QuestionCraft Security Practices

Last Updated: 11/17/25

Introduction

At QuestionCraft, security is fundamental to everything we build. This document outlines our security practices, commitments, and the measures we take to protect your data and ensure the integrity of our platform.

Our Security Promise:

We implement industry-standard security practices
We continuously monitor and improve our security posture
We are transparent about our security measures
We respond quickly and responsibly to security incidents

1. Infrastructure Security

1.1 Hosting and Cloud Infrastructure

Primary Hosting:

Platform: Vercel (SOC 2 Type II certified)
Infrastructure: AWS and Google Cloud
CDN: Cloudflare (DDoS protection and WAF)
Database: Supabase (built on PostgreSQL, SOC 2 Type II certified)

Why We Chose These Providers:

SOC 2 Type II compliance (audited security controls)
Proven track record with security-conscious companies
99.9%+ uptime SLAs
Geographic redundancy and disaster recovery
DDoS protection and mitigation
Regular security audits and penetration testing

1.2 Network Security

Protection Measures:

TLS/SSL Encryption: All data in transit uses HTTPS with TLS 1.3
DDoS Protection: Cloudflare shields against volumetric attacks
Web Application Firewall (WAF): Blocks common attack patterns
Rate Limiting: Prevents brute force and abuse attempts
IP Blocking: Automatic blocking of malicious IPs
Geolocation Controls: Optional restrictions based on location

Network Monitoring:

Real-time monitoring for suspicious traffic patterns
Automated alerts for anomalous activity
Regular review of access logs
Intrusion detection systems (IDS)

1.3 Server Security

Hardening Measures:

Minimal attack surface (only necessary services running)
Regular security patches and updates (automated where possible)
Firewall rules restricting access to essential ports only
No SSH access to production servers (infrastructure-as-code deployment)
Isolated environments (development, staging, production)

2. Data Security

2.1 Encryption

Data in Transit:

TLS 1.3 for all HTTPS connections
Certificate Pinning to prevent man-in-the-middle attacks
HSTS (HTTP Strict Transport Security) enabled
Perfect Forward Secrecy to protect past communications

Data at Rest:

AES-256 encryption for sensitive data in database
Encrypted backups with separate encryption keys
Secure key management using cloud provider key management services
Passwords never stored in plain text (bcrypt hashing with salt)

API Keys and Secrets:

Encrypted at rest in secure vaults
Never logged or exposed in error messages
Rotated regularly (recommended every 90 days)
Separate keys for development, staging, and production

2.2 Data Minimization

We Only Collect What We Need:

Minimal personal information required for account creation
No collection of sensitive data (SSN, health data, biometrics)
Optional fields remain optional
Regular audits to remove unnecessary data collection

Data Retention:

Active accounts: Data retained as long as needed to provide Service
Deleted accounts: Personal data purged within 30 days
Backups: Encrypted backups retained for 90 days (disaster recovery)
Logs: Anonymized after 90 days; detailed logs deleted after 180 days

2.3 Database Security

Access Controls:

Principle of Least Privilege: Users/services access only what they need
Role-Based Access Control (RBAC): Granular permissions
No direct database access: All queries through API layer
Connection pooling with encrypted connections only

Data Integrity:

Regular backups (automated daily, with point-in-time recovery)
Backup testing (monthly restore tests to verify integrity)
Geographic redundancy (backups in multiple regions)
Checksums and validation to detect corruption

Database Hardening:

Parameterized queries to prevent SQL injection
Input validation at application layer
Database firewall restricting access to application servers only
Audit logging of all database access

3. Application Security

3.1 Secure Development Practices

Code Security:

Security-focused code reviews before deployment
Dependency scanning for known vulnerabilities (automated)
Static application security testing (SAST) in CI/CD pipeline
Secrets scanning to prevent accidental credential commits

Development Workflow:

Separate environments: Development → Staging → Production
Infrastructure as Code (IaC): Version-controlled infrastructure
Automated testing: Unit tests, integration tests, security tests
Manual penetration testing: Annual third-party security audits

Secure Dependencies:

Automated updates for security patches
Vulnerability alerts via GitHub/Dependabot
Minimal dependencies (reduce attack surface)
Trusted sources only (npm, PyPI official registries)

3.2 Input Validation and Sanitization

Protecting Against Injection Attacks:

SQL Injection: Parameterized queries, ORM usage
Cross-Site Scripting (XSS): HTML encoding, Content Security Policy (CSP)
Command Injection: Whitelist validation, no shell execution of user input
Path Traversal: Strict path validation, chroot environments

Input Validation:

Server-side validation (never trust client-side validation alone)
Type checking (ensure inputs match expected types)
Length limits (prevent buffer overflows)
Character whitelisting (allow only safe characters)

3.3 Authentication and Session Management

Password Security:

Bcrypt hashing with per-user salt (cost factor 12+)
Minimum password requirements (8+ characters, complexity)
Password strength meter to guide users
No password hints or security questions (vulnerable to guessing)

Multi-Factor Authentication (MFA):

Available for all users (optional for Free, encouraged for paid tiers)
TOTP-based (time-based one-time passwords)
Backup codes provided during MFA setup
Recovery process for lost MFA devices

Session Security:

Secure session cookies (HttpOnly, Secure, SameSite flags)
Session expiration (30 days for "remember me", 24 hours otherwise)
Concurrent session limits (optional enforcement)
Session invalidation on password change or logout

Account Security Features:

Login notifications (email alerts for new device logins)
Failed login attempt throttling (rate limiting)
Account lockout after repeated failed attempts
Password reset tokens (time-limited, single-use)

3.4 Authorization and Access Control

Principle of Least Privilege:

Users access only their own data
API keys scoped to specific permissions
Role-based access control (user, admin, support)

Data Isolation:

Multi-tenancy isolation (strict data separation between accounts)
Row-level security (RLS) in database (Supabase Postgres policies)
No cross-account data leakage (extensive testing)

API Security:

Authentication required for all API endpoints (except public docs)
Rate limiting per API key and per user
API versioning to maintain compatibility during updates
Input validation on all API requests

4. Third-Party Security

4.1 AI Provider Security

API Communication:

Encrypted API calls (HTTPS/TLS only)
API keys stored securely (encrypted vaults, not in code)
No user credentials shared (AI providers see our keys, not your account)
Limited data sent (only question text, not your account information)

Provider Selection Criteria:

SOC 2 compliance or equivalent
Strong security and privacy track record
Regular security audits
Transparent incident response

Current AI Providers:

OpenAI (SOC 2 Type II)
Anthropic (SOC 2 Type II)
Google (ISO 27001, SOC 2)
Others meet equivalent security standards

4.2 Payment Security

Stripe Integration:

PCI DSS Level 1 certified (highest level of payment security)
We never see full credit card details (tokenization)
Stripe.js (payment form hosted by Stripe, not on our servers)
3D Secure support for added fraud protection

What We Store:

Last 4 digits of card (for display purposes only)
Stripe customer ID (encrypted)
Transaction history (for billing and accounting)
We do NOT store: Full card numbers, CVV, expiration dates

4.3 Service Provider Security

Vendor Requirements:

SOC 2 Type II or equivalent certification
GDPR/CCPA compliance
Data Processing Agreements (DPAs) in place
Regular security audits
Incident response procedures

Regular Vendor Reviews:

Annual security assessment of all vendors
Monitoring vendor security certifications
Evaluating alternatives if security posture declines

5. Monitoring and Incident Response

5.1 Security Monitoring

Real-Time Monitoring:

Application Performance Monitoring (APM): Sentry for errors and exceptions
Log aggregation: Centralized logging for security event correlation
Anomaly detection: Alerts for unusual access patterns
Uptime monitoring: 24/7 availability checks

Automated Alerts:

Failed login attempts (brute force detection)
Unusual API usage patterns
Database query anomalies
Infrastructure alerts (CPU, memory, disk usage)
SSL certificate expiration warnings

Security Audits:

Daily: Automated vulnerability scans
Weekly: Review of access logs and security events
Monthly: Security metrics review and trend analysis
Annually: Third-party penetration testing and security audit

5.2 Incident Response

Our Incident Response Plan:

1. Detection and Triage (0-1 hour):

Automated alerts trigger incident response
Security team triages severity (critical, high, medium, low)
Communication channels activated (Slack, PagerDuty)

2. Containment (1-4 hours):

Isolate affected systems
Prevent further data access or exposure
Preserve evidence for investigation

3. Investigation (4-24 hours):

Determine root cause
Assess scope of impact
Identify affected users and data

4. Remediation (24-72 hours):

Patch vulnerabilities
Restore systems from backups if needed
Implement additional security controls

5. Communication (Throughout):

Internal stakeholders notified immediately
Affected users notified within 72 hours (if PII exposed)
Regulatory authorities notified as required by law

6. Post-Incident Review (Within 2 weeks):

Root cause analysis
Lessons learned documentation
Security improvements implemented

5.3 Data Breach Response

If a data breach occurs affecting your personal information:

Within 72 hours, we will:

Notify you via email to your registered address
Describe the nature and scope of the breach
Explain what data was accessed or disclosed
Outline steps we are taking to address the breach
Advise on steps you can take to protect yourself

We will also:

Notify relevant regulatory authorities (GDPR, CCPA requirements)
Engage forensic experts if needed
Provide updates as investigation progresses
Offer credit monitoring or identity protection (if appropriate)

What you should do:

Change your QuestionCraft password immediately
Enable MFA if not already active
Monitor your accounts for suspicious activity
Review the breach notification for specific guidance

6. Employee Access and Training

6.1 Access Controls

Principle of Least Privilege:

Employees access only systems necessary for their role
No default admin access
Access requests reviewed and approved by security team

Access Management:

Onboarding: Access provisioned based on role
Role changes: Access updated promptly
Offboarding: Access revoked immediately upon termination
Periodic reviews: Quarterly access audits

Sensitive Data Access:

Customer data: Accessible only for support tickets (with audit logs)
Payment data: Not accessible (handled by Stripe)
Audit logs: All data access logged and reviewable

6.2 Security Training

Mandatory Training:

Security awareness training during onboarding
Annual security refresher courses
Phishing simulation exercises
Incident response procedures

Topics Covered:

Data privacy and protection
Secure coding practices
Social engineering awareness
Password and MFA best practices
Incident reporting procedures

6.3 Background Checks

For Employees with Data Access:

Background checks conducted (where legally permitted)
Signed confidentiality agreements
GDPR/CCPA training for those handling EU/CA data

7. Compliance and Certifications

7.1 Current Compliance

Privacy Regulations:

GDPR (General Data Protection Regulation) - EU
CCPA (California Consumer Privacy Act) - California
COPPA (Children's Online Privacy Protection Act) - Age restrictions

Security Standards:

Aligned with OWASP Top 10 security best practices
Following NIST Cybersecurity Framework guidelines
Working toward SOC 2 Type II certification (planned for Year 1)

7.2 Planned Certifications

SOC 2 Type II (Year 1 Goal):

Third-party audit of security controls
Demonstrates commitment to security best practices
Required for many enterprise customers

ISO 27001 (Future):

International standard for information security management
Comprehensive security framework
Considered once we reach scale

7.3 Compliance Documentation

Available Upon Request (for Enterprise customers):

Data Processing Agreement (DPA)
Business Associate Agreement (BAA) for HIPAA (if applicable)
Standard Contractual Clauses (SCCs) for GDPR
Security questionnaire responses
Proof of insurance (cyber liability, errors & omissions)

8. User Security Responsibilities

8.1 Account Security

You are responsible for:

Choosing a strong, unique password
Enabling multi-factor authentication (MFA)
Keeping your password confidential
Not sharing account credentials
Notifying us immediately of unauthorized access

Best Practices:

Use a password manager (1Password, Bitwarden, LastPass)
Enable MFA for enhanced security
Don't reuse passwords across sites
Log out from shared or public computers

8.2 API Key Security

If you use QuestionCraft API (Master/Architect tiers):

Store API keys securely (environment variables, secret managers)
Never commit API keys to public repositories (Git)
Rotate keys regularly (recommended every 90 days)
Revoke keys immediately if compromised
Use separate keys for development/staging/production

8.3 Data Protection

Protect Your Data:

Don't submit sensitive personal data (SSN, health info) in questions
Be cautious about confidential business information
Remember AI responses may not be perfect (verify important information)
Export and back up important question history

9. Transparency and Communication

9.1 Security Updates

How We Communicate:

Security advisories posted at https://questioncraft.ai/security/advisories
Critical security updates via email to all users
Status page for service incidents: https://status.questioncraft.ai
Regular security newsletter (optional subscription)

What We Share:

High-level description of security improvements
Transparency about incidents (after resolution)
Tips for protecting your account
Industry security trends and best practices

What We Don't Share:

Specific vulnerabilities before patches are deployed
Details that could aid attackers
Sensitive security configurations

9.2 Responsible Disclosure

We Welcome Security Researchers:

Report vulnerabilities to: security@questioncraft.ai
We commit to acknowledging reports within 48 hours
We will not take legal action against good-faith security research
We credit researchers in our security advisories (with permission)

What to Include in Reports:

Description of the vulnerability
Steps to reproduce
Potential impact
Suggested remediation (optional)
Your contact information (for follow-up)

What Qualifies as Responsible Disclosure:

Give us reasonable time to fix (typically 90 days)
Don't exploit the vulnerability beyond proof-of-concept
Don't disclose publicly until we've patched
Don't access or modify user data without permission

Bug Bounty Program:

Currently informal (direct email reports)
Formal program planned once we reach scale
Public acknowledgment and swag for confirmed vulnerabilities
Monetary rewards for critical vulnerabilities (future)

10. International Security

10.1 Data Residency

Primary Data Center: United States (AWS us-east-1)
Backup Locations: US and EU regions (geographic redundancy)
Compliance: GDPR-compliant data transfers (Standard Contractual Clauses)

10.2 Cross-Border Transfers

For EU/EEA Users:

Data may be transferred to US for processing
We use Standard Contractual Clauses (SCCs) approved by EU Commission
Adequate safeguards in place per GDPR Article 46

For All International Users:

Data encrypted in transit across borders
Compliance with local data protection laws
Transparency about where data is stored and processed

11. Future Security Roadmap

11.1 Short-Term (Next 6 Months)

Penetration testing by third-party security firm
SOC 2 Type II certification process initiated
Advanced threat detection implementation
Security training expansion for all team members

11.2 Medium-Term (6-12 Months)

Bug bounty program launch
Security advisory board (external security experts)
Enhanced logging and forensics capabilities
Zero-trust architecture implementation

11.3 Long-Term (12+ Months)

ISO 27001 certification
End-to-end encryption for stored questions (user-controlled keys)
Security operations center (SOC) 24/7 monitoring
Advanced AI-powered threat detection

12. Questions and Contact

12.1 Security Inquiries

General Security Questions:
Email: security@questioncraft.ai
Subject: "Security Inquiry"

Vulnerability Reports:
Email: security@questioncraft.ai
Subject: "Security Vulnerability Report"
Please do NOT disclose vulnerabilities publicly before we address them.

12.2 Privacy and Compliance

Privacy Questions:
Email: privacy@questioncraft.ai

Compliance/DPA Requests (Enterprise):
Email: legal@questioncraft.ai
Subject: "Compliance Documentation Request"

12.3 Incident Reporting

Suspected Security Incident:
Email: security@questioncraft.ai
Subject: "URGENT - Security Incident"
For emergencies, we aim to respond within 1 hour.

Unauthorized Account Access:
Email: support@questioncraft.ai
Subject: "Account Security Issue"
Or use the "Report Suspicious Activity" link in your account

13. Related Resources

Security Documentation:

Status Page: https://status.questioncraft.ai
Security Advisories: https://questioncraft.ai/security/advisories
Security FAQs: https://questioncraft.ai/security/faq

Legal Documents:

Terms of Service: https://questioncraft.ai/terms
Privacy Policy: https://questioncraft.ai/privacy
Acceptable Use Policy: https://questioncraft.ai/acceptable-use
Cookie Policy: https://questioncraft.ai/cookies

External Resources:

OWASP Top 10: https://owasp.org/www-project-top-ten/
NIST Cybersecurity Framework: https://www.nist.gov/cyberframework
GDPR Information: https://gdpr.eu
CCPA Information: https://oag.ca.gov/privacy/ccpa

14. Acknowledgments

We are committed to continuous improvement of our security practices. This document will be updated regularly as we enhance our security posture, implement new controls, and respond to evolving threats.

Thank you for trusting QuestionCraft with your data. Security is a shared responsibility, and we appreciate your partnership in keeping our platform secure.

END OF SECURITY PRACTICES

Contact:

QuestionCraft LLC
Attn: Security Team
3 Fruit St Newburyport, MA 01950

Email:

Security: security@questioncraft.ai
Privacy: privacy@questioncraft.ai
Support: support@questioncraft.ai
Legal: legal@questioncraft.ai

Website: https://questioncraft.ai