Security

How we protect your data

Security Best Practices

Following industry security standards

Encryption Everywhere

Data encrypted at rest and in transit (TLS 1.3)

High Availability

Multi-region edge infrastructure for fast, reliable delivery worldwide

Platform Security

Hosting & Availability

  • High-availability, multi-region edge delivery
  • Automatic DDoS protection at the network edge
  • Security patches applied on a regular cadence

Data Storage

  • Encrypted databases with strict access controls
  • Automated backups with point-in-time recovery
  • Access logging for sensitive operations

Application Security

Authentication & Authorization

  • OAuth-based sign-in (Google) with secure session cookies
  • Password hashing with industry-standard algorithms where passwords are used
  • Role-based access control for multi-user plans
  • Scoped, hashed API keys for programmatic access

Data Protection

  • TLS 1.3 for all connections
  • Encryption at rest for stored data
  • Rate limiting on public endpoints to mitigate abuse

Operational Practices

Access Controls

  • Principle of least privilege (minimal access) for internal systems
  • Audit logs for administrative actions

Monitoring

  • Continuous infrastructure and application monitoring
  • Automated alerting on anomalous activity

Privacy & Compliance

QRZY is built to respect user privacy:

  • GDPR-aligned data handling and aggregated analytics (see our GDPR page)
  • CCPA-aligned rights for California residents
  • Payments handled by our payment provider — we do not store card details on our servers

Formal certifications (e.g. SOC 2, ISO 27001) are not currently held. We'll announce them here when they are in place.

Reporting Security Issues

If you discover a security issue, please report it responsibly by emailing us. We aim to acknowledge reports within two business days.

Email: security@qrzy.co