by multi-factor authentication. All team access is centrally managed through Google Workspace and can be immediately revoked when necessary. Access to customer data is logged and monitored for security and compliance purposes.

Authentication and Authorization

Internal systems use role-based access control (RBAC) to ensure team members only have access to the resources they need for their specific roles. We use Google Workspace as our primary identity provider, enabling consistent access policies across our tools and services. We conduct periodic reviews of access permissions to ensure they remain appropriate as team members' responsibilities evolve.

Monitoring and Incident Response

Security Monitoring

Our systems are continuously monitored for security events and anomalies. Sentry provides real-time error tracking and performance monitoring across our application, alerting us immediately to any unexpected behavior. Self-hosted Grafana provides centralized logging, metrics, and alerting capabilities. Our engineering team receives immediate notifications of security-related events and anomalies, enabling rapid response to potential threats.

Incident Response

We maintain a structured incident response process to quickly identify, contain, and resolve security incidents. Automated monitoring systems alert our team to potential security incidents as they occur. We follow documented procedures for investigating, containing, and resolving security incidents to ensure consistent and effective responses. After any incident, we conduct thorough post-mortems to identify root causes and implement preventive measures. We commit to promptly notifying affected customers in the event of a data breach or security incident.

For detailed information on our incident response procedures, please refer to our Customer Data Privacy documentation.

Data Processing

For information about our data processing practices and the third-party service providers we use, please see our Customer Data Privacy documentation for comprehensive privacy and data handling practices, and our Data Processors page for a complete list of third-party service providers.

Contact Us

For security-related inquiries or to report a vulnerability, please contact us at security@getquotient.ai. For general questions about our security practices, reach out to support@getquotient.ai.