Trust

Security at QEEK

QEEK is built for teams who connect real codebases. This page describes how we protect your data, infrastructure, and intellectual property.

Last updated: June 2026

Our Commitment

QEEK, Inc. treats security as a product requirement, not an afterthought. We design for least privilege, encrypt sensitive data, and continuously improve our controls as the platform evolves. For how we handle personal and codebase data specifically, see our Privacy Policy.

Infrastructure & Hosting

QEEK runs on industry-standard cloud infrastructure with clear separation between services:

  • Backend services on Google Cloud Platform (Firebase, Cloud Functions, Cloud Run, Firestore, Cloud Storage, Realtime Database, Cloud KMS, Secret Manager)
  • Web application (my.qeek.ai) hosted on Vercel
  • Marketing site (qeek.ai) hosted on Vercel
  • Primary data region: us-central1 (Google Cloud)
  • DNS managed via Cloudflare

Encryption

In transit

  • All client and API traffic is served over HTTPS/TLS
  • Firebase Web API keys restricted to approved application origins
  • Webhook endpoints verify signatures using timing-safe comparison

At rest

  • Secrets and integration tokens encrypted with Google Cloud KMS
  • API tokens stored as hashes — plaintext tokens are never persisted after issuance
  • Repository sync files in Cloud Storage can be encrypted with AES-256-GCM envelope encryption (per-account, feature-gated)
  • Data encryption keys for repo sync transported via short-lived Secret Manager secrets

Authentication & Access Control

  • User authentication via Firebase Auth (email/password and supported OAuth providers)
  • New user registration is invite-only — sign-up requires a valid beta or team invitation
  • Multi-factor authentication (TOTP) available in account settings and for step-up on sensitive admin actions
  • Role-based access control enforced in Cloud Functions, Firestore, and Cloud Storage security rules
  • Workspace-scoped data isolation — users can only access accounts they belong to
  • Admin operations require verified admin role and MFA verification; privileged actions are audit-logged
  • Long-lived API tokens scoped to accounts with hashed storage and revocation support

Code & Data Handling

Your source code is valuable intellectual property. Our default architecture minimizes retention:

  • We do not permanently store full source code files by default — we process code from GitHub to create embeddings and analysis
  • Truncated code previews and AST-level metadata are stored for semantic search and documentation features
  • AI features that need live code fetch it from GitHub in real time rather than from a long-term code mirror
  • When repository sync is enabled, synced files are stored in isolated Cloud Storage paths with optional encryption at rest
  • You can delete your account and associated data at any time

See our Privacy Policy for a full breakdown of what we collect and how we use it.

Application Security

We use a combination of preventive controls and automated testing:

  • Firebase App Check enforced on client access to Authentication, Firestore, Realtime Database, and Cloud Functions
  • Input validation and prompt sanitization for AI/agent workflows
  • Firestore and Cloud Storage security rules reviewed and tightened on an ongoing basis
  • Rate limiting, CORS restrictions, and security headers on backend and web application services
  • Static analysis (CodeQL, Semgrep with baseline gates) and security-focused dependency scanning (Dependabot) in CI across application repositories
  • Passive dynamic scanning (OWASP ZAP baseline) against production and staging web surfaces
  • Regular internal security assessments with findings tracked in a remediation backlog
  • STRIDE threat modeling for core surfaces (auth, IDE/MCP integration, agent runtime)

Subprocessors

QEEK relies on the following categories of third-party services to operate:

  • Google Cloud Platform / Firebase — compute, database, storage, secrets, and authentication
  • Vercel — frontend and marketing site hosting
  • GitHub — repository access and webhook delivery
  • Stripe — payment processing (Stripe handles card data; QEEK does not store payment card numbers)
  • Resend — transactional email
  • Sentry — error monitoring
  • LLM providers (e.g., Google Gemini, OpenAI, xAI) — AI analysis and generation, subject to your configured features

A dedicated subprocessor list page is in progress. Contact us if you need a current list for vendor review.

Compliance

QEEK is working towards SOC 2 Type 2 certification. We do not currently hold ISO 27001, HIPAA, PCI, or FedRAMP certifications.

  • Privacy Policy published at qeek.ai/privacy
  • CCPA and GDPR-aligned data practices described in our Privacy Policy
  • Payment card data handled by Stripe (PCI-compliant processor)
  • Formal compliance reports available upon request as our certification program matures

Report a Vulnerability

If you believe you have found a security vulnerability in QEEK, please report it responsibly. Do not disclose the issue publicly until we have had a reasonable opportunity to investigate and remediate.

Email contact@qeek.ai with the subject line "Security Vulnerability Report" and include:

  • A description of the vulnerability and its potential impact
  • Steps to reproduce, including affected URLs or endpoints
  • Your contact information for follow-up

We aim to acknowledge reports within five business days.

Security Questions

For security questionnaires, vendor reviews, or general security inquiries, contact QEEK, Inc. at contact@qeek.ai.