Security
Last updated: March 30, 2026
At QuoteDeck, security is fundamental to our platform. As a B2B quoting and proposal tool handling sensitive pricing, customer, and financial data, we take a comprehensive approach to protecting your information. This page describes our security practices and commitments.
Encryption
Data in Transit
All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher. We enforce HTTPS across all endpoints with no fallback to unencrypted connections. API communications between our frontend and backend services are also encrypted in transit.
Data at Rest
All data stored in our databases and file storage systems is encrypted at rest using AES-256 encryption. This includes your business data, customer records, quotes, proposals, and uploaded documents. Database backups are also encrypted.
Authentication and Access Control
User Authentication
QuoteDeck uses Laravel Sanctum for session-based authentication with secure, HTTP-only cookies. Passwords are hashed using bcrypt with appropriate cost factors. We support session management with automatic expiration of inactive sessions.
Role-Based Access Control (RBAC)
The platform implements granular role-based access control with four distinct roles: super admin, admin, manager, and sales rep. Each role has carefully defined permissions that limit access to only the features and data appropriate for that role. Sales representatives can only access data within their assigned territories.
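As an added illustration of how the four roles above can be combined with a territory check in a Laravel policy (example code, not QuoteDeck's own; the `Quote` and `User` models, the `role`, `tenant_id` and `territory_id` columns, the `territories()` relation and the "signed quotes are read-only" rule are all assumptions made for this example):

```php
<?php
// Added example (not QuoteDeck's code): a Laravel policy that applies role-based
// permissions plus a territory restriction for sales reps. Model and column names
// (Quote, User, role, tenant_id, territory_id, territories()) are assumptions.

namespace App\Policies;

use App\Models\Quote;
use App\Models\User;

class QuotePolicy
{
    /** Super admins pass every ability; returning null lets the other roles fall through. */
    public function before(User $user, string $ability): ?bool
    {
        return $user->role === 'super_admin' ? true : null;
    }

    public function view(User $user, Quote $quote): bool
    {
        // Tenant boundary first, even though tenant-scoped queries should already
        // enforce it: authorization must not depend on a single layer.
        if ((int) $user->tenant_id !== (int) $quote->tenant_id) {
            return false;
        }

        return match ($user->role) {
            'admin', 'manager' => true,
            'sales_rep'        => $this->inAssignedTerritory($user, $quote),
            default            => false,
        };
    }

    public function update(User $user, Quote $quote): bool
    {
        // Assumed rule for this example: a signed quote can no longer be edited.
        return $this->view($user, $quote) && $quote->status !== 'signed';
    }

    public function delete(User $user, Quote $quote): bool
    {
        // Sales reps may read and edit within their territory but never delete.
        return $this->view($user, $quote)
            && in_array($user->role, ['admin', 'manager'], true);
    }

    private function inAssignedTerritory(User $user, Quote $quote): bool
    {
        // territories() is assumed to be a belongsToMany relation on User.
        return $user->territories()
            ->where('territories.id', $quote->territory_id)
            ->exists();
    }
}
```

A controller using Laravel's `AuthorizesRequests` trait would call `$this->authorize('update', $quote);` before mutating the record; the framework responds with 403 when the policy returns false. The deliberate redundancy is the point: the policy re-checks `tenant_id` so that a query scope bug alone cannot expose another tenant's quote.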
API Security
All API endpoints require authentication and enforce authorization checks. Form requests validate and sanitize all input data. Rate limiting is applied to prevent abuse. Public endpoints, such as the proposal signing portal, use secure, time-limited tokens rather than predictable identifiers.
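The following is an added example (not QuoteDeck's code) of the kind of time-limited, unguessable token a public signing page can use instead of a predictable database identifier. `SigningLink` is an assumed model with columns `proposal_id`, `token_hash`, `expires_at` and `used_at`; `Proposal` and the route name `proposals.sign` are likewise assumptions:

```php
<?php
// Added example (not QuoteDeck's code): issuing and validating an opaque, expiring,
// single-use link token for a public proposal-signing endpoint in Laravel.
// SigningLink (proposal_id, token_hash, expires_at, used_at), Proposal and the
// 'proposals.sign' route name are assumptions for this illustration.

namespace App\Services;

use App\Models\Proposal;
use App\Models\SigningLink;
use Illuminate\Support\Str;

class SigningLinkService
{
    /** Issue a link; the database stores only the SHA-256 of the token. */
    public function issue(Proposal $proposal, int $ttlDays = 7): string
    {
        // Str::random() is backed by random_bytes(), i.e. the OS CSPRNG,
        // so 64 characters is far beyond brute-force reach.
        $token = Str::random(64);

        SigningLink::create([
            'proposal_id' => $proposal->id,
            'token_hash'  => hash('sha256', $token),
            'expires_at'  => now()->addDays($ttlDays),
        ]);

        // The raw token appears only in the URL handed to the recipient.
        return route('proposals.sign', ['token' => $token]);
    }

    /** Return the proposal for a live token, or null if unknown, expired or already used. */
    public function resolve(string $token): ?Proposal
    {
        return SigningLink::query()
            ->where('token_hash', hash('sha256', $token))
            ->whereNull('used_at')
            ->where('expires_at', '>', now())
            ->first()
            ?->proposal;
    }

    /** Burn the token once the document is signed so the link cannot be replayed. */
    public function consume(string $token): void
    {
        SigningLink::query()
            ->where('token_hash', hash('sha256', $token))
            ->whereNull('used_at')
            ->update(['used_at' => now()]);
    }
}
```

The route would be registered without the authentication middleware but with a throttle, for example `Route::get('/sign/{token}', [ProposalSigningController::class, 'show'])->name('proposals.sign')->middleware('throttle:20,1');`. Storing only the hash means a database read does not yield usable links, the `expires_at` check bounds the window of a leaked link, and `used_at` prevents replay. Because this endpoint has no authenticated user, the `SigningLink` lookup must be keyed by the token rather than by the tenant context that authenticated requests carry.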
Infrastructure
Hosting
QuoteDeck is hosted on Amazon Web Services (AWS), leveraging their enterprise-grade security infrastructure. AWS maintains compliance with numerous security standards including SOC 1/2/3, ISO 27001, and PCI DSS Level 1. Our infrastructure is deployed in US-based data centers.
Network Security
Our infrastructure uses security groups and network access control lists to restrict traffic to only necessary ports and protocols. Database servers are not directly accessible from the public internet. We use managed services where possible to reduce our attack surface.
Backups
Automated database backups are performed regularly and stored in encrypted, geographically separate locations. Backups are tested periodically to ensure data can be restored when needed.
Multi-Tenant Data Isolation
QuoteDeck is a multi-tenant platform where each dealer organization ("tenant") operates in a logically isolated environment. Data isolation is enforced at the application layer through automatic query scoping. Every database query is automatically filtered by tenant ID, ensuring that one organization can never access another's data. This isolation is applied consistently across all models, API endpoints, and background processes.
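The following added example (not QuoteDeck's own implementation) shows the usual way such application-layer scoping is built in Laravel: an Eloquent global scope that filters every query on a `tenant_id` column, a trait that attaches it and stamps new rows, and how request middleware and a queued job supply the tenant context. The container key `tenant.id`, the `Proposal` model and all class names are assumptions for this illustration.

```php
<?php
// Added example (not QuoteDeck's code): automatic tenant scoping in Laravel/Eloquent.
// Assumed: tenant-owned tables carry a tenant_id column, and the current tenant id is
// bound in the container under the key 'tenant.id' (a name chosen for this example).

namespace App\Tenancy;

use Closure;
use Illuminate\Bus\Queueable;
use Illuminate\Contracts\Queue\ShouldQueue;
use Illuminate\Database\Eloquent\Builder;
use Illuminate\Database\Eloquent\Model;
use Illuminate\Database\Eloquent\Scope;
use Illuminate\Http\Request;
use App\Models\Proposal;

class TenantScope implements Scope
{
    public function apply(Builder $builder, Model $model): void
    {
        $tenantId = app()->bound('tenant.id') ? app('tenant.id') : null;

        // Fail closed: with no tenant context a query matches nothing,
        // instead of silently returning every tenant's rows.
        if ($tenantId === null) {
            $builder->whereRaw('1 = 0');
            return;
        }

        $builder->where($model->qualifyColumn('tenant_id'), $tenantId);
    }
}

trait BelongsToTenant
{
    // Laravel calls boot<TraitName>() for every trait a model uses.
    public static function bootBelongsToTenant(): void
    {
        static::addGlobalScope(new TenantScope);

        // Stamp new rows with the current tenant so nothing is ever created "unowned".
        // app('tenant.id') throws if no tenant is bound, which is the desired failure.
        static::creating(function (Model $model): void {
            if ($model->getAttribute('tenant_id') === null) {
                $model->setAttribute('tenant_id', app('tenant.id'));
            }
        });
    }
}

// HTTP requests: bind the tenant from the authenticated user (route middleware).
class SetTenantContext
{
    public function handle(Request $request, Closure $next)
    {
        app()->instance('tenant.id', $request->user()->tenant_id);

        return $next($request);
    }
}

// Background processes run with no request, so the job carries the tenant id
// explicitly and re-binds it before touching any scoped model.
class GenerateProposalPdf implements ShouldQueue
{
    use Queueable;

    public function __construct(private int $tenantId, private int $proposalId)
    {
    }

    public function handle(): void
    {
        app()->instance('tenant.id', $this->tenantId);

        // findOrFail() is now filtered by tenant_id; another tenant's id yields 404, not data.
        $proposal = Proposal::findOrFail($this->proposalId);
        $proposal->update(['pdf_requested_at' => now()]);
    }
}
```

Two caveats a reviewer would check. First, global scopes only cover Eloquent queries: `DB::table()`, raw SQL and any code that calls `withoutGlobalScope(TenantScope::class)` step outside the filter, so those uses deserve a grep and a code-review rule. Second, the fail-closed branch matters most for queue workers and console commands, where forgetting to bind the tenant would otherwise expose every tenant's rows at once; a test that binds tenant A, creates rows for tenant B directly, and asserts they are invisible is the cheapest way to keep the guarantee honest.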
Third-Party Security
We carefully evaluate the security practices of all third-party services we integrate with:
- Stripe (payment processing) is PCI DSS Level 1 certified. We never store or process full credit card numbers on our servers.
- Resend (email delivery) provides encrypted email transport and handles transactional email delivery securely.
- OpenRouter / Google Gemini (AI features) process conversation data to power our AI assistant. We do not send sensitive financial data to AI providers unless explicitly initiated by the user through the Launchpad interface.
- AWS S3 (file storage) provides encrypted, access-controlled storage for uploaded documents and generated files.
Application Security Practices
- Input Validation: All user input is validated and sanitized using Laravel Form Requests before processing.
- SQL Injection Prevention: We use parameterized queries through Laravel's Eloquent ORM and query builder.
- Cross-Site Scripting (XSS) Prevention: Output encoding is applied through React's built-in escaping and server-side sanitization.
- Cross-Site Request Forgery (CSRF) Protection: CSRF tokens are required for all state-changing requests.
- Dependency Management: We regularly update dependencies and monitor for known vulnerabilities.
Monitoring and Incident Response
Monitoring
We monitor our infrastructure and application for anomalies, errors, and potential security events. Logging is implemented throughout the application with structured, contextual log entries. Automated alerts notify our team of unusual activity or system issues.
Incident Response
In the event of a security incident, we follow a structured response process:
- Identification: Detect and assess the scope and severity of the incident.
- Containment: Take immediate action to limit the impact and prevent further damage.
- Notification: Notify affected customers within 72 hours of confirmed incidents involving their data, as required by applicable law.
- Remediation: Address the root cause and implement measures to prevent recurrence.
- Review: Conduct a post-incident review and update security measures as needed.
Compliance Commitments
We are committed to meeting the security expectations of our dealer customers. Our current compliance posture includes:
- Hosting on AWS infrastructure that maintains SOC 2, ISO 27001, and PCI DSS compliance
- Payment processing through PCI DSS Level 1 certified Stripe
- Regular security reviews and dependency updates
- Data encryption in transit and at rest
- Role-based access controls and multi-tenant data isolation
We are actively working toward achieving SOC 2 Type II certification for our own organization and will update this page as we reach new milestones.
Responsible Disclosure
If you discover a security vulnerability in QuoteDeck, we ask that you report it responsibly. Please email security@quotedeck.io with details of the vulnerability. We commit to:
- Acknowledging your report within 2 business days
- Providing an initial assessment within 5 business days
- Working with you to understand and resolve the issue
- Not pursuing legal action against good-faith security researchers
Questions
If you have questions about our security practices or need additional information for your organization's security review, please contact us:
- Security inquiries: security@quotedeck.io
- General inquiries: hello@quotedeck.io