QUIXME← Back

Security

Security Practices

How we protect your data and ensure platform integrity

Authentication & Access Control

QuixMe uses industry-standard authentication through NextAuth v5, supporting OAuth providers (Google and GitHub). We never store raw passwords. All authentication tokens are securely managed with HTTP-only cookies and short expiration windows.

  • OAuth 2.0 authentication (Google, GitHub)
  • Session tokens with automatic expiration and rotation
  • HTTP-only, secure, same-site cookies

Data Encryption

  • In Transit: All data is encrypted using TLS 1.3 (HTTPS enforced across all endpoints)
  • At Rest: Database and file storage use AES-256 encryption provided by Supabase's infrastructure
  • API Keys: All secrets are stored in environment variables, never committed to source control

Database Security

We use Supabase PostgreSQL with Row Level Security (RLS) policies enabled on all tables. This means:

  • Users can only access their own data — enforced at the database level
  • Even if application code has a bug, the database prevents unauthorized cross-user data access
  • All database queries are parameterized to prevent SQL injection
  • Regular automated backups with point-in-time recovery

AI Processing Security

When your content is processed by AI:

  • Content is sent to Google's Gemini API over encrypted connections
  • Google's API does not use your content to train their models (per their API terms)
  • We do not store raw API request/response payloads — only metadata (token counts, duration)
  • AI usage is tracked for billing but content is not logged

Payment Security

All payment processing is handled by Lemon Squeezy, a PCI-compliant payment processor. We never store credit card numbers, CVVs, or other payment card data on our servers. Webhook payloads from Lemon Squeezy are validated using HMAC signatures to prevent tampering.

Infrastructure

  • Hosting: Vercel (Next.js) with automatic DDoS protection and edge caching
  • Database: Supabase managed PostgreSQL with automated backups
  • Storage: Supabase Storage with access control policies
  • Monitoring: Sentry for error tracking (no personal content is captured)

Vulnerability Reporting

If you discover a security vulnerability, please report it responsibly by emailing security@quixme.com. We take all reports seriously and will respond within 48 hours. Please do not publicly disclose vulnerabilities before we have had a chance to address them.

Incident Response

In the event of a data breach, we will notify affected users within 72 hours, investigate the scope and impact, take immediate remediation steps, and provide a post-incident report. We maintain incident response procedures and conduct regular reviews.

Terms of ServicePrivacy Policy