Security & trust at Quaze.
A plain-English summary of how we protect your data, and an honest list of the frameworks we align with.
What we do, in plain English.
No jargon. No mystery. The same information your security team would ask for.
Email and password sign-in, federated sign-in with Google or Apple, and multi-factor authentication. SSO with your own identity provider is on the roadmap.
Your data is isolated from other customers, with strict access controls in place.
All data is encrypted in transit using modern TLS, and encrypted at rest in our datastores.
Secrets are never stored in source code. Access is least-privilege and logged.
Programmatic access uses bearer tokens you can create, list, and revoke. Tokens are stored securely and only shown once at creation.
Quaze is currently hosted in an EU-based cloud region. Multi-region support is on the roadmap.
Data retention is set by plan: 7 days on Free, 90 days on Starter, 1 year on Team, and 3 years on Enterprise. Enterprise customers can also export their audit log to keep their own copy.
Tenant data is backed up regularly with point-in-time recovery available within the retention window.
Who we rely on.
Quaze relies on a small set of trusted providers to deliver the service. We can share the detailed list and contractual terms with Enterprise customers under NDA.
- Cloud infrastructure provider: Hosting, storage, and managed databases
- Payment processor: Subscription billing and invoicing
- Transactional email provider: Sign-in emails, notifications, scheduled reports
Frameworks we align with.
Quaze is an early-stage product, and we are not formally certified against SOC 2 or ISO 27001 yet. We build to the principles those frameworks expect, and document our practices clearly. If a formal attestation is a blocker for your team, talk to sales and we will be straight about where we are.
- SOC 2: We follow the operational practices SOC 2 expects (access control, change management, incident response). Not formally attested yet.
- ISO 27001: We work to the principles of ISO 27001 (information security management, risk treatment, policy enforcement). Not formally certified yet.
- EU CRA: Designed to support the operational obligations of the EU Cyber Resilience Act (vulnerability handling, SBOM packaging, evidence retention).
- GDPR data processing addendum: Available on request for Enterprise customers.
Found a security issue?
We take responsible disclosure seriously. If you've found a vulnerability in Quaze, please email security@quaze.io with details. We'll acknowledge within two business days.
Need to dig deeper?
Enterprise customers get access to detailed security documentation, sub-processor terms, and a security questionnaire response under NDA.