Security Policy

Last Updated: December 28, 2025

Version 1.0

At Quixyl, security is not an afterthought—it's the foundation of everything we build. We understand that you're trusting us with sensitive business documents and financial data, and we take that responsibility seriously. This Security Policy outlines our comprehensive approach to protecting your data and maintaining the highest security standards.

Our Security Commitment

We employ 256-bit encryption, follow industry best practices, and maintain enterprise-grade security standards to ensure your data remains secure, private, and always under your control.

1. Data Encryption

1.1 Encryption in Transit

All data transmitted between your browser and our servers is encrypted using TLS 1.3 (Transport Layer Security), the latest and most secure encryption protocol. This includes:

  • API requests and responses
  • Document uploads and downloads
  • Authentication and session management
  • Webhook delivery
  • All web application traffic

We enforce HTTPS across all our domains and subdomains with HSTS (HTTP Strict Transport Security) to prevent protocol downgrade attacks.

1.2 Encryption at Rest

Your uploaded documents and extracted data are encrypted at rest using AES-256 encryption, the same military-grade encryption used by banks and government agencies. This applies to:

  • Document Storage: All uploaded PDFs, images, and documents are encrypted in our secure cloud storage (Cloudflare R2)
  • Database Records: Extracted data, user information, and metadata stored in our PostgreSQL database (Neon) are encrypted
  • Backups: All database backups are encrypted and stored in geographically distributed locations
  • Temporary Files: Any temporary processing files are encrypted and automatically deleted after processing

1.3 Key Management

Encryption keys are managed using industry-standard key management practices:

  • Keys are rotated regularly according to security best practices
  • No single person has access to all encryption keys
  • Keys are stored separately from encrypted data
  • Access to key management systems requires multi-factor authentication

2. Infrastructure Security

2.1 Cloud Infrastructure

Our infrastructure is built on enterprise-grade cloud platforms with industry-leading security:

  • Application Hosting: Deployed on Coolify with containerized architecture for isolation and security
  • Database: Neon PostgreSQL with built-in encryption, automated backups, and connection pooling
  • Object Storage: Cloudflare R2 for secure, redundant document storage
  • CDN & DDoS Protection: Cloudflare's enterprise CDN with advanced DDoS mitigation
  • Payment Processing: Stripe for PCI DSS compliant payment handling

2.2 Network Security

Our network security measures include:

  • Firewall Protection: Web Application Firewall (WAF) to block malicious traffic and common web attacks
  • DDoS Mitigation: Automatic detection and mitigation of distributed denial-of-service attacks
  • Rate Limiting: API rate limits to prevent abuse and ensure service availability
  • IP Allowlisting: Optional IP allowlisting for Enterprise customers
  • Network Isolation: Services run in isolated containers with minimal network exposure

2.3 Container Security

Our containerized architecture provides additional security layers:

  • Minimal base images to reduce attack surface
  • Regular image scanning for vulnerabilities
  • Immutable infrastructure - containers are never patched, only replaced
  • Resource limits to prevent resource exhaustion attacks
  • Container isolation to prevent cross-contamination

3. Application Security

3.1 Authentication & Access Control

We implement robust authentication and authorization mechanisms:

  • Secure Authentication: Email-based authentication with magic links (no password storage vulnerabilities)
  • Session Management: Secure, httpOnly cookies with short expiration times
  • Multi-Factor Authentication (MFA): Available for Enterprise customers
  • Role-Based Access Control (RBAC): Granular permissions for team members
  • API Key Security: Secure API key generation with scoped permissions
  • Automatic Logout: Sessions expire after a period of inactivity

3.2 Input Validation & Sanitization

All user input is rigorously validated and sanitized to prevent security vulnerabilities:

  • SQL Injection Prevention: Parameterized queries and ORM usage throughout the application
  • XSS Protection: Content Security Policy (CSP) and automatic output encoding
  • CSRF Protection: Anti-CSRF tokens on all state-changing operations
  • File Upload Validation: Strict file type checking, size limits, and virus scanning
  • Schema Validation: All API requests validated against strict schemas

3.3 Secure Development Practices

Our development process includes security at every stage:

  • Security-focused code reviews before deployment
  • Automated security scanning in CI/CD pipeline
  • Dependency vulnerability scanning with automatic updates
  • Static Application Security Testing (SAST)
  • Regular security training for the development team
  • Secure coding guidelines and best practices enforcement

4. Data Security & Privacy

4.1 Data Isolation

Your data is strictly isolated and protected from access by other users:

  • Logical Data Separation: Each organization's data is logically separated with strict access controls
  • Row-Level Security: Database policies ensure users can only access their own organization's data
  • API Isolation: All API requests are scoped to the authenticated user's organization
  • File Storage Isolation: Documents stored in organization-specific buckets with unique access keys

4.2 Data Retention & Deletion

We provide you with complete control over your data:

  • User-Controlled Retention: You can delete any document or extraction at any time
  • Automatic Deletion: Deleted items are permanently removed within 90 days
  • Account Deletion: Upon account termination, all data is deleted within 90 days
  • Secure Deletion: Data deletion is cryptographically secure and irreversible
  • Backup Cleanup: Deleted data is removed from all backups during rotation

4.3 Data Processing

We process your data with the highest security standards:

  • Third-Party Processors: We use trusted partners (Microsoft Azure Document Intelligence, OpenAI, Anthropic) with enterprise security certifications
  • Data Processing Agreements: All third-party processors sign strict DPAs (Data Processing Agreements)
  • Minimal Data Sharing: Only necessary data is shared with processing services
  • No Training on Your Data: Your documents are never used to train AI models
  • Temporary Processing: Documents are deleted from third-party services immediately after processing

4.4 PII Redaction & Compliance

For customers processing sensitive personal information:

  • Automatic PII Detection: AI-powered detection of Social Security Numbers, credit cards, phone numbers, and more
  • Flexible Redaction Modes: Remove, mask, hash, or flag PII based on your requirements
  • Audit Trails: Complete logging of PII detection and redaction activities
  • Compliance Support: Features designed to support HIPAA, GDPR, CCPA, SOC 2, and PCI DSS requirements

5. Compliance Standards

We are committed to achieving and maintaining industry-standard security certifications. Our security practices are designed to align with:

  • SOC 2 principles alignment: Security, availability, confidentiality, processing integrity, and privacy
  • GDPR requirements: Data protection and privacy for European customers
  • CCPA compliance: California Consumer Privacy Act standards
  • PCI DSS: Payment security through Stripe's certified infrastructure
  • ISO 27001 frameworks: Information security management best practices

Certification In Progress

We are actively working towards SOC 2 Type II certification. Our infrastructure and policies are designed to meet these rigorous standards. For Enterprise customers requiring formal certification, please contact our team to discuss timelines and requirements.

6. Security Monitoring & Incident Response

6.1 Continuous Monitoring

We maintain 24/7 security monitoring to detect and respond to threats:

  • Real-Time Alerts: Automated alerting for suspicious activities
  • Log Analysis: Centralized logging and analysis of all system events
  • Intrusion Detection: Automated detection of unauthorized access attempts
  • Uptime Monitoring: 99.9% uptime SLA with real-time status page
  • Performance Monitoring: Detection of anomalies that could indicate security issues

6.2 Vulnerability Management

We proactively identify and address security vulnerabilities:

  • Regular vulnerability scanning of infrastructure and applications
  • Automated dependency updates for security patches
  • Quarterly penetration testing by third-party security firms
  • Bug bounty program for responsible disclosure
  • Critical vulnerabilities patched within 24 hours

6.3 Incident Response

In the unlikely event of a security incident, we have a comprehensive response plan:

  • Immediate Response: Security team notified immediately upon detection
  • Incident Containment: Rapid isolation and containment of affected systems
  • Customer Notification: Affected customers notified within 72 hours
  • Root Cause Analysis: Thorough investigation and remediation
  • Post-Incident Review: Process improvements to prevent recurrence
  • Transparent Communication: Regular updates via status page and email

6.4 Audit Logging

Comprehensive audit trails are maintained for security and compliance:

  • All user authentication and authorization events
  • Document uploads, downloads, and deletions
  • API access and usage patterns
  • Administrative actions and configuration changes
  • Logs retained for 90 days (Pro) or 1 year (Enterprise)

7. Employee Security & Access Control

7.1 Employee Background Checks

All employees with access to customer data undergo:

  • Comprehensive background checks before employment
  • Signed confidentiality and data protection agreements
  • Regular security awareness training
  • Annual security policy reviews and acknowledgments

7.2 Access Control

Employee access to systems and data is strictly controlled:

  • Principle of Least Privilege: Employees only have access to data necessary for their role
  • Multi-Factor Authentication: Required for all system access
  • Access Reviews: Quarterly reviews of employee access permissions
  • Immediate Revocation: Access removed immediately upon termination
  • Audit Trails: All employee access to customer data is logged

7.3 Customer Data Access

We never access your data without explicit permission, except:

  • When you request technical support and grant permission
  • To investigate and resolve reported issues
  • As required by law or legal process
  • To prevent or address security incidents

All customer data access is logged and reviewed by our security team.

8. Physical & Environmental Security

8.1 Data Center Security

Our infrastructure runs in enterprise-grade data centers with:

  • 24/7 on-site security personnel
  • Biometric access controls
  • Video surveillance and monitoring
  • Redundant power supplies and cooling systems
  • Fire suppression systems
  • Geographic redundancy for disaster recovery

8.2 Business Continuity

We maintain comprehensive business continuity and disaster recovery plans:

  • Automated Backups: Continuous database backups with point-in-time recovery
  • Geographic Redundancy: Data replicated across multiple regions
  • Failover Systems: Automatic failover for critical services
  • Recovery Time Objective (RTO): 4 hours for critical systems
  • Recovery Point Objective (RPO): 1 hour maximum data loss
  • Regular Testing: Disaster recovery procedures tested quarterly

9. Your Security Responsibilities

While we provide enterprise-grade security, your cooperation is essential:

  • Keep Credentials Secure: Never share your account credentials or API keys
  • Use Strong Authentication: Use unique passwords and enable MFA when available
  • Monitor Account Activity: Regularly review your account for unauthorized access
  • Report Suspicious Activity: Immediately report any security concerns to info@quixyl.com
  • Keep Software Updated: Use up-to-date browsers and operating systems
  • Secure Your Devices: Protect devices used to access Quixyl with encryption and antivirus
  • Follow Best Practices: Implement security best practices in your organization

10. Security Reporting & Contact

10.1 Responsible Disclosure

If you discover a security vulnerability, we appreciate responsible disclosure:

  • Email details to info@quixyl.com
  • Include detailed steps to reproduce the vulnerability
  • Allow us reasonable time to address the issue before public disclosure
  • We commit to acknowledging reports within 24 hours

10.2 Security Contact

For security-related inquiries:

Security Team: info@quixyl.com

General Support: support@quixyl.com

10.3 Updates to This Policy

We may update this Security Policy to reflect changes in our security practices or regulatory requirements. Material changes will be communicated via:

  • Email notification to registered users
  • Prominent notice on our website
  • In-app notifications

Your Trust, Our Priority

Security isn't just a technical requirement—it's a promise. We're committed to earning and maintaining your trust through transparent security practices, continuous improvement, and unwavering dedication to protecting your data. If you have any questions or concerns about our security measures, our team is always here to help.
