Security

Security at PostQ

We build security infrastructure — so our own security practices must be exemplary. Here’s how we protect your data and systems.

Infrastructure Security

Encryption in Transit

All connections to PostQ are encrypted with TLS 1.3. We enforce HTTPS everywhere and support post-quantum key exchange (X25519Kyber768) where available.

Encryption at Rest

All data is encrypted at rest using AES-256. Database backups and file storage are encrypted with keys managed through dedicated key management infrastructure.

Network Isolation

Production systems run in isolated network segments with strict firewall rules. Internal services communicate over private networks and are not exposed to the public internet.

Application Security

Authentication

We support email/password authentication and OAuth (Google, GitHub). All passwords are hashed with bcrypt. Sessions are managed with short-lived tokens and automatic expiration.

Authorization

Row-level security (RLS) policies enforce data isolation between organizations. Role-based access control (owner, admin, member, viewer) governs what actions users can perform within each organization.

API Security

API keys are hashed before storage. All API endpoints enforce authentication and rate limiting. Input validation prevents injection attacks. CORS policies restrict cross-origin access to authorized domains.

Data Handling

Scan Data Isolation

Scan results are scoped to your organization and are never shared with other users or organizations. We do not use customer data to train models or for any purpose beyond providing the Service.

Data Residency

PostQ infrastructure is hosted in the United States. Enterprise customers can request specific data residency configurations.

Data Deletion

You can delete scan results, assets, and policies at any time. Account deletion removes all personal data within 30 days. Backups are purged on a rolling 90-day schedule.

Development Practices

  • All code changes go through peer review before merging
  • Dependencies are automatically scanned for known vulnerabilities
  • Secrets are never committed to version control — managed via environment variables and vault systems
  • We follow the principle of least privilege for all system access
  • Production deployments are automated with immutable infrastructure

Standards & Compliance

FIPS 203–205
NIST Post-Quantum Standards
TLS 1.3
Enforced for all connections
AES-256
Encryption at rest
RLS
Row-level data isolation

Reporting a Vulnerability

If you discover a security vulnerability in PostQ, please report it responsibly. Email info@postq.dev with a description of the issue. We will acknowledge receipt within 24 hours and aim to resolve critical issues within 72 hours.

We do not pursue legal action against researchers who report vulnerabilities in good faith and follow responsible disclosure practices.

Questions about our security?

Reach out to our security team for questions, reports, or enterprise compliance documentation.

Contact Security TeamContact Us