Security & Privacy

Your context is yours. Here is exactly how we protect it.

Encrypted in transit

All data travels over TLS 1.2+. No plaintext ever leaves your device.

Isolated by design

Your context is bound to your account. No other user or Quint employee can read your facts.

You own your data

Export or delete everything, anytime. No lock-in.

What We Store

What IS stored

  • Facts and context you explicitly write
  • Your account email
  • Usage metadata for billing
  • OAuth tokens (stored encrypted)

What we do NOT store

  • Conversation transcripts
  • Raw message content from AI sessions
  • API keys or credentials (stripped before storing)
  • Payment card details (Stripe handles this)

How We Protect It

Encryption

  • HTTPS/TLS enforced at infrastructure level
  • API keys encrypted at rest using AES-128 (Fernet)
  • Facts encrypted at rest using AES-128 (Fernet). Content is unreadable without an active authenticated session.
  • Authentication tokens are signed JWTs (HS256) with 365-day expiry

Access Control

  • Bearer-only authentication — no tokens in URLs
  • Tokens scoped to a single principal
  • Admin access requires separate high-entropy secret
  • OAuth authorization codes are stored in the database, not in memory, and expire after use

Isolation

  • Every fact tagged with your principal_id at write time
  • No cross-principal queries possible through the API
  • Session states have 4-hour TTL and auto-evict
  • No employee access: fact content is encrypted at rest. Quint employees can view account metadata (email, billing status, usage counts) but cannot read your stored context.

Infrastructure

  • Hosted on Railway (SOC 2 compliant)
  • CDN via Fastly with TLS termination at edge
  • No third-party analytics on API endpoints

Credential Stripping

When your AI writes context to Quint, we scan the content for common credential patterns — API keys, Bearer tokens, private keys — and strip them before storing. This protects you if an AI accidentally tries to save a sensitive credential as a memory.
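An added illustration of this kind of pre-storage scrub, written for this page and not Quint's own code; the regex patterns, the [REDACTED:<kind>] placeholder format and the sample text are constructed assumptions:

```python
import re

# Constructed illustrative patterns for the three credential classes the page
# names (API keys, Bearer tokens, private keys). They are not Quint's own rules.
CREDENTIAL_PATTERNS = [
    # PEM private key blocks span several lines, hence DOTALL.
    ("private_key", re.compile(
        r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----.*?"
        r"-----END (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----", re.DOTALL)),
    # HTTP Authorization bearer tokens.
    ("bearer_token", re.compile(r"(?i)\bBearer\s+[A-Za-z0-9\-._~+/]+=*")),
    # key=value or key: "value" assignments: group 1 is the name, group 2 the value.
    ("api_key", re.compile(
        r"(?i)\b(api[_-]?key|secret|token|password)\b\s*[:=]\s*['\"]?"
        r"([A-Za-z0-9\-._~+/]{16,})['\"]?")),
    # Vendor-style prefixed secret keys (sk_live_..., sk_test_...).
    ("prefixed_key", re.compile(r"\b(?:sk|pk)[-_](?:live|test)?[-_]?[A-Za-z0-9]{16,}\b")),
]

def strip_credentials(text):
    """Replace each credential match with a [REDACTED:<kind>] placeholder.
    Returns (scrubbed_text, findings); findings lists matched kinds in detection
    order so the write path can log counts without logging values. Matching is
    best-effort: secrets in unknown formats pass through, so this complements
    encryption at rest rather than replacing it."""
    findings = []
    for kind, pattern in CREDENTIAL_PATTERNS:
        def redact(m, kind=kind, pattern=pattern):
            findings.append(kind)
            if pattern.groups >= 2:
                # Keep the key name and any quotes; drop only the value.
                whole, start = m.group(0), m.start(0)
                return (whole[:m.start(2) - start] + f"[REDACTED:{kind}]"
                        + whole[m.end(2) - start:])
            return f"[REDACTED:{kind}]"
        text = pattern.sub(redact, text)
    return text, findings

# Constructed sample fact an AI assistant might try to save; every value is fake.
SAMPLE = """User prefers dark mode.
Deploy config: api_key=AKIAEXAMPLE0123456789ABCD region=us-east-1
Auth header was Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1c2VyIn0.abcdef
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAexample
-----END RSA PRIVATE KEY-----
Stripe key: sk_test_constructedExampleKey0001
"""

if __name__ == "__main__":
    print(*strip_credentials(SAMPLE), sep="\n")
```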

Your Rights

Export: Download all your facts as JSON from your dashboard at any time.
Delete: Delete individual facts or your entire account. Deletion is immediate and permanent.
Portability: Your export is standard JSON. Re-importable anywhere that supports the Quint MCP spec.

Contact

Found a vulnerability? Email security@getquint.ai — we respond within 24 hours.