Security Practices

Last updated: April 13, 2026

1. Data Encryption

In transit: All data between your browser and QkFill is encrypted via TLS 1.2+ (HTTPS). API calls between our services use HMAC-signed requests for authentication.

At rest: All data stored in our database (Supabase/PostgreSQL on AWS) is encrypted using AES-256 at rest. File uploads in Supabase Storage are similarly encrypted.

2. Access Control (RBAC)

QkFill uses role-based access control with 5 distinct roles:

  • Super Admin: Platform-wide administration
  • Org Admin: Organization management, billing, team
  • Org Agent: Template creation, profile management, form filling
  • Org Applicant: Own application and profile only
  • B2C User: Individual use without organization

Every API route enforces permissions at the application level using requirePermission(). There are no anonymous API endpoints that access user data.

3. Organization Isolation

Each organization's data is completely isolated from other organizations using PostgreSQL Row-Level Security (RLS). This is enforced at the database level — even if application code has a bug, one organization cannot access another's data.

RLS policies use organization-scoped helper functions to ensure every query is automatically filtered to the authenticated user's organization.

4. Infrastructure

  • Database: Supabase (PostgreSQL on AWS) — Pro tier with daily automated backups, 7-day retention
  • Frontend: Vercel — edge network, automatic HTTPS, DDoS protection
  • Backend API: Railway — containerized Python FastAPI service
  • Payments: Stripe — PCI DSS Level 1 compliant. We never store credit card numbers.
  • Error Tracking: Sentry — captures application errors without PII

5. AI Provider Security

Document processing uses Azure Document Intelligence and Google Gemini. These providers:

  • Process data only for the purpose of extraction — no training on your data
  • Do not retain uploaded documents after processing
  • Are covered by enterprise-grade data processing agreements

All API calls to AI providers use authenticated, encrypted connections.

6. Audit Trails

All administrative actions (user management, role changes, organization settings) are logged in an audit trail with timestamps, acting user, and change details. Status changes on applications and documents are tracked in a dedicated status history table.

7. Responsible Disclosure

If you discover a security vulnerability in QkFill, please report it responsibly:

  • Email: support@qkfill.com with subject "Security Vulnerability"
  • Include: description of the vulnerability, steps to reproduce, potential impact
  • We will acknowledge receipt within 48 hours and provide a resolution timeline

Please do not publicly disclose vulnerabilities until we have addressed them.

8. Data Processing Agreement

We provide a standard Data Processing Agreement (DPA) for organizations that require one. The DPA covers data processing scope, sub-processors, breach notification, and data deletion.

Download our DPA (PDF)

9. Contact

Security questions? Contact us at support@qkfill.com or visit our contact page.