Trust
Security at QuickPly
What we do to keep your workspace, your customers' email content, and your OAuth credentials safe.
Encryption everywhere
TLS 1.2+ in transit. Supabase-managed AES-256 disk encryption at rest. OAuth refresh tokens additionally encrypted at the column level via pgcrypto with a key not stored in the application database.
Workspace isolation
Every workspace-scoped row is gated by Postgres row-level security. Cross-tenant queries fail at the database layer, not the application layer.
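An added example, not QuickPly's own schema or code, showing how the two controls described above (pgcrypto column encryption of refresh tokens and row-level security for workspace isolation) fit together in Postgres. It assumes Supabase's auth.uid() helper and hypothetical tables workspace_members and integrations, plus a constructed key name app.token_key.

```sql
-- Added example, not QuickPly's schema. Assumes Supabase's auth.uid() helper and
-- hypothetical tables workspace_members / integrations.
create extension if not exists pgcrypto;

create table workspace_members (
  workspace_id uuid not null,
  user_id      uuid not null,
  primary key (workspace_id, user_id)
);

create table integrations (
  id                uuid primary key default gen_random_uuid(),
  workspace_id      uuid not null,
  provider          text not null,
  refresh_token_enc bytea  -- ciphertext only; plaintext never lands in a column
);

-- Membership test used by the policy. security definer so the lookup is not
-- itself blocked by RLS on workspace_members.
create function is_workspace_member(ws uuid) returns boolean
  language sql stable security definer as $$
    select exists (select 1 from workspace_members
                   where workspace_id = ws and user_id = auth.uid())
$$;

-- Gate every row at the database layer. FORCE applies to the table owner as
-- well; only roles with BYPASSRLS (Supabase's service role) skip the policy.
alter table integrations enable row level security;
alter table integrations force row level security;
create policy integrations_workspace_isolation on integrations
  for all
  using      (is_workspace_member(workspace_id))
  with check (is_workspace_member(workspace_id));

-- Column-level encryption. The application supplies the key for the duration
-- of one transaction; it is a session setting, not a stored value.
begin;
set local app.token_key = 'constructed-example-key-from-app-env';
insert into integrations (workspace_id, provider, refresh_token_enc)
values ('00000000-0000-0000-0000-000000000001', 'gmail',
        pgp_sym_encrypt('constructed-sample-refresh-token',
                        current_setting('app.token_key')));
-- Reading back needs the same out-of-band key; without it the column is
-- opaque bytes even to someone who can read the whole table.
select provider,
       pgp_sym_decrypt(refresh_token_enc, current_setting('app.token_key'))
from integrations;
commit;
```

A user who is not a member of workspace `…0001` gets zero rows from the final select rather than an application-level error, which is the "fails at the database layer" behaviour the section describes.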
Two-factor authentication
TOTP MFA available to every account from Settings → Security. We strongly recommend turning it on; enterprise plans can require it for the whole workspace.
Audit log
Security-sensitive events — billing changes, integration connects, role updates, workspace deletes — are written to an append-only audit_log table that owners and admins can review.
Rate limiting & abuse protection
Sign-in, sign-up, password-reset, AI generation, and the public API are all rate-limited with sliding-window counters. Webhook events are signature-verified and de-duplicated. The public Bearer API enforces per-key plan quotas.
Least-privilege engineering
Production console access is two-person, MFA-required, and audited. Service-role database keys never touch client code. Routes that need elevated (service-role) access still scope every mutation by workspace_id as defense in depth.
Vulnerability reports
Send to security@quickply.com or via /.well-known/security.txt. We respond within one business day and credit reporters in our changelog where appropriate.
Compliance roadmap
We're a beta-stage product running production-grade controls but without a finished SOC 2 Type II report yet. Engagement with a SOC 2 vendor is on the roadmap; if you need the audit before purchase, talk to us.
Sub-processors
Third parties we rely on to operate the service. We notify account owners 30 days before adding any new sub-processor that handles customer data.
| Provider | Purpose | Region |
|---|---|---|
| Supabase | Database, Auth, file storage | US, EU on Enterprise |
| Groq | LLM inference | US |
| Dodo Payments | Subscription billing | US |
| Gmail OAuth (when enabled) | | US |
| Vercel | Hosting, edge networking | Global / US origin |
| Sentry | Error monitoring (cookies + auth scrubbed) | US |
Data Processing Addendum
Standing offer DPA with SCCs and UK IDTA addendum. Counter-signed copies on request.
Privacy Policy
What we collect, why, and how to exercise GDPR / CCPA rights.
Found something?
Report security issues to security@quickply.com. We respond within one business day. Please don't perform tests that could degrade availability for other customers.