Security

Your playbooks, calls, and roleplays are scoped to your account. We never use one customer’s content to train or improve outputs for another customer. Tenant data is logically isolated in our application and database layers.

Data in transit is protected with TLS 1.2 or higher. Data at rest, including call recordings and transcripts, is encrypted using AES-256. Encryption keys are managed by our cloud provider’s key management service with restricted access.

Administrative access to production systems requires multi-factor authentication and is limited to the smallest group needed to operate the platform. We follow least-privilege principles, review access regularly, and revoke it promptly when no longer needed.

We run automated static and dynamic analysis on every change to the platform, scan dependencies for known vulnerabilities, and require code review before merging. Critical findings are prioritized and remediated under defined SLAs.

The platform runs on reputable cloud providers in SOC 2 attested data centers. We segment networks, restrict ingress with firewalls, and continuously monitor production for anomalous activity.

We have a documented incident response plan covering detection, containment, investigation, recovery, and post-incident review. If a confirmed security incident affects your data, we will notify you without undue delay and, where required by law, within 72 hours.

Production data is backed up on a regular cadence and tested for restoreability. Our platform is built to recover from common cloud-provider failures without data loss.

We assess the security posture of subprocessors before granting them access to customer data and review them on an ongoing basis. A list of subprocessors is available on request.

If you believe you’ve found a security issue in our product or website, please report it to us through LinkedIn. We acknowledge reports within two business days and will work with you on remediation. Please give us a reasonable window before public disclosure.

Quddify is pre-launch and our compliance program is actively maturing. We are working toward SOC 2 Type II attestation and we design our controls to meet GDPR, UK GDPR, and U.S. state privacy law expectations.