Security & compliance

Transport#

All production API traffic must use HTTPS. Do not send API keys over unencrypted channels.

Key storage#

• Store keys in a secrets manager or deployment environment — never in git.
• Rotate keys on a schedule and after personnel changes.
• Browser sandbox keys are public-by-design; use read-only pilot scopes.

Responsible disclosure#

Report security issues to founders@qtangl.com. We will acknowledge receipt within two business days during the pilot.

Compliance roadmap#

SOC 2 readiness and formal data processing agreements are planned for production tenants. Pilot deployments should not process regulated PHI without a signed agreement.