Security & trust

Security you can verify. Not just claim.

How Quillreach protects your data, your LinkedIn accounts, and your customers' contact information. With specifics, not slogans.

In one sentence

Quillreach protects every workspace with row-level access controls inside the database itself, encryption in transit and at rest, and automated security checks gating every code change. We never store your LinkedIn password, and we don't use your inbox to train AI models.

Workspace isolation, enforced at the database

Every table that holds user data (campaigns, leads, conversations, settings, audit logs) has row-level access policies that scope reads and writes to members of the owning workspace. The check runs inside the database itself, not just in application code. A bug in our app layer can't override it; a leaked database key can't override it. This is the defense-in-depth posture we wanted, so we paid the up-front cost of writing the policies.
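As an added illustration (not Quillreach's code or schema), this is how database-enforced workspace scoping of the kind described above can be written, assuming PostgreSQL row-level security. The tables, the `app_user` role, the `app_current_user_id()` helper and the `app.user_id` setting are all hypothetical.

```sql
-- Added example (PostgreSQL); every table, role, function and setting name is hypothetical.
CREATE TABLE workspace_members (
    workspace_id bigint NOT NULL,
    user_id      bigint NOT NULL,
    PRIMARY KEY (workspace_id, user_id)
);
CREATE TABLE campaigns (
    id           bigint PRIMARY KEY,
    workspace_id bigint NOT NULL,
    name         text   NOT NULL
);

-- Constructed sample rows, loaded before the policies are switched on.
INSERT INTO workspace_members VALUES (10, 1), (20, 2);
INSERT INTO campaigns VALUES (100, 10, 'ws10 outreach'), (200, 20, 'ws20 outreach');

-- The application connects as a role that neither owns the tables nor has BYPASSRLS.
CREATE ROLE app_user NOLOGIN NOBYPASSRLS;
GRANT SELECT ON workspace_members TO app_user;
GRANT SELECT, INSERT, UPDATE, DELETE ON campaigns TO app_user;

-- Caller identity comes from a per-transaction setting. Unset or empty becomes NULL,
-- and a NULL comparison matches no rows, so a missing identity fails closed.
CREATE FUNCTION app_current_user_id() RETURNS bigint LANGUAGE sql STABLE AS
$$ SELECT NULLIF(current_setting('app.user_id', true), '')::bigint $$;

ALTER TABLE workspace_members ENABLE ROW LEVEL SECURITY;
ALTER TABLE campaigns         ENABLE ROW LEVEL SECURITY;
ALTER TABLE campaigns         FORCE ROW LEVEL SECURITY;  -- the table owner is subject to policies too

CREATE POLICY own_memberships ON workspace_members
    FOR SELECT TO app_user
    USING (user_id = app_current_user_id());

-- USING scopes rows that can be read, updated or deleted;
-- WITH CHECK scopes rows that can be written.
CREATE POLICY workspace_isolation ON campaigns
    FOR ALL TO app_user
    USING      (workspace_id IN (SELECT m.workspace_id FROM workspace_members m
                                 WHERE m.user_id = app_current_user_id()))
    WITH CHECK (workspace_id IN (SELECT m.workspace_id FROM workspace_members m
                                 WHERE m.user_id = app_current_user_id()));

-- One request, acting as user 1, who belongs to workspace 10 only.
BEGIN;
SET LOCAL ROLE app_user;
SET LOCAL app.user_id = '1';
SELECT id, name FROM campaigns;                          -- USING limits this to workspace 10
UPDATE campaigns SET name = 'renamed' WHERE id = 200;    -- row 200 is outside the USING scope
INSERT INTO campaigns VALUES (300, 20, 'cross-tenant');  -- WITH CHECK rejects workspace 20
ROLLBACK;
```

Superusers and roles with `BYPASSRLS` are not subject to policies, so when reviewing a setup like this, confirm which role each application credential maps to.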

Encryption everywhere it matters

Traffic between you and Quillreach is served over TLS. Database storage is encrypted at rest with industry-standard encryption, and backups inherit the same encryption. Production secrets live in an encrypted vault scoped per environment, so preview and production never share credentials.

Your LinkedIn account, never your password

Quillreach connects to LinkedIn without ever storing your password. You authenticate once through a secure flow, and we keep a token scoped to your account that you can revoke at any time. We don't see, store, or transmit your LinkedIn password, and we never replay your LinkedIn cookies into a browser extension.

Authentication you control

Sign in with email or Google. Sessions are stored in secure cookies that rotate on a rolling basis, and you can revoke any session from your account in a single click. Every authentication event (sign-in, password change, new device) is recorded in your recent-activity panel so you can spot anything that wasn't you.

Every code change reviewed before it ships

Every change to Quillreach passes through automated security checks (secret scanning, the full test suite, a required security checklist) before it can be merged. Production releases never bypass review. The discipline shows up where it matters: bugs that get caught at review never become incidents your account sees.

Common questions

Where is our data stored?

Quillreach runs on industry-standard managed infrastructure with SOC 2 Type II certified providers. We can confirm specific region details on request, useful for buyers running data-residency reviews.

Are you SOC 2 or ISO 27001 certified?

Not yet. Quillreach is a one-founder company, and the audit cost only makes sense once revenue supports it. In the meantime we follow the practices those audits check for: encrypted storage, row-level access control, secret rotation, automated secret scanning in CI, peer-reviewed pull requests, and authentication-event logging. If your procurement process strictly requires SOC 2, we'd rather tell you up front than waste your time.

Can we sign a Data Processing Agreement (DPA)?

Yes. Email security@quillreach.com for our standard DPA. It includes the full list of sub-processors, the data we process on your behalf, and how we'll notify you of changes. We can also sign your DPA if it's reasonable.

Do you use our inbox or campaign data to train AI?

No. The AI features in Quillreach (personalization drafts, reply suggestions) run against your data on a per-request basis. Nothing from your inbox, leads, or campaigns is used to train models. Our model providers are configured for no-training data handling. We don't opt you in to their improvement programs.

How do I report a security issue?

Email security@quillreach.com. We aim to acknowledge within one business day. We don't yet operate a formal bug bounty, but we credit responsible disclosures publicly with the reporter's consent, and we'll respond regardless of bounty.

Has Quillreach had a security incident?

No incidents to disclose at the time of writing. If that ever changes, we'll post it on our public status page and email affected workspaces directly. Incident transparency is one of the things our DPA commits us to.

Questions we didn't answer?

Email security@quillreach.com. Real founder, real reply, usually within a business day.