Security

Defense in depth, by design.

Quoining is built from the ground up to protect your financial data. We employ defense-in-depth across every layer — encryption, infrastructure, access controls, and monitoring.

Last updated: May 20, 2026

  • SOC 2 Type II: In development
  • GAAP-aligned: Active
  • CCPA / CPRA: Honored
  • AES-256-GCM: Enforced
  • TLS 1.2+: Enforced
  • Primary US hosting: us-east-1

Controls

Layered by design.

Encryption

  • TLS 1.2 or higher enforced for all data in transit; HTTPS redirect at the load balancer
  • AES-256 encryption at rest for the production PostgreSQL database (AWS RDS) and document storage (AWS S3)
  • AES-256-GCM application-layer field encryption with primary/previous key support for designated sensitive fields, including third-party integration credentials, Plaid access tokens, API keys, and customer-provided tax identification numbers
  • Database credentials rotated automatically on a 90-day schedule via AWS Secrets Manager
  • Encryption keys validated at application startup — production will not start with a missing or invalid ENCRYPTION_KEY

Infrastructure

  • Core application hosting and the primary customer database run in AWS us-east-1 in the United States. Optional integrations that a customer enables may process limited data outside the United States, as listed on the Sub-processors page.
  • PostgreSQL 16 on Amazon RDS with automated daily backups and point-in-time recovery
  • ECS Fargate containers — no shared hosts, no SSH access
  • AWS Web Application Firewall in front of the application load balancer with OWASP managed rules, SQL injection detection, and per-IP rate limiting
  • AWS GuardDuty for continuous threat detection
  • NAT gateway for private-subnet egress — application servers are not directly reachable from the public internet
  • Amazon ElastiCache Redis with at-rest and in-transit encryption for session and rate-limit state
  • Amazon S3 document storage with AES-256 server-side encryption and public access blocked
  • AWS CloudTrail API audit logging

Access Controls

  • Role-based access control with four tiers: Admin, Member, Viewer, Workplace Associate
  • Dual-Control Mode — assign drafter and approver roles so designated general-ledger actions require two-person sign-off
  • Per-entity access scoping — non-admin users only see entities they are explicitly assigned to within a company
  • Permission-gated server actions — every data operation checks authentication, company scope, and feature permissions
  • SAML SSO available, with JIT provisioning, domain verification, and optional enforcement
  • Two-factor authentication (email OTP and TOTP) available for all users
  • Internal admin portal hardened with mandatory 2FA, IP allowlist, 4-hour absolute session maximum, and 15-minute inactivity timeout
  • Rate limiting on authentication endpoints; fail-closed rate limiter on destructive admin operations
  • All sessions invalidated on password change

Audit Trail

  • Immutable application audit log — database triggers prevent UPDATE and DELETE on audit rows
  • Every mutation logged with actor identity (denormalized name and email), IP address, user agent, timestamp, and a description of the change
  • Monotonic sequence numbers for gap detection
  • Automatic updatedAt triggers on mutable tables
  • Audit trail survives company deletion: customer-scoped data is removed but audit rows are retained with personal identifiers redacted, for forensic and SOC integrity

Tenant Isolation

  • Application-layer tenancy enforcement: every server-side data path in the core financial modules calls an authentication and company-scope guard before any query runs
  • Static contract tests in CI gate every server action in the core modules and every admin-portal action against the auth/scope pattern; non-conforming code blocks the build
  • Cross-tenant integration tests in CI seed two companies and assert that one company's authenticated session cannot read or mutate the other's records
  • A database-layer enforcement plane (Postgres row-level security) is on the roadmap as additional defense in depth and is not in production today
  • Soft deletes for customers, vendors, and GL accounts — data preserved for audit and recovery
  • Full self-service data export available at any time (JSON)

Integration Security

  • Third-party OAuth and access tokens (Plaid, Ramp, Gusto, Shopify, Bill.com, Square, Stripe Connect) encrypted at the application layer with AES-256-GCM before database storage
  • Webhook endpoints verify signatures before processing (HMAC for Stripe, Ramp, Shopify, and other supported providers)
  • Stripe webhook events are deduplicated to prevent double-processing on retries
  • Integration credentials are scoped per connection — each company's tokens are isolated
  • Sandbox and production credentials are supported per integration connection

Application Security

  • User input validated with Zod schemas at the server-action boundary
  • All database queries parameterized via Drizzle ORM
  • The few sql.raw() call sites use whitelist validation against known table and column names
  • Content Security Policy and CSRF protection enforced
  • Rate limiting on AI endpoints, public API routes, authentication, and sync operations
  • Required environment variables and secrets validated at startup — production will not boot with missing or invalid configuration
  • Container image scanning (Trivy, CRITICAL/HIGH) in CI
  • Secret-leak detection in CI — blocks committed .env files and common API-key patterns

Business Continuity

  • Automated daily database backups with point-in-time recovery; backups encrypted at rest
  • Pre-deployment database snapshot taken automatically before each production deploy
  • ECS deployment circuit breaker auto-rolls back the application on health-check failure
  • Post-deploy health checks verify web and admin services are responding before traffic shifts complete
  • Database migrations run as a blocking pre-deploy step — deployment halts if migration fails
  • Infrastructure managed as code (Terraform) for reproducibility

Compliance Posture

  • GAAP-aligned accounting engine with double-entry enforcement at the database layer (CHECK constraints and deferred trigger)
  • California Consumer Privacy Act / California Privacy Rights Act — consumer rights honored as described in our Privacy Policy
  • Other US state consumer-privacy laws (Virginia, Colorado, Connecticut, Delaware) — see the Privacy Policy
  • Data Processing Agreement available at /dpa for business customers
  • Password rotation enforced (180-day expiry)
  • IP and user agent captured in audit events for forensic analysis
  • SOC 2 Type II report is not currently available. SOC 2 readiness work is in progress; we will publish the report when an independent audit is complete

Vulnerability Disclosure

If you discover a security vulnerability in Quoining, please report it responsibly. We take all reports seriously and will respond within one business day.

Email: security@quoining.com

Please do not disclose vulnerabilities publicly until we have had a chance to investigate and address them. We do not pursue legal action against researchers acting in good faith.

Trust, documented.

Review our legal and operational documentation for details on data handling, retention, and processing.