Security First
Security Overview
How Qbiqal protects your data — infrastructure security, encryption standards, access controls, vulnerability management, and incident response.
Last updated: May 12, 2026
Our Security Commitment
Security is built into every layer of the Qbiqal platform — from infrastructure choices to code review practices. We handle sensitive business data, and we take that responsibility seriously.
To report a security vulnerability, email [email protected] with subject “Security Disclosure”. We respond to all security reports within 24 hours.
Security Features
🔐
Encryption at Rest
All databases encrypted with AES-256-GCM. Sensitive credentials (API keys, secrets) are double-encrypted before storage.
🔒
Encryption in Transit
TLS 1.2+ enforced on all endpoints. HTTP Strict Transport Security (HSTS) enabled. No plaintext data transmission.
🛡️
Multi-Tenant Isolation
Strict tenant isolation at the database level using Row-Level Security. No data leakage between workspaces.
🔑
Authentication & 2FA
JWTs with 15-minute access tokens and 7-day refresh tokens. TOTP 2FA available for all accounts. Rate limiting on auth endpoints.
📋
Immutable Audit Logs
All critical operations are logged immutably with actor, timestamp, and IP. Audit logs retained for 90 days.
🚨
Incident Response
Dedicated incident response process with 72-hour breach notification. Security issues reported to [email protected].
Infrastructure
- Hosting: Hetzner Cloud, Germany (EU) — ISO 27001 certified data centers.
- CDN & DDoS Protection: Cloudflare — all traffic routed through Cloudflare's network.
- Database: PostgreSQL with PgBouncer connection pooling in transaction mode.
- Object Storage: Cloudflare R2 with server-side encryption.
- Secrets Management: All secrets stored encrypted, rotated periodically.
- Container Security: Docker images scanned for vulnerabilities before deployment.
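How database-level tenant isolation of the kind described under Multi-Tenant Isolation can be built on PostgreSQL Row-Level Security, and why PgBouncer's transaction pooling mode (listed above) dictates how the tenant context is set. This is an added example, not Qbiqal's schema or code; the table, role, setting names and workspace ids are assumptions.

```sql
-- Added example, not Qbiqal's schema: a documents table scoped to a workspace.
CREATE TABLE documents (
    id           bigserial PRIMARY KEY,
    workspace_id uuid NOT NULL,
    body         text NOT NULL
);

-- The application connects as a role that does not own the table,
-- so it cannot bypass RLS; FORCE makes the policy bind the owner as well.
CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON documents TO app_user;
ALTER TABLE documents ENABLE ROW LEVEL SECURITY;
ALTER TABLE documents FORCE ROW LEVEL SECURITY;

-- Rows are visible and writable only when workspace_id matches the custom
-- setting app.workspace_id. NULLIF guards the case where the setting exists
-- but is empty (e.g. after a SET LOCAL has expired), so a missing tenant
-- context yields no rows instead of a cast error or an unfiltered query.
CREATE POLICY workspace_isolation ON documents
    FOR ALL TO app_user
    USING (workspace_id = NULLIF(current_setting('app.workspace_id', true), '')::uuid)
    WITH CHECK (workspace_id = NULLIF(current_setting('app.workspace_id', true), '')::uuid);

-- With PgBouncer in transaction pooling mode a server connection is handed to
-- a different client after each transaction, so a session-level SET would
-- carry one tenant's context into another tenant's queries. SET LOCAL is
-- scoped to the current transaction and is discarded at COMMIT/ROLLBACK.
BEGIN;
SET LOCAL app.workspace_id = '11111111-1111-1111-1111-111111111111';  -- constructed id
SELECT id, body FROM documents;      -- returns only this workspace's rows
COMMIT;

-- A write tagged with another workspace is refused by WITH CHECK:
-- ERROR: new row violates row-level security policy for table "documents"
BEGIN;
SET LOCAL app.workspace_id = '11111111-1111-1111-1111-111111111111';
INSERT INTO documents (workspace_id, body)
    VALUES ('22222222-2222-2222-2222-222222222222', 'cross-tenant write');
ROLLBACK;
```

A useful deployment check is to connect as the application role through the pooler, run a query with no tenant context set, and confirm it returns zero rows rather than every workspace's data.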
Access Controls
- Principle of least privilege for all internal access.
- Role-based access control (RBAC) at workspace and platform level.
- No Qbiqal employee can access your workspace data without an explicit support request.
- Production database access restricted to automated systems — no direct developer access.
- All access events are logged with actor, timestamp, and origin IP.
Vulnerability Management
- Regular dependency audits using automated vulnerability scanning.
- Critical security patches applied within 24 hours of disclosure.
- Code review required for all changes to authentication, billing, and data access layers.
- Responsible disclosure program — we welcome security researchers.
Incident Response
In the event of a security incident affecting customer data:
- Incident contained and assessed within 4 hours of detection.
- Affected customers notified within 72 hours per DPDP Act requirements.
- Post-incident report published to affected customers within 14 days.
Report security issues: [email protected] · +91 74392 87439
Compliance
- Indian DPDP Act 2023 — full compliance for Data Fiduciary obligations.
- GST-compliant invoicing and record-keeping.
- Data residency options available for Enterprise customers on request.