Security at Quaneuron
This page outlines our security practices and commitments. It is intentionally high-level and will evolve as the product matures. For security questions or to report a vulnerability, contact hello@quaneuron.com.
We reduce risk by collecting less
Quaneuron never stores your prompts or model outputs. We track cost, latency, errors, and patterns — not your data. Less sensitive data collected means less sensitive data to protect.
1) Security philosophy
Quaneuron is built around a simple principle: the best way to protect sensitive data is to avoid collecting it in the first place.
We do not capture prompts, completions, or raw content. We only collect operational metadata — cost, tokens, latency, errors, timestamps, and labels. This means our attack surface for sensitive data exposure is minimal by design.
Beyond that, we apply standard security practices appropriate for a SaaS product: least privilege access, defense in depth, workspace isolation, and transparency about what we do and do not do.
2) What we protect
The data Quaneuron stores and protects includes:
- Operational event metadata (cost estimates, token counts, latency, errors, timestamps, labels, model/provider identifiers)
- Account and workspace information (name, email, team configuration)
- Authentication credentials and access control data
- Billing and payment records (payment processing is handled by Stripe — we do not store full card numbers)
- API keys used to ingest events into Quaneuron
We do not store prompts, model outputs, raw documents, or any content processed by your AI features.
3) Access control and isolation
- Workspace isolation: all data is scoped to a workspace. Users can only access data in workspaces they belong to.
- Role-based permissions: workspace members have roles (owner, admin, member, viewer) that control what they can see and do.
- Authentication: access requires a verified account. We use Supabase Auth for session management.
- API key scoping: ingest API keys are scoped to individual projects. A compromised key cannot access other projects or account data.
- Internal access: production data access is restricted to what is operationally necessary. Internal access is logged.
4) Data protection
- Encryption in transit: all traffic between your systems and Quaneuron is encrypted via TLS.
- Encryption at rest: data is stored in encrypted databases (Supabase / PostgreSQL with encryption at rest enabled).
- Auditability: key security events and access changes are logged.
- Data minimization: we collect only what is needed to provide the Service. We do not retain data longer than necessary.
5) Infrastructure and operations
- Hosting: Quaneuron runs on managed cloud infrastructure (Vercel for the application, Supabase for the database). Both providers maintain their own security certifications and controls.
- Environment separation: development, staging, and production environments are separated.
- Dependency management: we monitor for and apply security updates to our dependencies on a regular basis.
- Secrets management: credentials and API keys are stored as environment secrets, not in source code.
6) Incident response
If we become aware of a security incident that affects your data, we will notify affected customers promptly and provide details about what happened, what data was involved, and what we are doing to address it.
To report a vulnerability or suspected security issue, email hello@quaneuron.com with a description and, if applicable, steps to reproduce. Please avoid including sensitive or personal data in your report.
We take all reports seriously and will respond promptly. We ask that you give us reasonable time to investigate before public disclosure.
7) Third-party providers
Quaneuron relies on a small number of trusted infrastructure and service providers:
- Supabase: database, authentication, and storage
- Vercel: application hosting and edge functions
- Stripe: payment processing
- Resend: transactional email
Each provider is selected for its security posture and data handling practices. We share only the data necessary for them to provide their services.
8) Customer responsibilities
Customers are responsible for:
- Keeping their login credentials and API keys secure
- Controlling who is added to their workspace and what permissions they have
- Rotating API keys if they are suspected to be compromised
- Notifying us promptly if they believe unauthorized access has occurred
API keys can be rotated at any time from the Settings page. Compromised keys should be rotated immediately.
9) Compliance and roadmap
Quaneuron began its SOC 2 readiness program in November 2025 and has been tracking security controls and gathering evidence since then. We intend to complete a formal SOC 2 Type II audit as the product matures.
If you have specific compliance requirements (e.g. a security questionnaire, DPA, or BAA), contact us at hello@quaneuron.com and we will work with you directly.
10) Changes to this policy
We may update this page as our practices evolve or as we achieve new security milestones. We will update the "Last updated" date when changes are made.
For significant changes, we will communicate directly with customers where relevant.
11) Contact
Security questions or reports? hello@quaneuron.com.