Security & Compliance

Your financial data deserves bank-grade protection.

DataQuote handles invoices, payroll, tax records, and bank accounts. We built security into every layer — from field-level encryption to role-based access control — so your data stays yours.

Data Encryption

  • AES-256-GCM encryption for SIN, SSN, and sensitive financial identifiers
  • Random initialization vectors (IV) and authentication tags per encrypted field
  • TLS 1.2+ encryption for all data in transit
  • PostgreSQL encryption at rest on cloud infrastructure
  • Bank account numbers, tax IDs, and personal identifiers masked in all API responses — only last 4 digits visible
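
Added example, not DataQuote's code: a Node.js sketch of per-field AES-256-GCM with a fresh random IV and authentication tag for each value, and a masked last-4 display value kept beside the ciphertext. The key source, the stored layout (IV, tag, ciphertext in one base64 string), the function names and the `context` string bound as additional authenticated data are assumptions made for the illustration.

```javascript
// Added illustration; not DataQuote's code. Key handling and record layout are assumptions.
const crypto = require('crypto');

const IV_BYTES = 12;   // 96-bit nonce, the recommended size for GCM
const TAG_BYTES = 16;  // 128-bit authentication tag

// Encrypt one field. `context` (hypothetical, e.g. "employee:42:sin") is bound as
// AAD so a ciphertext copied into another row or column fails authentication.
function encryptField(key, plaintext, context) {
  const iv = crypto.randomBytes(IV_BYTES);            // fresh IV for every field value
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(context, 'utf8'));
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  const tag = cipher.getAuthTag();
  return Buffer.concat([iv, tag, ct]).toString('base64'); // iv || tag || ciphertext
}

// Decrypt one field; throws if the ciphertext, tag, IV or context was altered.
function decryptField(key, stored, context) {
  const raw = Buffer.from(stored, 'base64');
  if (raw.length < IV_BYTES + TAG_BYTES) throw new Error('stored value too short');
  const iv = raw.subarray(0, IV_BYTES);
  const tag = raw.subarray(IV_BYTES, IV_BYTES + TAG_BYTES);
  const ct = raw.subarray(IV_BYTES + TAG_BYTES);
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, iv, { authTagLength: TAG_BYTES });
  decipher.setAAD(Buffer.from(context, 'utf8'));
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
}

// Display value stored beside the ciphertext: only the last 4 digits survive.
function maskLast4(value) {
  const digits = value.replace(/\D/g, '');
  if (digits.length <= 4) return '*'.repeat(digits.length); // too short to reveal anything
  return '*'.repeat(digits.length - 4) + digits.slice(-4);
}

// Record an API layer would read from: it can serve `last4` without touching the key.
function protectIdentifier(key, value, context) {
  return { enc: encryptField(key, value, context), last4: maskLast4(value) };
}

// Constructed sample: random demo key and a made-up 9-digit identifier.
const demoKey = crypto.randomBytes(32);
const record = protectIdentifier(demoKey, '123-456-789', 'employee:42:sin');
console.log(record.last4, decryptField(demoKey, record.enc, 'employee:42:sin'));
```

Encrypting the same value twice yields different stored strings because of the per-field IV, and any change to the stored bytes makes decryption throw instead of returning altered plaintext.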

Authentication & Access Control

  • Email-based OTP (one-time password) verification on every login
  • Trusted device support — skip OTP on verified devices for 30 days
  • Brute-force lockout — 5 failed OTP attempts lock the session
  • Strict rate limiting — 10 auth attempts per 15-minute window
  • JWT tokens with configurable expiration
  • Role-based access: admin, accountant, HR, and user roles
  • Organization-level data isolation — users can only access orgs they belong to

Audit Logging

  • Every create, update, and delete action is logged
  • Audit trail includes user ID, timestamp, IP address, and change details
  • Immutable audit logs for compliance and forensic review
  • Admin-accessible audit log viewer in Settings

Infrastructure Security

  • Hosted on Supabase (AWS-backed cloud infrastructure)
  • Helmet.js security headers on all responses
  • CORS restrictions — only authorized domains
  • Global API rate limiting (200 req/15min) plus stricter limits on auth endpoints
  • Input validation on all financial data endpoints (amounts, dates, IDs)
  • File upload whitelist — only approved document types accepted
  • Path traversal protection on file operations

Privacy & Data Isolation

  • Multi-tenant architecture with strict per-organization data boundaries
  • No cross-tenant data access — every query is scoped to the authenticated org
  • Sensitive fields (SIN, bank accounts, tax IDs) never appear in server logs
  • Encrypted SIN stored separately from display value (last 4 digits only)
  • Health endpoints sanitized — no deployment info exposed

Compliance Roadmap

We're working toward formal certifications to give you even more confidence.

  • In Progress: SOC 2 Type II
  • Pending: CRA EFILE Certification
  • Planned: Penetration Testing

Questions about security?

Reach out to our team. We're happy to discuss our security practices in detail.