Security

Last updated: January 2, 2026

Our Commitment to Security

Security is at the core of Qovr. We implement industry-standard security practices to protect your data and ensure the integrity of our testing platform.

Infrastructure Security

Hosting and Deployment

  • Web Application: Hosted on Vercel with automatic HTTPS, DDoS protection, and edge caching
  • Test Runner: Deployed on Fly.io with isolated containers and automatic scaling
  • Database: PostgreSQL with encryption at rest and in transit
  • Storage: Cloudflare R2 or AWS S3 with server-side encryption

Network Security

  • All traffic encrypted with TLS 1.3
  • HTTPS enforced on all endpoints
  • Security headers (X-Frame-Options, CSP, etc.)
  • Rate limiting on API endpoints

Runner Security

Execution Environment

  • Token Authentication: Runner endpoints require an X-RUNNER-TOKEN header
  • Timing-Safe Comparison: Token validation uses constant-time comparison to prevent timing attacks
  • Containerization: The runner executes in isolated Docker containers
  • Non-Root Execution: Containers run as a non-root user, following the principle of least privilege
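
A constant-time check of the X-RUNNER-TOKEN header could look like the following in Node.js. This is an added illustration, not Qovr's own code; the function names, the RUNNER_TOKEN environment variable and the sample secret are assumptions made for the example.

```javascript
const crypto = require('node:crypto');

// Per-process random key: both inputs are HMAC'd to 32 bytes before comparing,
// so timingSafeEqual never receives unequal lengths (it throws on those) and
// the comparison time does not depend on the token's length or content.
const COMPARE_KEY = crypto.randomBytes(32);

function fixedLengthDigest(value) {
  return crypto.createHmac('sha256', COMPARE_KEY).update(value, 'utf8').digest();
}

// Returns true only when `presented` equals `expected`.
function isValidRunnerToken(presented, expected) {
  // Fail closed if the server-side secret is missing or empty (misconfiguration).
  if (typeof expected !== 'string' || expected.length === 0) return false;
  // A missing header or a non-string value is never valid.
  if (typeof presented !== 'string' || presented.length === 0) return false;
  return crypto.timingSafeEqual(
    fixedLengthDigest(presented),
    fixedLengthDigest(expected)
  );
}

// Hypothetical request gate. `headers` is a Node-style object with lower-cased
// header names, as on http.IncomingMessage. RUNNER_TOKEN is an assumed
// environment variable name.
function authorizeRunnerRequest(headers, expected = process.env.RUNNER_TOKEN) {
  const ok = isValidRunnerToken(headers['x-runner-token'], expected);
  // Same status and body for every failure mode, so the response does not
  // reveal whether the header was absent, malformed, or simply wrong.
  return ok ? { status: 200 } : { status: 401, body: 'Unauthorized' };
}

// Constructed sample value, not a real secret.
const SAMPLE_SECRET = 'constructed-demo-token-0123456789';
```

A plain `===` comparison can return as soon as it finds a difference, which is the timing signal the constant-time comparison removes.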

Authentication and Access Control

User Authentication

  • Secure password hashing with bcrypt
  • OAuth 2.0 support (GitHub, Google)
  • Session-based authentication with NextAuth
  • Automatic session expiration
  • Password reset with time-limited tokens

Role-Based Access Control (RBAC)

Fine-grained access control with four permission levels:

  • Owner: Full control over projects and billing
  • Admin: Manage team members and project settings
  • Member: Create and edit journeys, run tests
  • Viewer: Read-only access to results

All API routes enforce authentication and authorization before processing requests.

Data Protection

Encryption

  • In Transit: TLS 1.3 for all connections
  • At Rest: Database encryption enabled by default
  • Passwords: Bcrypt hashing with salt
  • Secrets: Environment variables, never in code

Data Isolation

  • Projects and data isolated by user/team
  • Database queries filtered by ownership
  • Test execution in isolated containers
  • No cross-tenant data access

Data Retention

  • Test results retained according to your plan
  • Screenshots stored securely in object storage
  • Audit logs maintained for compliance
  • Data permanently deleted after account closure (30-90 day grace period)

Payment Security

  • All payments processed by Stripe (PCI DSS Level 1 certified)
  • We never store credit card numbers
  • Webhook signature verification for all payment events
  • Secure redirect to Stripe checkout

Application Security

Vulnerability Prevention

  • SQL Injection: Prevented by Prisma ORM parameterized queries
  • XSS: Prevented by React automatic escaping
  • CSRF: Protected by SameSite cookies and token verification
  • Clickjacking: X-Frame-Options: DENY header
  • MIME Sniffing: X-Content-Type-Options: nosniff

Input Validation

  • Zod schema validation on all API inputs
  • Type-safe TypeScript throughout
  • Sanitization of user-generated content
  • Rate limiting to prevent abuse

Dependency Management

  • Regular dependency updates
  • Automated security scanning
  • npm audit run in CI/CD
  • Minimal dependency footprint

Monitoring and Incident Response

Logging and Monitoring

  • Structured logging for all security events
  • Failed authentication attempt tracking
  • Audit logs for sensitive operations
  • Real-time error tracking

Incident Response

In the event of a security incident:

  • Immediate investigation and containment
  • Affected users notified within 72 hours
  • Transparent post-incident report
  • Remediation and prevention measures

Compliance

Privacy Regulations

  • GDPR: Data protection for EU users
  • CCPA: Privacy rights for California residents
  • SOC 2: Working towards certification

Best Practices

  • OWASP Top 10 mitigation
  • Principle of least privilege
  • Defense in depth strategy
  • Regular security assessments

Audit Logs

We maintain comprehensive audit logs for:

  • User authentication events
  • Project and journey modifications
  • Team member changes
  • Permission updates
  • Test executions
  • Data exports and deletions

Audit logs are retained for compliance purposes and available to project owners.

Responsible Disclosure

Report a Vulnerability

If you discover a security vulnerability, please report it responsibly:

  • Email: security@qovr.app
  • Include a detailed description and reproduction steps
  • Allow reasonable time for a response (typically 48-72 hours)
  • Do not publicly disclose until we've addressed it

Bug Bounty

We appreciate security researchers who help us maintain a secure platform. We plan to launch a bug bounty program in the future to reward responsible disclosures.

Third-Party Security

Our trusted service providers:

  • Vercel: SOC 2 Type II certified hosting
  • Fly.io: Infrastructure provider with container isolation
  • Stripe: PCI DSS Level 1 payment processing
  • AWS/Cloudflare: Enterprise-grade storage

All third-party providers are vetted for security compliance and undergo regular audits.

User Responsibilities

Help us maintain security by:

  • Using strong, unique passwords
  • Enabling two-factor authentication (when available)
  • Not sharing account credentials
  • Reporting suspicious activity immediately
  • Keeping your contact information up to date
  • Only testing websites you have authorization to test

Security Updates

We continuously improve our security posture through:

  • Regular security audits and penetration testing
  • Automated vulnerability scanning
  • Prompt patching of security issues
  • Security training for our team
  • Staying current with emerging threats

Questions?

For security-related questions or concerns, contact us at:

Security is a Journey, Not a Destination

We continuously update our security measures to protect your data. This page reflects our current security practices and will be updated as we enhance our platform.