Security

QuickHitch runs on Vercel and Neon Postgres in US regions. Every tenant-owned database row carries an organization identifier, and every server query is scoped through that identifier so no cross-organization read is possible from application code.

Uploaded documents are stored in Vercel Blob with unguessable URLs that never leave our server. The application proxies all document reads through authenticated endpoints; raw blob URLs are never exposed to the browser.

All connections to QuickHitch use TLS 1.2 or higher. The database, blob storage, and background queue are encrypted at rest using AES-256. Secrets are stored in Vercel environment variables and Upstash, never in source control.

Engineering access to production is limited to named individuals with multi-factor authentication. Access is reviewed quarterly. Customer data is not accessed except for incident response or with explicit customer authorization.

When you ask the QuickHitch agent a question, the prompt and only the data needed to answer it are sent to our model provider (Anthropic). We have a data processing agreement in place with our provider; your data is not used to train shared models.

We monitor production for errors and unusual access patterns. In the event of a security incident that affects customer data, we will notify affected organizations within 72 hours of confirming the incident, with the information available at that time and a plan for remediation.

The database is backed up continuously via Neon point-in-time recovery. Blob storage is durable across multiple availability zones. Restoration procedures are tested periodically.

If you believe you have found a security vulnerability, please email security@quickhitch.app. We will acknowledge within one business day and keep you informed through resolution.