Security Practices

  • Code review: All code changes require review before merging
  • Dependency management: Dependencies are regularly updated and monitored for vulnerabilities
  • Static analysis: Automated security scanning is part of the CI/CD pipeline
  • Penetration testing: Regular vulnerability assessments and penetration tests are conducted
  • Role-based access: Teams support member, manager, and admin roles with distinct permissions
  • API token scoping: API tokens can be scoped to specific teams and set with expiration dates
  • Session management: Users can view and revoke active sessions
  • Audit logging: Document actions are logged with timestamps and IP addresses

Infrastructure Security

The Qwoty cloud service uses the following security measures:
Layer | Implementation
Hosting | AWS infrastructure hosted in EU data centers (Ireland, Paris)
Network | TLS 1.2+ for all connections
Database | Managed database with automated backups and geographic redundancy
Storage | AES-256 encrypted object storage for documents
Monitoring | 24/7 infrastructure monitoring and alerting
Updates | Regular security patches applied to all infrastructure

Data Encryption

All data transmitted to and from Qwoty is encrypted using TLS 1.2 or higher. This includes:
  • Web application traffic
  • API requests
  • Email delivery (when supported by the receiving server)
  • Webhook payloads

For Qwoty Cloud:
  • Database contents are encrypted at rest using AES-256
  • Document storage uses encrypted object storage
  • Backups are encrypted with geographic redundancy
  • Encryption keys are managed with regular key rotation

Authentication Security

Supported Authentication Methods

Method | Description
Email and password | Traditional authentication with hashed passwords
OAuth providers | Google and Microsoft authentication
Team SSO | SAML-based single sign-on for enterprise teams
Two-factor authentication | TOTP-based 2FA with recovery codes

Password Requirements

  • Minimum length enforced
  • Passwords are hashed using bcrypt before storage
  • Password reset tokens are time-limited and single-use

Session Security

  • Sessions can be viewed and revoked from account settings
  • Session tokens are rotated on authentication events
  • Idle sessions expire after a configurable period

Vulnerability Disclosure

Qwoty operates a responsible disclosure process for security vulnerabilities.
If you discover a security vulnerability, please report it by emailing: security@qwoty.io
Include the following information:
  • Description of the vulnerability
  • Steps to reproduce
  • Potential impact
  • Any suggested fixes (optional)

Stage | Timeline
Acknowledgment | Within 48 hours
Initial triage | Within 5 days
Status update | Within 10 days
Resolution target | Depends on severity

  • Qwoty application code
  • Authentication and authorization flaws
  • Data exposure vulnerabilities
  • Injection vulnerabilities
  • Cross-site scripting (XSS)
  • Cross-site request forgery (CSRF)
We acknowledge security researchers who responsibly disclose vulnerabilities. With your permission, we will credit you when the fix is released.
Do not publicly disclose vulnerabilities until they have been addressed. Public disclosure of unpatched vulnerabilities puts users at risk.

Security Updates

Notification

Security updates are announced through:
  • The Qwoty changelog
  • Direct email notification to affected customers when relevant

Update Policy

  • Critical vulnerabilities are patched as quickly as possible
  • Release notes include all security-related changes

Contact

For security-related inquiries: