Trust Center

Trust, privacy, and AI data handling.

Public security and privacy information for customers, OAuth reviews, app marketplace reviews, and security teams evaluating Quickly.

Data collection, use, retention, and rights

Customer responsibilities and AI terms

Security

Encryption, access, audit, and infrastructure

Security Review

Questionnaires, DPA, and architecture calls

Trust posture

Quickly handles customer data to operate the workflows customers configure. We avoid broad claims and document the controls that matter for an AI assistant with tool access.

No model training

Customer Data is not used to train foundation models
Google, Microsoft, Slack, SMS, voice, and integration data is used only to provide configured features
Prompts, outputs, retrieved context, and tool results are processed only to provide, secure, and monitor the Service

Data encryption

OAuth tokens and customer-managed credentials are encrypted at rest
Application data is isolated by workspace and protected by workspace membership checks
Production secrets are managed through Google Cloud Secret Manager and deployment-time configuration

Enterprise access controls

Admins configure users, roles, integrations, approval gates, and AI autonomy modes
Integrations can be disconnected from the Quickly dashboard or the provider account
Tool calls, workflow runs, admin actions, errors, and approvals are logged for audit and support

Transparency

Security, privacy, platform data handling, and subprocessor information are published here
Security questionnaires, DPAs, and architecture walkthroughs are available for business reviews
Workspace deletion and privacy requests can be initiated through product controls or support@askquickly.ai

Platform data handling

These disclosures are written for the integrations and app reviews teams commonly ask about.

Google Workspace

Gmail, Calendar, Drive, and related Google API data is used only for user-facing features you authorize and is handled under Google API Services User Data Policy Limited Use commitments.

Microsoft 365 and Teams

Microsoft Graph and Teams data is used only for authorized workspace, mail, calendar, file, identity, and chat features. It is not sold, used for advertising, or used to train foundation models.

Slack

Slack workspace, channel, user, message, thread, and file data is used to respond in configured Slack surfaces and maintain the context needed for requested actions.

SMS and voice

SMS and voice data is used to route, transcribe, summarize, respond to, and follow up on communications that customers configure. Customers are responsible for recipient consent and opt-out compliance.

Subprocessors

The providers below may process customer data to help us operate, secure, and support the Service. Third-party integrations you authorize may also receive data at your direction.

Provider

Purpose

Data categories

Google Cloud Platform

Hosting, databases, storage, queues, logging, secrets, and infrastructure

Application data, files, logs, secrets, metadata

Google Cloud Vertex AI

AI inference, embeddings, and model routing. Claude, Gemini, and Grok (xAI) models are accessed through Google Vertex AI.

Prompts, outputs, retrieved context, tool results, embeddings

Stripe

Billing, subscriptions, invoices, payments, and tax-related billing records

Billing contact, plan, invoice, payment, and usage metadata

Upstash

Rate limiting, abuse throttling, OAuth state, and short-lived operational coordination

Ephemeral request metadata (IP-derived identifiers, workspace/user IDs, counters, nonces) — no message or document content

Resend

Transactional email from Quickly to account holders (verification, invites, notifications)

Recipient email address and service email content; no customer workspace data

Compliance status

We maintain SOC 2 compliant controls and a SOC 2 audit is planned.

SOC 2

SOC 2 compliant controls are implemented; independent audit planned

GDPR

DPA, subprocessors, and privacy rights workflow available for business customers

DPA

Available on request for business customers

Privacy rights process

Access, correction, deletion, portability, and opt-out requests handled through support@askquickly.ai

Security review

Questionnaires and architecture walkthroughs available through the contact form

Controls

Quickly Security Overview

Quickly's security program is designed and operated to align with the AICPA SOC 2 Trust Services Criteria. We implement SOC 2-aligned controls today and continuously harden them.

Control domain

SOC 2

How Quickly addresses it

Access control & authentication

CC6

SSO / OAuth sign-in (no stored passwords); role-based workspace access; least-privilege, keyless cloud service identities (workload-identity federation and attached service accounts — long-lived exported keys eliminated).

Encryption & key management

CC6.1 / CC6.7

TLS in transit; AES-256-GCM at rest — workspace-scoped data uses a per-workspace key envelope with rotation, and account-level secrets use a managed master key; secrets managed in Google Cloud Secret Manager.

Tenant isolation

CC6

Every data query is scoped to the customer workspace and enforced in code by an automated check; retrieval/RAG data is workspace-filtered.

Secure development (SDLC)

CC7.1 / CC8

Peer-reviewed changes; CI security gates — static analysis (SAST), dependency scanning, and secret scanning; the application production image deploy is additionally blocked on fixable critical/high container vulnerabilities.

Logging & audit

CC7.2

Centralized logging with an audit trail of authentication, access, and administrative events; automated PII redaction in logs.

Infrastructure & network

CC6.6

Runs on Google Cloud (SOC 2 / ISO 27001-certified infrastructure); private VPC networking; managed PostgreSQL with no public IP.

Resilience & recovery

Automated encrypted backups with point-in-time recovery; regional high-availability primary database; health-gated blue/green deploys — a candidate revision must pass health checks before receiving production traffic.

Data privacy

Privacy / C1

Customer data is not used to train foundation models; DPA and a published subprocessor list are available; access, correction, deletion, and portability requests are supported.

Vendor & subprocessor management

CC9

Subprocessors are documented publicly (see Subprocessors above), with the data-handling purpose recorded for each provider.

Need more detail?

We can complete security questionnaires, provide a DPA where applicable, and walk your team through Quickly's architecture.

Request a security review Technical security details