Effective date: April 1, 2026
Document version: 2.0
Read together with our Privacy Policy and GDPR Compliance page (which includes the current sub-processors list). Report a security issue at support@quoli.io.
1. Our security principles
Three principles guide every architectural and operational decision we make:
- Least privilege: systems, services, and people only have the access they need to do their job, and no more.
- Defense in depth: multiple independent layers of control so that no single failure exposes data.
- Transparency: when something goes wrong we tell you quickly, clearly, and with the information you need to act.
2. Infrastructure
Quoli runs on Amazon Web Services (AWS) in the us-east-1 and eu-west-1 regions. We use managed services (RDS for relational data, S3 for object storage, Lambda for compute, CloudFront for CDN) so we inherit the underlying physical security, network isolation, and hardware lifecycle management that AWS provides.
All production systems are isolated in private subnets, accessible only via bastion hosts that require multi-factor authentication. There are no public IPs on databases or application servers. Edge traffic terminates at Cloudflare and AWS CloudFront, which provide DDoS protection, web application firewall (WAF) rules, and rate limiting.
3. Encryption
- In transit: all traffic between shoppers, merchants, and Quoli is encrypted using TLS 1.2 or higher. Internal service-to-service traffic uses mutual TLS.
- At rest: all databases, object storage (review photos and videos), and backups are encrypted with AES-256 using keys managed in AWS KMS.
- Secrets: API keys, OAuth tokens, and other credentials are stored in AWS Secrets Manager and rotated on a documented schedule. Secrets are never written to logs or source code.
4. Access controls
Access to production systems is granted only to engineers who need it for their role and only with multi-factor authentication. We use role-based access control (RBAC) with quarterly access reviews. All production console access is logged and monitored.
Merchant accounts use Shopify OAuth for authentication. Quoli does not store merchant Shopify passwords. Team member invitations support email verification and role assignment (Owner, Admin, Editor, Viewer) so you can grant the minimum necessary access to staff and partners.
5. Data isolation
Each merchant's data is logically isolated using a tenant identifier present on every database row, S3 prefix, and API call. Authorization is enforced at the application layer on every read and write: the tenant identifier is taken from the authenticated session, never from user-supplied input, and every query is scoped to it rather than leaving tenancy to the construction of individual queries. Cross-tenant access is prevented by design.
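The pattern described above, as an added example rather than Quoli's own code: the tenant identifier is bound from the authenticated session, every read and write carries it in the query, and object keys are built under a per-tenant prefix. The `TenantContext` and `ReviewStore` names, the SQLite schema, and the sample rows are all constructed for this illustration; an unscoped lookup is included only for contrast.

```python
"""Tenant-scoped data access: added example, not Quoli's code.

The tenant identifier comes from the verified session, every row carries it,
every read and write filters on it, and S3 object keys are built under a
per-tenant prefix. Names, schema and sample data are constructed for this example.
"""
import re
import sqlite3
from dataclasses import dataclass

SCHEMA = """
CREATE TABLE reviews (
    id        INTEGER PRIMARY KEY,
    tenant_id TEXT NOT NULL,
    body      TEXT NOT NULL
);
CREATE INDEX reviews_tenant ON reviews (tenant_id, id);
"""

# Constructed sample data: two merchants share one id space, so an attacker
# who enumerates ids must still be stopped by the tenant filter.
SAMPLE_ROWS = [
    (1, "shop-aaa", "Great product"),
    (2, "shop-bbb", "Arrived late"),
    (3, "shop-aaa", "Would buy again"),
]

_TENANT_RE = re.compile(r"^[a-z0-9-]{1,64}$")


@dataclass(frozen=True)
class TenantContext:
    """Populated from the verified OAuth session, never from request parameters."""
    tenant_id: str

    def __post_init__(self):
        if not _TENANT_RE.match(self.tenant_id):
            raise ValueError("invalid tenant identifier")

    def object_key(self, review_id: int, filename: str) -> str:
        # Per-tenant S3 prefix; the filename is reduced to a safe basename so a
        # caller cannot smuggle "../" into another tenant's prefix.
        safe = re.sub(r"[^A-Za-z0-9._-]", "_", filename.rsplit("/", 1)[-1])
        return f"tenants/{self.tenant_id}/reviews/{review_id}/{safe}"


class ReviewStore:
    def __init__(self, conn: sqlite3.Connection, ctx: TenantContext):
        self._conn = conn
        self._ctx = ctx

    def get(self, review_id: int):
        # Hardened form: the tenant filter is part of every query and bound
        # from the session, so a known id from another tenant returns nothing.
        row = self._conn.execute(
            "SELECT id, body FROM reviews WHERE id = ? AND tenant_id = ?",
            (review_id, self._ctx.tenant_id),
        ).fetchone()
        return None if row is None else {"id": row[0], "body": row[1]}

    def update_body(self, review_id: int, body: str) -> int:
        cur = self._conn.execute(
            "UPDATE reviews SET body = ? WHERE id = ? AND tenant_id = ?",
            (body, review_id, self._ctx.tenant_id),
        )
        return cur.rowcount  # 0 means the row is not this tenant's; nothing changed

    def list_ids(self):
        return [r[0] for r in self._conn.execute(
            "SELECT id FROM reviews WHERE tenant_id = ? ORDER BY id",
            (self._ctx.tenant_id,))]


def unscoped_get(conn: sqlite3.Connection, review_id: int):
    """Weak form for contrast: filters on id only, so any authenticated
    merchant who guesses an id can read another merchant's review."""
    row = conn.execute("SELECT id, body FROM reviews WHERE id = ?", (review_id,)).fetchone()
    return None if row is None else {"id": row[0], "body": row[1]}


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO reviews VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def demo():
    conn = build_db()
    attacker = ReviewStore(conn, TenantContext("shop-bbb"))
    # Review 1 belongs to shop-aaa: the scoped store can neither read nor
    # modify it, while the unscoped lookup leaks it.
    return {
        "scoped": attacker.get(1),
        "unscoped": unscoped_get(conn, 1),
        "updated": attacker.update_body(1, "tampered"),
        "own_ids": attacker.list_ids(),
        "key": TenantContext("shop-bbb").object_key(2, "../../shop-aaa/photo.jpg"),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the contrast is that the hardened store never accepts a tenant identifier as a method argument; the only way to reach another merchant's rows is to hold a session for that merchant.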
Backups are encrypted and stored in a separate AWS account from production, with restricted access. Backup restores are tested at least quarterly.
6. Monitoring and logging
All application servers, API endpoints, and admin consoles emit structured logs that flow into a centralized log store with 90 days of online retention and 1 year of cold storage. Security-relevant events (authentication, authorization, configuration changes, data exports) are forwarded to a SIEM with automated alerting on suspicious patterns.
We monitor for unusual access patterns, failed authentication attempts, privilege escalation, and data exfiltration. Alerts route to an on-call engineer 24/7.
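An added example, not Quoli's own detection logic, of the kind of rule the SIEM alerting above describes: it consumes JSON-lines authentication events, raises an alert when one source address accumulates a burst of failures inside a sliding window, and raises a second alert if a success then arrives from that source (the sign that a guessed credential worked). The event field names, the threshold and window, and the sample log lines are all constructed for this illustration.

```python
"""Alerting over structured auth events: added example, not Quoli's tooling.

Field names, thresholds and the sample lines below are constructed; the
sliding-window logic is what a practitioner would reuse.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5               # failures from one source inside the window
WINDOW = timedelta(minutes=5)

# Constructed sample log (one JSON event per line): a burst from 203.0.113.7,
# one stray failure from another address, a later success from the bursting
# address, and a failure outside the window that should not re-trigger.
SAMPLE_LOG = """\
{"ts":"2026-04-01T10:00:00Z","event":"auth.login","outcome":"failure","actor":"owner@example.com","src_ip":"203.0.113.7"}
{"ts":"2026-04-01T10:00:30Z","event":"auth.login","outcome":"failure","actor":"owner@example.com","src_ip":"203.0.113.7"}
{"ts":"2026-04-01T10:01:00Z","event":"auth.login","outcome":"failure","actor":"editor@example.com","src_ip":"198.51.100.4"}
{"ts":"2026-04-01T10:01:00Z","event":"auth.login","outcome":"failure","actor":"admin@example.com","src_ip":"203.0.113.7"}
{"ts":"2026-04-01T10:01:30Z","event":"auth.login","outcome":"failure","actor":"owner@example.com","src_ip":"203.0.113.7"}
{"ts":"2026-04-01T10:02:00Z","event":"auth.login","outcome":"failure","actor":"owner@example.com","src_ip":"203.0.113.7"}
{"ts":"2026-04-01T10:02:10Z","event":"auth.login","outcome":"success","actor":"owner@example.com","src_ip":"203.0.113.7"}
{"ts":"2026-04-01T10:30:00Z","event":"auth.login","outcome":"failure","actor":"owner@example.com","src_ip":"203.0.113.7"}
{"ts":"2026-04-01T10:31:00Z","event":"config.change","outcome":"success","actor":"owner@example.com","src_ip":"203.0.113.7"}
"""


def parse_ts(s: str) -> datetime:
    # Accept the trailing "Z" on every supported Python version.
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


class AuthBurstDetector:
    def __init__(self, threshold: int = FAIL_THRESHOLD, window: timedelta = WINDOW):
        self.threshold = threshold
        self.window = window
        self._failures = defaultdict(deque)  # src_ip -> timestamps of recent failures

    def _recent(self, src: str, now: datetime) -> deque:
        q = self._failures[src]
        while q and now - q[0] > self.window:   # drop failures outside the window
            q.popleft()
        return q

    def feed(self, event: dict):
        """Return an alert dict for this event, or None."""
        if event.get("event") != "auth.login":
            return None
        now, src = parse_ts(event["ts"]), event["src_ip"]
        q = self._recent(src, now)
        if event["outcome"] == "failure":
            q.append(now)
            if len(q) == self.threshold:         # fire once per burst, not per failure
                return {"alert": "auth_failure_burst", "src_ip": src,
                        "failures": len(q), "ts": event["ts"]}
        elif event["outcome"] == "success" and len(q) >= self.threshold:
            return {"alert": "success_after_burst", "src_ip": src,
                    "actor": event["actor"], "ts": event["ts"]}
        return None


def scan(log_text: str):
    det = AuthBurstDetector()
    alerts = []
    for line in log_text.splitlines():
        if line.strip():
            alert = det.feed(json.loads(line))
            if alert:
                alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(a)
```

Keying the window on source address rather than on account catches password spraying, where each account sees only one failure; a production rule would typically run both keyings and route `success_after_burst` at a higher severity than the burst itself.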
7. Incident response
We have a written incident response plan that defines roles, severity levels, escalation paths, and communication protocols. The plan is reviewed annually and exercised through tabletop drills.
If an incident affects your data, we will notify you within 72 hours of discovery, in accordance with GDPR Article 33 and equivalent obligations under other applicable laws. The notification will describe the nature of the incident, what data was involved, what we are doing to remediate, and recommended steps you can take.
8. Vulnerability management
- Dependency scanning: automated daily scans for known CVEs in third-party libraries. Critical patches deploy within 24 hours; high-severity within 7 days.
- Static analysis: every pull request is scanned for security issues before merge.
- Dynamic application security testing: production endpoints are scanned weekly.
- Penetration testing: third-party penetration tests are performed at least annually. Findings are tracked to remediation with documented timelines.
- Bug bounty: see our responsible disclosure policy below.
9. People and training
Every Quoli employee completes security and privacy training during onboarding and annually thereafter. Engineers complete additional training on secure coding, OWASP Top 10, and our specific architecture controls. Background checks are performed on all employees, subject to local law.
10. Vendor security
We assess every vendor that processes Quoli or merchant data before onboarding, including SOC 2 reports, security questionnaires, and contractual data protection terms. Our current sub-processor list is published on our GDPR & DPA page and we provide 30 days' notice before adding a new sub-processor that processes personal data.
11. Compliance and audits
Quoli is built to align with industry-standard frameworks including:
- SOC 2 Type II: annual audit covering Security, Availability, and Confidentiality. Report available under NDA on request.
- GDPR: we operate as a data processor for shopper data and as a controller for merchant data. See our GDPR & DPA page.
- CCPA: we comply with the California Consumer Privacy Act and California Privacy Rights Act. We do not sell personal data.
- PIPEDA, LGPD, PDPA: we maintain compliance with applicable privacy laws in Canada, Brazil, and Singapore for merchants operating in those regions.
12. Shopify Protected Customer Data
Quoli is approved by Shopify to process Protected Customer Data, including Level 2 Customer Personal Data (name, email, phone, address). We comply with Shopify's Protected Customer Data requirements including data minimization, customer privacy controls, opt-out flows, and a documented retention schedule.
13. Report a vulnerability
Found a security issue in Quoli? We want to know about it. Email support@quoli.io with the subject line "Security report" and include:
- A description of the vulnerability and its potential impact.
- Steps to reproduce.
- Any relevant screenshots, logs, or proof-of-concept code.
- Your contact information so we can follow up.
We commit to acknowledging your report within 2 business days and providing a remediation timeline within 7 business days. We do not take legal action against good-faith security researchers who follow responsible disclosure.