Security Overview

Security is foundational to QuivaWorks’ architecture. This guide provides an overview of platform security and helps you navigate our security documentation.

Quick Security Setup

New to QuivaWorks? Complete these essential security steps:
  1. Enable MFA
     Set up multi-factor authentication immediately after creating your account.
     Set up MFA →
  2. Save Recovery Codes
     Store your recovery codes in a password manager or secure location.
     About recovery codes →
  3. Review Sessions
     Check your active login sessions and terminate any you don’t recognize.
     Manage sessions →
  4. Secure API Keys
     If using the API, follow best practices for key management.
     API security guide →

Platform Security

Compliance & Certifications

ISO 27001

Information security management system certified

SOC 2 Type II

Coming soon - Independent audit of security controls

GDPR Compliant

Full compliance with EU data protection regulations

PCI DSS

Payment card data security for billing
HIPAA compliance is available on Enterprise plans only. Contact us if you need to process protected health information.

Data Protection

Encryption

  • At Rest: AES-256 encryption for all stored data
  • In Transit: TLS 1.3 for all communications

Data Residency

Choose where your data is processed: EU, US, or Australia
Configure regions →

Data Isolation

Multi-tenant architecture with logical separation between accounts

Redundancy

Minimum 3 servers per account with continuous replication

Account Security Features

Authentication & Access Control

Security Notifications

You’ll receive automatic email alerts for important security events:
  • Password changes
  • Email address change requests
  • New passkeys or MFA devices added
  • Recovery codes viewed
  • New users added to your account
If you receive a notification for an action you didn’t perform, follow our Incident Response Guide immediately.

Security Best Practices

Essential Security Measures

  • Use a strong, unique password (12+ characters)
  • Enable MFA immediately after account creation
  • Store recovery codes in a password manager
  • Review active sessions monthly
  • Keep your browser and OS updated
Detailed user security guide →

  • Require MFA for all users (especially Admin/Root)
  • Apply least privilege when assigning roles
  • Conduct monthly security audits
  • Implement proper offboarding procedures
  • Provide regular security training
User management guide →

  • Never hardcode API keys in source code
  • Use environment variables or secret managers
  • Rotate API keys every 3 months
  • Implement proper error handling
  • Always use HTTPS for API calls
API security best practices →

If Something Goes Wrong

Incident Response

Suspect a security breach? Follow our step-by-step incident response guide to secure your account and minimize damage.

Common indicators:
  • Unfamiliar login locations
  • Unexpected account changes
  • Suspicious resource activity
  • Unusual billing charges

Privacy & Data Handling

What We Collect

We collect only what’s necessary to provide our service:
  • Account information (email, name, company details)
  • Usage information (login activity, API usage, resource modifications)
  • Billing information (processed by Stripe)
We never:
  • Sell your data to third parties
  • Use your data to train AI models
  • Share data between accounts
  • Access your data without permission

Your Rights Under GDPR

Right to Access

Request a copy of your personal data

Right to Rectification

Update your information in account settings

Right to Erasure

Delete your account and all data
Close account →

Right to Portability

Export your data via buckets
Contact [email protected] to exercise your rights.

Vulnerability Reporting

We appreciate responsible disclosure of security vulnerabilities.
If you discover a security issue:
  1. Do not publicly disclose or exploit the vulnerability
  2. Email [email protected] with:
    • Detailed description and steps to reproduce
    • Potential impact assessment
    • Your contact information
  3. Allow reasonable time for us to address the issue
Our commitment:
  • Acknowledge reports within 48 hours
  • Provide regular updates on remediation
  • Address critical vulnerabilities within 24 hours
  • Credit researchers after deployment (if desired)

Security Resources

Security Checklist

Quick reference for maintaining account security:

Initial Setup

  • Enable MFA (passkey or authenticator app)
  • Save recovery codes securely
  • Configure account regions for compliance
  • Set up a strong, unique password

Monthly

  • Review all active sessions
  • Audit active API keys
  • Check for unused user accounts
  • Verify billing activity

Quarterly

  • Review user roles and permissions
  • Rotate API keys
  • Update security documentation
  • Conduct team security training

As Needed

  • Follow offboarding procedures for departing users
  • Investigate security notification emails
  • Review incident response plan
  • Update emergency contact information

Getting Help