Security
Last updated: May 2026
Quibo is security-first. This page summarizes our controls, our sub-processors, and how to report a vulnerability. For the full Privacy Policy see /privacy; for the DPA see /dpa.
Encryption
- TLS 1.3 in transit; HSTS preloaded, max-age=63072000; includeSubDomains.
- AES-256-GCM for connector credentials at rest, with rotated master keys.
- Postgres-managed bcrypt for password hashes.
Access control
- Postgres row-level security on every table, gated by a JWT-injected org_id claim.
- Service-role keys are used only server-side and never exposed to the browser.
- TOTP two-factor authentication available to all users; required for Business plan owners.
- Account lockout after 10 failed login attempts within 30 minutes.
Application hardening
- Nonce-based Content-Security-Policy with strict-dynamic.
- X-Frame-Options: DENY · X-Content-Type-Options: nosniff · Referrer-Policy: strict-origin · Permissions-Policy: minimal.
- Outbound URL allowlist; the destination hostname is resolved and the resulting addresses are checked before any request is made (anti-SSRF).
- Rate limits on auth, signup, generation, and API endpoints (Upstash sliding window).
- Stripe and Inngest webhooks verified by signature on every request.
- OWASP Top 10 mitigations reviewed quarterly.
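The anti-SSRF check above (allowlist plus DNS resolution check) is the kind of control that is easy to get subtly wrong, so here is a worked version. This is an added illustration, not Quibo's code: the allowlisted hosts, the sample addresses and the resolver are constructed for the example. The one design point worth noting is that the check returns the address it validated, so the caller must connect to that address (keeping the original Host header) rather than resolving the name a second time, which is what a DNS-rebinding attacker relies on.

```python
"""Outbound-URL check: allowlisted host, DNS resolution, and rejection of
loopback, private, link-local (cloud metadata) and multicast targets.
Added example; not the product's own implementation."""
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed for this example: the only hosts server-side fetches may reach.
ALLOWED_HOSTS = {"api.example.com", "cdn.example.com"}

# Address ranges that a server-side fetch must never reach.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16",        # link-local; includes metadata at 169.254.169.254
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::1/128", "fc00::/7", "fe80::/10",
)]


def resolve_all(host):
    """Default resolver: every A/AAAA record the system DNS returns."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_blocked(ip):
    addr = ipaddress.ip_address(ip)
    # ::ffff:10.0.0.1 must be judged as 10.0.0.1, not as an IPv6 address.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in BLOCKED_NETWORKS)


def check_outbound_url(url, resolver=resolve_all):
    """Return (ok, reason, pinned_ip).

    pinned_ip is the address the caller should actually connect to, sending
    the original hostname in the Host header, so that a second lookup at
    connect time cannot be answered differently (DNS rebinding).
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed", None
    host = (parts.hostname or "").rstrip(".").lower()
    if host not in ALLOWED_HOSTS:
        return False, "host not on allowlist", None
    try:
        addrs = resolver(host)
    except OSError:
        return False, "dns resolution failed", None
    if not addrs:
        return False, "no addresses", None
    # Every record is checked: a single private record among public ones
    # is enough to reject, since the client may pick any of them.
    for ip in sorted(addrs):
        if is_blocked(ip):
            return False, f"resolves to blocked address {ip}", None
    return True, "ok", sorted(addrs)[0]
```

The resolver is injected so the policy can be unit-tested without network access; in production the default system resolver is used and the returned pinned address is what the HTTP client connects to.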
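The account lockout (10 failed logins within 30 minutes) and the per-endpoint rate limits are both instances of one sliding-window counter, so a single worked example serves both. This is an added example, not Quibo's or Upstash's code: it keeps counts in process memory with an injectable clock so it can be tested offline, whereas a deployed version keeps the same per-key timestamps in Redis so all instances share them. The choice that a successful login clears the failure counter is an assumption made here, not something the page states.

```python
"""Sliding-window counter used for login lockout and endpoint rate limits.
Added example; in-memory stand-in for a shared Redis-backed counter."""
import time
from collections import defaultdict, deque


class SlidingWindowLimiter:
    def __init__(self, limit, window_seconds, clock=time.monotonic):
        self.limit = limit
        self.window = window_seconds
        self.clock = clock                  # injectable for deterministic tests
        self._events = defaultdict(deque)   # key -> event timestamps, oldest first

    def _prune(self, key, now):
        """Drop events that have aged out of the window; return the live queue."""
        q = self._events[key]
        while q and q[0] <= now - self.window:
            q.popleft()
        return q

    def hit(self, key):
        """Record one event for key; True if it fits within the limit, False if refused."""
        now = self.clock()
        q = self._prune(key, now)
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

    def remaining(self, key):
        return self.limit - len(self._prune(key, self.clock()))

    def retry_after(self, key):
        """Seconds until the oldest counted event leaves the window (0 if not limited)."""
        now = self.clock()
        q = self._prune(key, now)
        if len(q) < self.limit:
            return 0.0
        return q[0] + self.window - now

    def reset(self, key):
        self._events.pop(key, None)


def attempt_login(limiter, account, password_ok):
    """One login attempt on `account`: 'locked', 'ok' or 'invalid'.

    The lockout check runs before the password is evaluated, so a locked
    account rejects even a correct password until the window clears.
    """
    if limiter.remaining(account) <= 0:
        return "locked"
    if password_ok:
        limiter.reset(account)   # assumption for this example: success clears failures
        return "ok"
    limiter.hit(account)         # count the failure
    return "invalid"


def api_request(limiter, client_key):
    """Per-endpoint limit: returns (allowed, retry_after_seconds)."""
    if limiter.hit(client_key):
        return True, 0.0
    return False, limiter.retry_after(client_key)


if __name__ == "__main__":
    lockout = SlidingWindowLimiter(limit=10, window_seconds=30 * 60)
    for _ in range(10):
        attempt_login(lockout, "alice", False)
    print(attempt_login(lockout, "alice", True))   # locked
    api = SlidingWindowLimiter(limit=60, window_seconds=60)  # 60/min, assumed figure
    print(api_request(api, "203.0.113.10"))         # (True, 0.0)
```

The `retry_after` value is what an endpoint would surface in a Retry-After header; `remaining` is the figure a lockout message or a RateLimit-Remaining header reports.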
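Signature verification on every webhook request, as listed above, means checking an HMAC over the raw body and a timestamp before any JSON is parsed. The following added example implements Stripe's documented scheme (a Stripe-Signature header of the form t=<unix timestamp>,v1=<hex HMAC-SHA256> over "<timestamp>.<raw body>" under the endpoint signing secret, with a 300-second replay tolerance); it is not Quibo's handler or Stripe's SDK, and the secret, body and timestamps are constructed for the example. Inngest signs its webhooks with its own header format, which this block does not cover.

```python
"""Stripe-style webhook signature verification. Added example; the helper
that builds a header stands in for Stripe so the check can be exercised offline."""
import hashlib
import hmac
import time

TOLERANCE_SECONDS = 300   # Stripe's default replay window


def _signature(secret, timestamp, payload):
    """HMAC-SHA256 over '<timestamp>.<raw body>' under the endpoint secret."""
    signed = str(timestamp).encode() + b"." + payload
    return hmac.new(secret.encode(), signed, hashlib.sha256).hexdigest()


def make_signature_header(secret, timestamp, payload):
    """Build the header Stripe would send (used here only to construct test input)."""
    return f"t={timestamp},v1={_signature(secret, timestamp, payload)}"


def verify_stripe_signature(payload, header, secret, now=None, tolerance=TOLERANCE_SECONDS):
    """True only if some v1 signature matches and the timestamp is within tolerance.

    `payload` must be the raw request body bytes exactly as received; re-serialised
    JSON will not reproduce the MAC.
    """
    now = time.time() if now is None else now
    timestamp = None
    candidates = []
    for item in header.split(","):
        key, _, value = item.strip().partition("=")
        if key == "t":
            timestamp = value
        elif key == "v1":            # several v1 values appear during secret rotation
            candidates.append(value)
    if timestamp is None or not candidates:
        return False
    try:
        ts = int(timestamp)
    except ValueError:
        return False
    if abs(now - ts) > tolerance:
        return False                 # stale (replay) or implausibly in the future
    expected = _signature(secret, ts, payload).encode()
    # Constant-time comparison; any matching candidate is accepted.
    return any(hmac.compare_digest(expected, c.encode()) for c in candidates)


if __name__ == "__main__":
    secret = "whsec_constructed_example_secret"            # constructed, not real
    body = b'{"id":"evt_0001","type":"checkout.session.completed"}'
    header = make_signature_header(secret, 1700000000, body)
    print(verify_stripe_signature(body, header, secret, now=1700000010))   # True
    print(verify_stripe_signature(body + b" ", header, secret, now=1700000010))  # False
```

The handler should read the body as bytes before any framework middleware parses it, verify, and only then deserialize; a verification failure is logged and answered with 400 without acting on the event.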
Audit + logging
- Append-only audit log for logins, site connections, role changes, deletions.
- Sentry error monitoring with PII scrubbing.
- Backups: Supabase daily, 30-day rolling retention, restores tested quarterly.
Sub-processors
We process data through the following providers under DPA + SCC where applicable:
| Provider | Purpose | Region | Safeguard |
|---|---|---|---|
| Supabase | Database + Auth | EU (Frankfurt) | DPA · EU hosting |
| Vercel | Application hosting | Multi-region | DPA · SCC |
| Anthropic | LLM (article generation) | US | DPA · SCC |
| Exa | Web research / SERP | US | DPA · SCC |
| DataForSEO | Keyword volume + KD | US | DPA · SCC |
| Firecrawl | Brand-profile crawling | US | DPA · SCC |
| fal.ai | Image generation | US | DPA · SCC |
| Stripe | Payments | US | DPA · SCC · PCI-DSS |
| Inngest | Job orchestration | US | DPA · SCC |
| Sentry | Error monitoring | EU option | DPA · PII scrubbing |
| Upstash | Rate limiting (Redis) | EU option | DPA |
Vulnerability disclosure
We welcome reports from security researchers. Email security@quibo.cc with details and a proof of concept. We will acknowledge within 48 hours and aim to resolve critical issues within 7 days. Responsible disclosure is rewarded; see our security.txt.
Incident response
On confirmation of a personal-data breach, we notify the relevant supervisory authority within 72 hours (GDPR Art. 33). Affected users are notified directly when the breach poses a high risk to their rights and freedoms (Art. 34).