Built for businesses that take data seriously

Architecture & Tenant Isolation

Each ConfigQuote workspace runs on a dedicated, isolated database. There is no shared data store between accounts — your products, pricing rules, customer details, and quote history are physically separate from every other tenant on the platform.

• Dedicated database per workspace — no row-level multi-tenancy, no shared tables
• API requests are always scoped to the authenticated tenant — cross-tenant data access is impossible at the application layer
• Hosted on isolated managed infrastructure — no noisy-neighbour resource contention on Enterprise plans

Encryption

Data is protected at every layer — whether it is moving between your browser and our servers, or stored on disk.

• In transit: TLS 1.2 or higher enforced on all connections; HTTP requests are redirected to HTTPS
• At rest: AES-256 disk encryption on all database volumes
• Credentials: All sensitive integration credentials (API keys, SMTP passwords) are encrypted before being stored — never persisted in plaintext

Authentication

Access to the admin panel requires a verified account. Authentication is designed to resist brute-force and credential-stuffing attacks.

• Password-based login with bcrypt hashing and rate-limited login attempts
• SSO / SAML 2.0 available on Enterprise plans for central identity provider control
• Sessions are invalidated on logout and expire automatically after inactivity
• All admin actions are performed over authenticated, tenant-scoped sessions

API Security

The ConfigQuote API is used by WooCommerce, Shopify, and Botble integrations to sync products and submit quote requests. All API access is token-authenticated and tenant-scoped.

• Bearer token authentication on all API endpoints — no anonymous access to configuration or quote data
• Every API token is bound to a single tenant — tokens cannot be used to access data from any other workspace
• Rate limiting applied to all public-facing endpoints to prevent abuse
• Webhook payloads from eCommerce platforms are validated before processing

Payment Security

Billing for ConfigQuote subscriptions is handled entirely by Stripe, a PCI DSS Level 1 certified payment processor. ConfigQuote never receives, processes, or stores card numbers, CVV codes, or full PANs.

• Card entry happens directly in Stripe's hosted checkout — your card data never touches our servers
• ConfigQuote is outside PCI scope for cardholder data
• Stripe webhook signatures are verified on every event to prevent forged payment notifications

Backups & Availability

ConfigQuote runs on managed cloud infrastructure with automated backups and monitoring. Your data is not at risk from a single point of failure.

• Automated daily database backups with point-in-time restore capability
• Infrastructure monitored 24/7 with automated alerting and rapid incident response
• Application deployed behind a load-balanced, containerised environment for resilience
• Dependency and security updates are applied on a regular cadence — critical patches are expedited

Responsible Disclosure

If you discover a security vulnerability in ConfigQuote, please report it to us directly and responsibly. We will acknowledge your report within 2 business days and work with you to resolve the issue.

Contact: security@configquote.com

Please do not disclose vulnerabilities publicly until we have had reasonable time to address them.