Security

Our Commitment to Security

Security is at the core of Qovr. We implement industry-standard security practices to protect your data and ensure the integrity of our testing platform.

Infrastructure Security

Hosting and Deployment

• Web Application: Hosted on Vercel with automatic HTTPS, DDoS protection, and edge caching
• Test Runner: Deployed on Fly.io with isolated containers and automatic scaling
• Database: PostgreSQL with encryption at rest and in transit
• Storage: Cloudflare R2 or AWS S3 with server-side encryption

Network Security

• All traffic encrypted with TLS 1.3
• HTTPS enforced on all endpoints
• Security headers (X-Frame-Options, CSP, etc.)
• Rate limiting on API endpoints

Runner Security

Execution Environment

• Token Authentication: Runner endpoints require X-RUNNER-TOKEN header
• Timing-Safe Comparison: Token validation uses constant-time comparison to prevent timing attacks
• Containerization: Runner executes in isolated Docker containers
• Non-Root Execution: Containers run as non-root user for principle of least privilege

Authentication and Access Control

User Authentication

• Secure password hashing with bcrypt
• OAuth 2.0 support (GitHub, Google)
• Session-based authentication with NextAuth
• Automatic session expiration
• Password reset with time-limited tokens

Role-Based Access Control (RBAC)

Fine-grained access control with four permission levels:

• Owner: Full control over projects and billing
• Admin: Manage team members and project settings
• Member: Create and edit journeys, run tests
• Viewer: Read-only access to results

Data Protection

Encryption

• In Transit: TLS 1.3 for all connections
• At Rest: Database encryption enabled by default
• Passwords: Bcrypt hashing with salt
• Secrets: Environment variables, never in code

Data Isolation

• Projects and data isolated by user/team
• Database queries filtered by ownership
• Test execution in isolated containers
• No cross-tenant data access

Payment Security

• All payments processed by Stripe (PCI DSS Level 1 certified)
• We never store credit card numbers
• Webhook signature verification for all payment events
• Secure redirect to Stripe checkout

Application Security

Vulnerability Prevention

• SQL Injection: Prevented by Prisma ORM parameterized queries
• XSS: Prevented by React automatic escaping
• CSRF: Protected by SameSite cookies and token verification
• Clickjacking: X-Frame-Options: DENY header
• MIME Sniffing: X-Content-Type-Options: nosniff

Input Validation

• Zod schema validation on all API inputs
• Type-safe TypeScript throughout
• Sanitization of user-generated content
• Rate limiting to prevent abuse

Responsible Disclosure

Report a Vulnerability

If you discover a security vulnerability, please report it responsibly:

• Email: security@qovr.app
• Include detailed description and reproduction steps
• Allow reasonable time for response (typically 48-72 hours)
• Do not publicly disclose until we've addressed it

Contact

For security-related questions or concerns, contact us at:

• Security: security@qovr.app
• Privacy: privacy@qovr.app
• Support: support@qovr.app