Security & Compliance
Your data, protected.
queri is built for teams that handle sensitive client and company data. Here is exactly how we protect it.
- SOC 2 (via providers)
- ISO 27001 (via providers)
- AES-256 Encryption
- TLS 1.2+
- GDPR Ready
Infrastructure
- Hosted on Vercel (SOC 2 Type II, ISO 27001) with global edge network
- Database on Supabase/AWS (SOC 2 Type II, AES-256 encryption at rest)
- AI compute on Modal (SOC 2 Type II, dedicated GPU infrastructure)
- Vector storage on Pinecone (SOC 2 Type II, enterprise-grade)
- All infrastructure providers maintain independent security certifications
Data Handling
- Row-level security (RLS) enforced on all database tables
- Encryption at rest (AES-256) and in transit (TLS 1.2+)
- Data residency in the United States (US-East, US-West)
- Customer data is never used to train AI models
- Document content is processed and indexed, then stored encrypted
- Automatic data retention policies with configurable expiry
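To make the row-level security claim concrete, here is an added illustration of the pattern on Postgres/Supabase; it is example code, not queri's own schema or policies. The table and column names (`documents`, `org_members`, `org_id`, `user_id`) are assumed for the illustration; `auth.uid()` is the Supabase helper that returns the calling user's id.

```sql
-- Added example (hypothetical schema): tenant isolation with Postgres RLS.
-- Enable RLS and force it so even the table owner cannot bypass the policies.
alter table documents enable row level security;
alter table documents force row level security;

-- Members may only read documents belonging to an organization they are a member of.
create policy "members read own org documents"
  on documents
  for select
  using (
    org_id in (
      select org_id from org_members where user_id = auth.uid()
    )
  );

-- Writes are limited to admins of that organization (role column assumed).
create policy "admins write own org documents"
  on documents
  for all
  using (
    org_id in (
      select org_id from org_members
      where user_id = auth.uid() and role = 'admin'
    )
  )
  with check (
    org_id in (
      select org_id from org_members
      where user_id = auth.uid() and role = 'admin'
    )
  );
```

With RLS enabled and no policy granting access, a table returns no rows at all, so a forgotten policy fails closed rather than open; `force row level security` closes the remaining gap where the table owner would otherwise be exempt. A practitioner verifying a vendor's RLS claim would check that every tenant-scoped table has both statements applied and that the service-role key (which bypasses RLS) is never exposed to clients.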
Access Controls
- Authentication via Supabase Auth with secure session management
- Role-based access control (RBAC): admin and member roles
- Multi-factor authentication (MFA) — coming soon
- SSO/SAML support on Business tier
- API keys with granular scoping and rotation
- Audit logs for all administrative actions
AI & Model Security
- Customer data is never used to train or fine-tune AI models
- All AI responses are grounded in your documents with citations
- Prompt injection defense with input sanitization and output filtering
- PII scanning and redaction capabilities
- Model outputs are not shared across organizations
- Support for BYOK (bring your own LLM key) on Business tier
Application Security
- Security headers enforced (CSP, HSTS, X-Frame-Options, etc.)
- Rate limiting on all API endpoints
- Input validation and sanitization on all user inputs
- Static application security testing (SAST) in CI/CD pipeline
- Automated dependency vulnerability monitoring
- Regular security reviews and penetration testing
Compliance
- Data Processing Agreement (DPA) available on request
- GDPR-ready with data export and deletion capabilities
- Sub-processor list maintained and updated (see below)
- Privacy-by-design architecture
- Regular compliance reviews against evolving regulations
Incident Response
- Documented incident response procedures
- Breach notification within 72 hours per GDPR requirements
- Status page for real-time service availability
- Post-incident reports shared with affected customers
- 24/7 monitoring and automated alerting
Organizational Security
- Responsible disclosure policy for security researchers
- Security awareness training for all team members
- Principle of least privilege for internal access
- Background checks for team members with data access
- Contact: security@queri.so for security inquiries
Sub-processors
The following third-party services process data on behalf of queri. All sub-processors maintain independent security certifications.
| Provider | Purpose | Location | Certifications |
|---|---|---|---|
| Vercel | Application hosting & edge network | United States | SOC 2 Type II, ISO 27001 |
| Supabase (AWS) | Database & authentication | United States | SOC 2 Type II |
| OpenAI | Large language model inference | United States | SOC 2 Type II |
| Anthropic | Large language model inference | United States | SOC 2 Type II |
| Pinecone | Vector database for semantic search | United States | SOC 2 Type II |
| Modal | AI compute infrastructure | United States | SOC 2 Type II |
| Resend | Transactional email | United States | SOC 2 Type II |
| PostHog | Product analytics | United States / EU | SOC 2 Type II |
Questions about security?
Reach out to our security team. We are happy to discuss your requirements, provide our DPA, or schedule a security review.