Legal

Security

Last updated 27 May 2026

A summary of how we protect the data flowing through QuoteBox — the platform, the trader’s account, and the customer-facing quotes and invoices.

In transit

Every page and API call is served over HTTPS with TLS 1.2 or higher. The site is configured with HSTS preloaded, so browsers refuse to fall back to plaintext even on the first visit. Permissions-Policy headers turn off browser features we don’t use (geolocation, camera, etc.) to reduce the blast radius of any cross-site scripting issue.

At rest

  • Database storage is encrypted at the disk level using AES-256, managed by Supabase (our database provider).
  • Uploaded files (logos, generated PDFs) are stored in Supabase Storage, also encrypted at rest.
  • Backups are encrypted and held in the EU.

Isolation

Every table that holds trader or customer data is protected by row-level security policies. A signed-in trader can only read or modify rows belonging to their own profile; customer-facing pages authenticate via an unguessable per-quote and per-invoice token, never a shared URL.

Authentication

  • Passwords are hashed with bcrypt by our authentication provider; we never see or store plaintext passwords.
  • Session cookies are HttpOnly, Secure, and SameSite=Lax to prevent JavaScript or third-party-site access.
  • We support passwordless email magic links and standard password-reset flows.

Payments

  • QuoteBox subscription payments are processed by Stripe. Card details are entered directly into Stripe’s hosted checkout — we never see card numbers, CVVs, or expiry dates.
  • Customer payments to a trader are processed via Stripe Connect, going directly into the trader’s own Stripe balance. QuoteBox is not in the money flow, never holds client funds, and so is not operating as a payment institution under FCA rules.

AI provider data handling

Voice transcription uses the OpenAI API (Whisper) and quote-text structuring uses Anthropic’s API (Claude). Both APIs are used in their non-training mode — data you submit to QuoteBox is not used to train these providers’ models. Raw audio is processed in memory and discarded once a transcript is returned.

Secrets and access control

  • Server-side secrets (database service-role key, Stripe secret key, AI keys, Resend key) are stored as environment variables on Vercel and are never exposed to the browser.
  • Only essentially-necessary variables (the project URL and the public anonymous key) are made available to the browser, and those values are designed to be public.
  • Internal access to the production system is limited and uses individual accounts; we never share credentials.

Audit logs

Every quote status change (sent, viewed, accepted, declined, paid, marked-overdue) is recorded as an immutable audit event tied to the quote, with the actor (trader or customer), channel, and timestamp. Same for invoices. This history is visible on the quote and invoice detail pages.

Backups and recovery

Supabase manages daily automated backups of the database with 7-day point-in-time recovery. Backups are encrypted and retained in the EU.

Responsible disclosure

If you believe you’ve found a security issue with QuoteBox, please email security@quotebox.uk with the details before disclosing publicly. We’ll acknowledge within two working days and keep you updated while we investigate.