Security & data handling

Pentest findings are among the most sensitive documents an organisation produces — a map of how to breach it. We treat them that way. This page is a plain-English account of where your data lives, who can touch it, and how to keep it entirely inside your own perimeter when an engagement demands it.

Last updated: May 2026

The short version

  • Cloud Quire stores your data in an encrypted, access-controlled database. Other users can never see your reports — enforced at the database level.
  • Cloud is right for most engagements. For SECRET, air-gapped, or contractually-restricted work, run Quire locally inside your own network — nothing leaves your perimeter.
  • We never see your payment details. Stripe handles all card data.
  • Found a vulnerability in Quire? Tell us — we're built by pentesters, for pentesters.

Where your data lives

Cloud Quire runs on Supabase (managed PostgreSQL on AWS) and is served via Vercel. Your reports and findings are stored in Postgres and encrypted at rest by the underlying infrastructure. You can request a specific data region (UK / EU) for residency and GDPR alignment.

Access control & isolation

Every row of data is protected by row-level security. The database itself enforces that you can only ever read or write records you own — not application logic that could be bypassed, but a hard constraint at the data layer. One customer can never see another's findings.
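To illustrate what "enforced at the database level" means in practice, here is an added example of a Postgres row-level security policy in the Supabase style. It is not Quire's own schema or policy (those are not published here); the `findings` table and its `owner_id` column are assumptions, while `auth.uid()` is the Supabase helper that returns the calling user's id from their JWT.

```sql
-- Hypothetical table; the table and column names are assumptions, not Quire's schema.
CREATE TABLE findings (
  id        uuid PRIMARY KEY DEFAULT gen_random_uuid(),
  owner_id  uuid NOT NULL,   -- the authenticated user who created the row
  title     text NOT NULL,
  severity  text NOT NULL,
  body      text
);

-- Without RLS, isolation depends on every query in the application remembering
-- to add "WHERE owner_id = <current user>". One missed clause exposes every
-- customer's findings. Enabling (and forcing) RLS moves that constraint into
-- the database itself, where application code cannot forget it.
ALTER TABLE findings ENABLE ROW LEVEL SECURITY;
ALTER TABLE findings FORCE ROW LEVEL SECURITY;   -- applies even to the table owner

-- One policy covering SELECT, INSERT, UPDATE and DELETE: a row is visible or
-- writable only when owner_id matches the caller. The WITH CHECK clause stops a
-- user from inserting or updating a row into someone else's ownership.
CREATE POLICY findings_owner_only ON findings
  FOR ALL
  USING (owner_id = auth.uid())
  WITH CHECK (owner_id = auth.uid());

-- With the policy in place, even a completely unfiltered query returns only the
-- caller's rows; another customer's findings are simply not there.
SELECT id, title, severity FROM findings;
```

Note that RLS does not constrain superusers or roles granted BYPASSRLS, which is exactly the infrastructure-operator access the next section describes.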

What we can and can't see — stated plainly

We believe in being honest with people who break things for a living. In the cloud product, your findings are stored in a database that Quire operates. That means encryption-at-rest and strict access control protect you against other users, lost hardware, and casual access — but a determined compromise of Quire's own infrastructure, or a malicious operator, could in principle read stored data. This is true of every cloud reporting tool, whether they say so or not.

If your engagement cannot tolerate that risk — classified work, air-gapped networks, or contracts that forbid third-party cloud — you should not use cloud Quire for it. Use the local instance instead (below). We would rather lose the sale than have your client data somewhere it shouldn't be.

Local / self-hosted — for work that can't leave the building

Quire can run as a self-hosted instance entirely inside your own network, gated by a license key. No telemetry, no phone-home, no external calls — your client data never touches our infrastructure or anyone else's. Same product, your perimeter. This is the right choice for SECRET-and-above engagements and any client whose contract prohibits external storage.

Interested? Get in touch at hello@quire.report.

Payments

Billing is processed by Stripe. Card details go directly to Stripe via their hosted checkout — Quire never sees, stores, or transmits your card number. We hold only a Stripe customer reference and your subscription status.

Data retention & your control

You can delete any report or finding at any time; deletion is permanent. You can export your entire findings library and any report (PDF / DOCX / JSON) whenever you like — your data is never held hostage. Account deletion removes your reports, findings, and profile. Configurable auto-purge-after-export is on the roadmap.

Sub-processors

We use a small, deliberate set of infrastructure providers:

  • Supabase — database, authentication (data storage)
  • Vercel — application hosting
  • Stripe — payment processing

A Data Processing Agreement (DPA) is available on request for firms that need one for their own client contracts — request a DPA.

On the roadmap

We're evaluating client-side end-to-end encryption as a future zero-knowledge tier — findings encrypted in your browser with a key only you hold, so even a full compromise of Quire would yield nothing readable. It carries real trade-offs (no server-side search, export, or AI on encrypted data) so we're designing it carefully rather than shipping it half-built.

Responsible disclosure

If you find a security issue in Quire, please report it to security@quire.report. We commit to acknowledging reports within 72 hours, working with you on a fix, and crediting you (with your consent). Please don't test against other users' data — reach out and we'll set you up with a scoped environment. Built by pentesters; we'll treat your report the way we'd want ours treated.