QuoteForge is built on the principle that your part geometry and customer data are yours alone. Here is a plain-language overview of how we protect them.
QuoteForge's application and API controls are aligned with the OWASP Top 10 and the CASA (Cloud Application Security Assessment) Tier 2 control families: OAuth 2.0 security, access control, input validation, secrets management, and logging. We do not currently hold a formal CASA Tier 2 attestation; these controls are our internal security baseline.
We do not use your STEP files, quotes, or customer data to train any AI or machine-learning model — ours or anyone else's.
The pricing engine is fully deterministic. It reads your shop configuration (machines, materials, feeds & speeds) and applies arithmetic. No model is trained, no data leaves your tenant in aggregate form.
For features that use an LLM (such as DFM commentary generation), only the extracted geometry metadata — not the raw STEP binary — is sent to the LLM API call. Geometry metadata contains no IP about how the part will be used. The LLM is instructed not to log or retain request content.
Every database query is automatically scoped to your tenant_id at the ORM level. There is no route by which one customer can read another customer's quotes, STEP files, shop configuration, or contact data. Cross-tenant access is a structural impossibility, not just a policy.
All traffic between your browser and our servers is encrypted in transit using TLS 1.2+. Connections to sub-services (storage, database, LLM APIs) are also TLS-only.
Data at rest — STEP files, quote PDFs, customer records — is encrypted at the storage layer by Azure (AES-256).
Payment data is handled exclusively by Stripe. We never see, store, or transmit raw card numbers. Stripe is PCI DSS Level 1 certified.
The production database is backed up daily with a 30-day retention window. Backups are stored in a separate Azure region.
STEP files and generated PDFs are stored in Azure Blob Storage with geo-redundant replication.
Under GDPR you have the right to request export or deletion of all data associated with your account. Send a request to [email protected] and we will action it within 30 days.
If you discover a security issue, please disclose it responsibly by emailing [email protected].