Last updated: 2026-01-01
TeleCetli Kft. operates a comprehensive information security programme covering the QuoteForge platform. Our controls are aligned with the OWASP Top 10 and the CASA (Cloud Application Security Assessment) Tier 2 control families covering application security, API security, and cloud configuration. We are currently working toward SOC 2 Type I readiness.
All communication between clients and the QuoteForge service uses TLS 1.2 or higher. We enforce HTTPS-only access; HTTP requests are redirected to HTTPS. Internal service-to-service communication within the Azure Container Apps environment uses mTLS where supported.
Data at rest — including STEP files, quote data, and database content — is encrypted using AES-256 via Azure-managed encryption. STEP files are stored in Azure Blob Storage with server-side encryption enabled. The PostgreSQL database uses Azure-managed transparent data encryption.
Encryption keys are managed via Azure Key Vault with CSI Driver integration. Application secrets (API keys, connection strings) are stored in Azure Key Vault and injected into containers at runtime — they are never stored in source code or container images.
All end-user authentication is handled by Keycloak (hosted at auth.gridex.ai), which supports OIDC/OAuth 2.0 flows. Passwords are hashed using PBKDF2-HMAC-SHA512 (Keycloak's default credential algorithm); we never see or store plaintext passwords.
Within the QuoteForge application, access to tenant data is enforced via application-level RBAC. Users can only access data belonging to their own tenant; cross-tenant queries are prevented at the EF Core query filter level (see Tenant Isolation below).
Employee access to production systems requires a Keycloak account with enforced MFA and approval from a second team member. All administrative actions are logged.
We follow the principle of least privilege: each service account and employee role has only the permissions necessary for its specific function. Privilege escalation requires explicit approval.
QuoteForge is a multi-tenant SaaS application. Tenant isolation is implemented at the database level using EF Core global query filters: every query against tenant-scoped tables (quotes, customers, STEP files, cost lines, etc.) is automatically filtered by the authenticated user's tenant_id. This filter is applied by the ApplicationDbContext and cannot be bypassed by application code. There is no technical mechanism by which one tenant can access another tenant's data. Tenant isolation is verified in our annual penetration testing scope.
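The following is an added illustration of the tenant-isolation mechanism described above; it is not code from the QuoteForge codebase. It assumes a hypothetical ITenantProvider that exposes the authenticated user's tenant id (for example from a claim in the Keycloak-issued token), two stand-in entity classes (Quote and Customer) and a TenantId column on each tenant-scoped table. It shows the two halves a practitioner would want to see together: an EF Core global query filter attached to every ITenantScoped entity in OnModelCreating, so reads are filtered automatically, and a SaveChangesAsync override that stamps and verifies TenantId on writes, since query filters govern reads only.

```csharp
using System;
using System.Linq;
using System.Linq.Expressions;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.EntityFrameworkCore;

// Assumed abstraction (not part of the original page): resolves the tenant id
// of the authenticated user, e.g. from a claim in the Keycloak-issued token.
public interface ITenantProvider
{
    Guid TenantId { get; }
}

// Every tenant-scoped entity carries the owning tenant.
public interface ITenantScoped
{
    Guid TenantId { get; set; }
}

// Stand-in entities constructed for this example.
public sealed class Quote : ITenantScoped
{
    public int Id { get; set; }
    public Guid TenantId { get; set; }
    public string Reference { get; set; } = "";
}

public sealed class Customer : ITenantScoped
{
    public int Id { get; set; }
    public Guid TenantId { get; set; }
    public string Name { get; set; } = "";
}

public sealed class ApplicationDbContext : DbContext
{
    private readonly ITenantProvider _tenant;

    public ApplicationDbContext(DbContextOptions<ApplicationDbContext> options, ITenantProvider tenant)
        : base(options) => _tenant = tenant;

    // Referenced by the query filter. EF Core evaluates DbContext members used in
    // a filter per query, so the filter follows the tenant of the current request.
    public Guid CurrentTenantId => _tenant.TenantId;

    public DbSet<Quote> Quotes => Set<Quote>();
    public DbSet<Customer> Customers => Set<Customer>();

    protected override void OnModelCreating(ModelBuilder modelBuilder)
    {
        // One global filter per ITenantScoped entity: e => e.TenantId == CurrentTenantId.
        // Looping over the model means a newly added tenant-scoped table cannot be
        // forgotten, which is the failure mode a hand-maintained per-entity list invites.
        foreach (var entityType in modelBuilder.Model.GetEntityTypes())
        {
            if (!typeof(ITenantScoped).IsAssignableFrom(entityType.ClrType)) continue;

            var e = Expression.Parameter(entityType.ClrType, "e");
            var body = Expression.Equal(
                Expression.Property(e, nameof(ITenantScoped.TenantId)),
                Expression.Property(Expression.Constant(this), nameof(CurrentTenantId)));
            modelBuilder.Entity(entityType.ClrType).HasQueryFilter(Expression.Lambda(body, e));
        }
    }

    // Query filters only govern reads. Writes are checked here so that an entity
    // cannot be inserted under, or re-pointed to, a different tenant.
    public override Task<int> SaveChangesAsync(CancellationToken cancellationToken = default)
    {
        foreach (var entry in ChangeTracker.Entries<ITenantScoped>())
        {
            switch (entry.State)
            {
                case EntityState.Added:
                    // Never trust a client-supplied tenant id; stamp it server-side.
                    entry.Entity.TenantId = CurrentTenantId;
                    break;
                case EntityState.Modified:
                case EntityState.Deleted:
                    if (entry.Entity.TenantId != CurrentTenantId)
                        throw new InvalidOperationException(
                            $"Cross-tenant write rejected for {entry.Metadata.ClrType.Name}.");
                    break;
            }
        }
        return base.SaveChangesAsync(cancellationToken);
    }
}
```

One caveat worth pairing with this pattern: EF Core exposes IgnoreQueryFilters() to opt an individual query out of global filters, so the read-side guarantee is only as strong as the rule that application code never calls it. A banned-API analyzer or a code-review rule covers that, and a test that seeds rows for two tenant ids and asserts that db.Quotes.ToListAsync() returns only the current tenant's rows makes the filter's presence observable rather than assumed.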
We conduct due diligence on all sub-processors who handle customer data.
Azure Database for PostgreSQL Flexible Server is configured with automated daily backups retained for 30 days. Point-in-time restore is available within the retention window. Our current recovery objectives are a Recovery Point Objective (RPO) of 24 hours and a Recovery Time Objective (RTO) of 8 hours. STEP file storage in Azure Blob uses geo-redundant storage (GRS) for durability. These objectives are reviewed annually and updated as the service matures.
We maintain a documented incident response plan. All suspected security incidents are assessed, triaged, and — where required — reported to affected customers and to the NAIH within 72 hours as required by GDPR Article 33. For full details, see our Incident Response Policy at /legal/incident-response.
We welcome responsible disclosure of security vulnerabilities. Researchers who identify a vulnerability in quoteforge.gridex.ai should report it to [email protected] with the subject prefix [VULN]. We commit to acknowledging reports within 5 business days and to triaging them within 10 business days. For full details, see our Vulnerability Disclosure Policy at /legal/vulnerability-disclosure.
To report a security vulnerability or raise a security concern, please email [email protected]. For urgent incidents, include 'URGENT' in the email subject. We do not accept security reports via social media or issue trackers.