QWIC Security Policy
This page explains how we protect the data of our customers and their users on the QWIC platform. The controls below are designed to be clear and auditable, and cover cloud architecture, encryption, access control, secure development, backup, incident response, and vendor management.
Last updated: 2025-09-24
1) Executive Summary
Protecting customer data is a top priority.
All communications are encrypted, and sensitive data is stored with strong encryption.
Access to systems is based on the principle of "minimum necessary permissions."
We have backups, disaster recovery plans, and incident response procedures in place.
We comply with the General Data Protection Regulation (GDPR) and the privacy practices described in our Privacy Policy.
2) Cloud infrastructure and reliability
Hosting on a certified cloud provider (multi-region data centers, high availability, automatic backups).
Isolate development/test/production environments from each other.
Use containers and managed services to reduce the risk surface and facilitate security updates.
Continuous performance and health monitoring, with service level agreement (SLA) status tracking.
3) Encryption and key management
In transit: TLS 1.2 or later with modern cipher suites, at a minimum 128-bit encryption strength and 256-bit preferred.
At rest: AES-256 encryption of data in databases, backups, and storage snapshots.
Key management: keys are held in the cloud provider's KMS, rotated periodically, with restricted access and audit logging of key use.
4) Authentication and access control
SSO/SAML/OIDC optional for enterprise customers.
2FA/MFA for QWIC team accounts and customer administrative accounts.
Role-based access control (RBAC) following the principle of least authority.
Automatic expiry of inactive sessions, limits on login attempts, and CAPTCHA challenges when abuse is suspected.
5) Network and application security
Web application firewall (WAF) and network firewalls, blacklisting of known malicious sources, and rate limiting.
DDoS protection via the cloud provider and/or a content delivery network (CDN).
Strict input validation to defend against SQL injection (SQLi), cross-site scripting (XSS), CSRF, SSRF, and remote code execution (RCE).
Browser security headers: HSTS, X-Content-Type-Options, X-Frame-Options, and Content Security Policy (CSP).
Logically separate customer data (tenant isolation).
6) Secure Software Development Lifecycle (SSDLC)
Mandatory code reviews and automated SAST/DAST checks.
Regular security updates for libraries and system packages (Dependabot or similar).
Automated build/deployment (CI/CD) environment with container image signing and verification.
Penetration tests are conducted periodically by a third party; findings are handled through our formal vulnerability management process.
7) Vulnerability and Patch Management
Periodic automated vulnerability scanning of the infrastructure and software dependencies.
CVSS scoring, with remediation prioritized by severity.
Maintenance windows announced for critical updates.
Responsible Disclosure Program – See “Report a Vulnerability.”
8) Audit logging and monitoring
Log login attempts, sensitive changes, administrative operations, and security events.
Logs are retained in accordance with our data retention policy and protected against tampering.
Real-time alerts on indicators of compromise (IoCs) or anomalous behavior.
9) Backup and Disaster Recovery
Daily and point-in-time backups, encrypted and replicated across different regions.
Periodic restore drills to ensure the integrity of copies.
Targets: RPO ≤ 24 hours, RTO ≤ 4 hours (customizable in corporate contracts).
10) Incident Response (IR)
A designated response team with documented procedures: identify, contain, eradicate, recover, and lessons learned.
Customers are notified of incidents affecting their data within a reasonable time frame and in accordance with contractual and legal requirements.
11) Privacy and Compliance
Data is processed in accordance with our Privacy Policy; a Data Processing Agreement (DPA) is available upon request.
Support individual rights (access, correction, deletion) through support channels.
Data Minimization.
Data residency and retention options as agreed with the customer.
12) Third-party integrations and APIs
When connecting with channels like WhatsApp/Instagram/Facebook or CRMs (Salesforce/HubSpot/Zoho…):
We adhere to the security and privacy policies of those services.
Access keys and tokens are stored encrypted, with periodic renewal and limited permissions.
We do not use third-party data outside the agreed service purpose.
13) Client roles and responsibilities
Enable MFA/SSO for your team accounts.
Manage and periodically review roles for users, and revoke access for those who leave the team.
Set retention periods and privacy policies within your control panel.
Keep integration secrets (API tokens, webhook secrets) confidential and rotate them whenever compromise is suspected.
14) Data Retention and Deletion
Data retention according to customer settings or contract.
Secure deletion upon termination of the relationship or upon authenticated request, with backups deleted upon expiration of the legal/technical retention period.
Ability to export data in a standard format before deletion.
15) Report a vulnerability (Responsible Disclosure)
If you discover a vulnerability, send the details to security@qwic.ai along with steps to reproduce and the potential impact.
Do not exploit the vulnerability or access data that is not yours.
We will confirm receipt within 72 hours and provide you with an initial priority estimate and processing plan.
PGP encryption is available for sensitive reports (public key provided upon request).
16) Certifications and Standards (Roadmap)
We align our practices with ISO/IEC 27001 and SOC 2 (Type 1/2) as a roadmap; third-party reports are shared under a Non-Disclosure Agreement (NDA) when available.
Annual security audits by an independent party, and continuous updates of the security policy.
17) Quick FAQs
Is chat data encrypted? Yes, during transmission and storage.
Does QWIC have access to my customers' content? Only when necessary and for support/maintenance purposes, with restricted permissions and audit logs.
Can I choose a data storage location? Available to enterprise customers subject to contract and regional availability.
How long are backups kept? By default, 30–90 days (customizable).
18) Contact us about security
For general support: support@qwic.ai
Website: https://qwic.ai
Legal Notice: This policy is part of QWIC's security commitments, but it is not an absolute guarantee against all risks. Any additional commitments or special service rates are specified in the contract or service level agreement (SLA) signed with the customer.