🔒 Security

Security at QwicKeys

// Last updated: June 1, 2025

01 Overview

Security is a core part of how QwicKeys is built and operated. This page explains how we protect your data, secure access to the platform, and respond when something goes wrong.

  • Hosted on Supabase: US-based infrastructure with enterprise-grade security baked in at the platform level.
  • Encrypted in Transit & at Rest: TLS for all connections. AES-256 encryption for all stored data.
  • Row-Level Security: Database-level policies ensure organizations can only access their own data.
  • Error Monitoring: Real-time error tracking via Sentry so we catch issues before you report them.

02 Infrastructure

QwicKeys is built on a managed cloud stack. We do not operate physical servers or bare-metal infrastructure; instead, we rely on providers with established security certifications and dedicated security teams.

  • Database & Auth: Supabase (hosted on AWS, US region). Supabase is SOC 2 Type II compliant.
  • Frontend hosting: Netlify. All traffic served over HTTPS with automatic SSL certificates.
  • Transactional email: Resend. Used only for account invites and password resets.
  • Payments: Stripe. We never store credit card data; all payment processing is handled entirely by Stripe.
  • Error monitoring: Sentry. Captures JavaScript errors in the app and extension.

Data residency: All customer data is stored in the United States. We do not transfer data to other regions.

03 Data Encryption

All data handled by QwicKeys is encrypted both in transit and at rest:

  • In transit: All communication between your browser, the extension, and our servers uses TLS 1.2 or higher. HTTP connections are automatically redirected to HTTPS.
  • At rest: Supabase encrypts all stored data using AES-256, including your shortkey content, account data, and usage analytics.
  • Passwords: We never store plaintext passwords. Authentication is managed by Supabase Auth, which uses bcrypt hashing.

04 Access Controls

Access to data within QwicKeys is strictly scoped by organization and role:

  • Row-Level Security (RLS): All database queries are filtered at the Supabase level: users can only read and write data that belongs to their own organization, enforced by database policies, not just application logic.
  • Role-based permissions: Admins, Superusers, and standard Users have clearly defined access levels. Users cannot view or modify data outside their assigned role.
  • Session tokens: Authentication tokens are short-lived and refreshed automatically. Logging out invalidates the session immediately.
  • No cross-org access: No QwicKeys customer can access another organization's data under any circumstances.

Internal access to production data by QwicKeys staff is limited to what is necessary to diagnose reported issues, and is not performed routinely.
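
An organization-scoped row-level security policy of the kind described above, written for PostgreSQL as used by Supabase. This is an added illustration, not QwicKeys' actual schema or policies: the `memberships` and `shortkeys` tables, their columns, and the rule that only admins and superusers may write are assumptions. `auth.uid()` is Supabase's helper that returns the signed-in user's id.

```sql
-- Hypothetical schema: table and column names are assumptions for illustration.
create table memberships (
  user_id uuid not null,   -- equals auth.uid() for the signed-in user
  org_id  uuid not null,
  role    text not null check (role in ('admin', 'superuser', 'user')),
  primary key (user_id, org_id)
);

create table shortkeys (
  id       uuid primary key default gen_random_uuid(),
  org_id   uuid not null,
  shortcut text not null,
  content  text not null
);

-- Once RLS is enabled, a table with no matching policy returns zero rows
-- to non-owner roles (default deny).
alter table memberships enable row level security;
alter table shortkeys   enable row level security;

-- A user can see only their own membership rows.
create policy memberships_self_read on memberships
  for select to authenticated
  using (user_id = auth.uid());

-- Reads: any member of the organization that owns the row.
create policy shortkeys_org_read on shortkeys
  for select to authenticated
  using (org_id in (select m.org_id from memberships m
                    where m.user_id = auth.uid()));

-- Writes (assumed rule): admins and superusers of the owning organization.
-- WITH CHECK also rejects inserting or moving a row into another org.
create policy shortkeys_org_write on shortkeys
  for all to authenticated
  using (org_id in (select m.org_id from memberships m
                    where m.user_id = auth.uid()
                      and m.role in ('admin', 'superuser')))
  with check (org_id in (select m.org_id from memberships m
                         where m.user_id = auth.uid()
                           and m.role in ('admin', 'superuser')));
```

These policies bind only the `authenticated` role; Supabase's service-role key bypasses RLS entirely, so isolation holds only as long as that key never reaches the browser or the extension.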

05 Chrome Extension Security

The QwicKeys browser extension is designed with a minimal-access principle:

  • It detects only the specific trigger prefix you type (e.g. ;;); it does not log keystrokes, capture screenshots, or read page content
  • It communicates exclusively with Supabase over HTTPS to fetch your shortkey list and record expansion events
  • It stores your session token locally in Chrome's secure extension storage, not in cookies or localStorage
  • It requests only the permissions required to function: activeTab, storage, and broad host permissions to enable expansion in any web app
  • No data is sold, shared, or transmitted to any third party other than Supabase

IT teams: The extension requires no system-level access or admin rights to install. It runs entirely within the Chrome/Edge browser sandbox.

06 Incident Response

In the event of a security incident affecting customer data, we commit to the following:

  • Detection: Automated error monitoring via Sentry alerts us to anomalies in real time
  • Containment: Affected systems are isolated as quickly as possible to limit the scope of any breach
  • Notification: Affected customers will be notified by email within 72 hours of confirming that a breach has occurred
  • Remediation: We will patch the root cause, rotate any compromised credentials, and document what happened
  • Post-incident: A summary of the incident, its impact, and the steps taken will be shared with affected organizations

Current system status:

  • App & Dashboard: Operational
  • Chrome Extension: Operational
  • Database (Supabase): Operational
  • Authentication: Operational

07 Vulnerability Disclosure

We take security reports seriously and ask that you follow responsible disclosure practices:

  • If you discover a potential vulnerability, please contact us privately at the email below before disclosing it publicly
  • Provide enough detail for us to reproduce and investigate the issue (steps, environment, screenshots if applicable)
  • We will acknowledge your report within 2 business days and aim to resolve confirmed issues within 14 days
  • We ask that you do not access, modify, or delete data that is not your own during testing

We genuinely appreciate responsible security researchers. If your report leads to a confirmed fix, we'll acknowledge your contribution.

08 Contact

For security concerns, vulnerability reports, or questions about our practices:

  • Company: L3XCZR SFTWYR LLC
  • Product: QwicKeys
  • Security Email: security@qwickeys.com