Security

Enterprise-grade protection for financial data

Quadesto is built with security-first architecture. Financial data demands the highest standard of protection, and every layer of the platform is designed to meet that standard — from encrypted credential storage to network-level controls.

How does Quadesto protect your data?

Quadesto encrypts all stored credentials using AES-256-GCM with per-record random initialization vectors. Data in transit is protected by TLS 1.3. Every database table enforces Postgres Row-Level Security (RLS) policies, ensuring strict tenant isolation. API credentials are decrypted only server-side and never reach the browser. All endpoints are rate limited via Redis-backed sliding window counters. The platform runs on dedicated infrastructure with no shared tenancy for sensitive operations, and security headers including HSTS, Content-Security-Policy, and Permissions-Policy are applied to every response.

Encryption at rest and in transit

All sensitive data stored by Quadesto is encrypted at rest using AES-256-GCM, the same encryption standard used by banks and government agencies. Each credential record is encrypted with a unique random initialization vector (IV) and includes an authentication tag to detect tampering. The encryption key is stored as an environment variable on the server, never in the database.

Data files uploaded to the platform are stored in encrypted object storage. Temporary caches use encrypted Redis instances with automatic TTL-based expiry, ensuring that cached data does not persist beyond its useful lifetime.

All data in transit between clients and Quadesto servers is encrypted using TLS 1.3 with modern cipher suites. HTTP Strict Transport Security (HSTS) headers ensure that browsers only communicate over HTTPS, and certificate transparency logs provide an additional layer of verification. Connections to external data providers are also encrypted, and the platform verifies TLS certificates before establishing any outbound connection.

Access control and authentication

Quadesto uses Supabase Auth for user authentication, issuing signed JWTs (JSON Web Tokens) on login. Tokens are short-lived and refreshed automatically. Sessions are managed server-side with secure, httpOnly cookies to prevent client-side token theft via XSS.

Every database table has Postgres Row-Level Security (RLS) policies enforced at the database layer. This means that even if an application-level vulnerability were exploited, the database itself prevents any user from reading or writing another tenant's data. RLS policies are not optional middleware — they are enforced by Postgres on every query, regardless of how the query is issued.

Team workspaces support role-based access control. Workspace owners can invite team members with specific permission levels. Member permissions determine access to workspace settings, data source configuration, and credential management. Permission checks are enforced server-side on every API route, not just in the UI.

API credential security

When you connect an external data provider — such as a financial API, database, or webhook — your credentials are encrypted immediately upon receipt using AES-256-GCM and stored in an encrypted credential vault. The plaintext credential exists in server memory only for the duration of the encryption operation.

Credentials are decrypted only server-side when needed to fetch data on your behalf. They are never sent to the browser, never included in API responses, and never logged. The client application has no mechanism to retrieve the raw credential value — it can only reference credentials by ID.

To prevent server-side request forgery (SSRF), all outbound requests initiated by the platform are validated against a deny list of private IP ranges, loopback addresses, link-local addresses, and known internal hostnames. DNS resolution is performed and checked before the HTTP request is made, preventing DNS rebinding attacks where a hostname initially resolves to a public IP but later resolves to an internal address.

Infrastructure security

Quadesto runs on dedicated infrastructure using a self-hosted Supabase deployment. This means your data is not stored on shared multi-tenant database clusters managed by a third party. The Postgres instance, authentication service, and object storage are all deployed on infrastructure controlled by Quadesto.

All API endpoints are protected by Redis-backed rate limiting using sliding window counters. Rate limits survive container restarts and work correctly across multiple application instances. AI-powered endpoints, such as analysis and chat, have separate per-user rate limits to prevent credit abuse and ensure fair usage across all accounts.

The infrastructure is deployed on European data centers with automated backups and monitoring. Container orchestration handles automatic restarts and health checks, ensuring high availability without manual intervention.

Application security

Every HTTP response from Quadesto includes a comprehensive set of security headers. Strict-Transport-Security (HSTS) ensures browsers only connect over HTTPS. Content-Security-Policy (CSP) restricts which scripts, styles, and resources can load, mitigating cross-site scripting (XSS) attacks. X-Content-Type-Options prevents MIME type sniffing. X-Frame-Options and frame-ancestors directives prevent clickjacking by controlling which sites can embed Quadesto pages — with an exception for the embed feature, which allows framing only for published views.

Referrer-Policy is set to restrict referrer information sent to external sites, and Permissions-Policy disables access to browser features that Quadesto does not use, such as camera, microphone, and geolocation.

All API error responses are sanitized before being sent to the client. Database constraint names, internal table structures, stack traces, and implementation details are stripped from error responses and logged server-side only. This prevents information leakage that could help an attacker understand the internal architecture. Input validation is performed server-side on all API routes, and user-provided content is sanitized before storage and rendering.

Data handling and privacy

Quadesto does not sell, share, or monetize your data. Your financial data is yours. The platform processes your data only to provide the visualization, analysis, and collaboration features you use. Data fetched from external providers is cached with configurable TTL (time-to-live) values to reduce unnecessary API calls, and cached data is automatically purged when the TTL expires.

You retain full control over your data at all times. You can delete individual data sources, workspaces, or your entire account. When you delete data, it is removed from the database and any associated caches. Deleted data is not retained for analytics or training purposes.

The platform is designed with GDPR awareness. Data is processed and stored in European data centers. Users can export their data and request complete account deletion. No tracking pixels or third-party analytics services are used to profile user behavior within the application.

Security practices

AES-256-GCM

All credentials and sensitive data encrypted at rest with per-record random IVs

TLS 1.3

All data in transit encrypted via TLS 1.3 with modern cipher suites

Row-level security

Postgres RLS on every table prevents cross-tenant data access

SSRF protection

DNS resolution checks block requests to private IP ranges and internal hosts

Rate limiting

Redis-backed sliding window counters on all API endpoints

Team permissions

Role-based access control with owner, admin, and member roles

Security headers

HSTS, CSP, X-Frame-Options, and Permissions-Policy on all routes

Input validation

Server-side validation on all inputs with sanitized error responses

No shared tenancy

Dedicated infrastructure with isolated credential storage per account

SOC2 alignment

While Quadesto does not currently hold SOC2 certification, the security architecture is designed to meet SOC2 Type II requirements across all trust service criteria: security, availability, processing integrity, confidentiality, and privacy. Every control described on this page is implemented in production, not aspirational.

If your organization requires specific compliance documentation or has questions about how a particular control is implemented, we are available to discuss your requirements in detail.

Questions about security?

If you have questions about Quadesto's security practices, need compliance documentation, or want to report a vulnerability, contact our team directly.

Contact [email protected]