Security at misquoted.
We measure how accurately AI describes other people's brands. That means we have to take a stricter line on our own.
The honest version.
We measure how accurately AI describes other brands, so we won't overstate our own posture. Here's what's true today across infrastructure, authentication, encryption, and compliance — and what we're still working toward.
The app runs on Cloudflare Workers at the edge; customer data lives in a U.S.-region PostgreSQL database, reached over Cloudflare Hyperdrive. The database connection uses TLS. Cloudflare's network sits in front of every request with DDoS protection and a WAF.
- U.S.-region managed PostgreSQL, via Cloudflare Hyperdrive
- Cloudflare DDoS protection and WAF on every request
- Application-to-database connections require TLS
There is no password to phish, leak, or reuse. Sign-in is a passkey or a one-time magic link; TOTP is supported as a second factor. Recovery codes are stored as scrypt hashes — never in plaintext — and reset attempts are rate-limited.
- WebAuthn passkeys and email magic-link sign-in
- TOTP second factor (RFC 6238)
- Recovery codes hashed with scrypt; rate-limited verification
Traffic to misquoted is served over TLS, terminated at the Cloudflare edge. The database and its backups are encrypted at rest by our managed database provider. Auth endpoints carry HSTS and a strict set of security headers.
- TLS for all traffic, terminated at the Cloudflare edge
- HSTS and strict security headers on authentication endpoints
- Database and backups encrypted at rest by the provider
misquoted launched in 2026 and we are early. We are a small team, and we will not claim certifications we do not hold. Here is what is true today and what we are working toward.
- No SOC 2 report yet — it is on our roadmap, not in hand
- No third-party penetration test on file yet
- GDPR-aligned data handling; DPA available on request
- We will link the artifact here the day a certification is real
How we handle what we learn.
When you scan a domain, we generate a query set, send those queries to third-party AI models, and store the responses verbatim alongside the scores we derive. That bundle is the report. Without it, the report cannot exist.
The report is yours. It's encrypted at rest and scoped to your account — every read is checked against the workspace it belongs to. We do not share it with other customers, and we do not surface it on the public leaderboard unless you explicitly opt in.
For methodology improvement, we aggregate query patterns and scoring signals across all scans — never the raw responses, never anything identifiable. The aggregations stay inside the company.
We do not train AI models on your data. We are not in the foundation-model business and have no plans to be. If our policy on this ever changes, you'll see a 30-day notice email, and the change will be opt-in only.
What's actually wired up.
Not a wish list. These run in the product right now.
Account-scoped access. Every report, scan, and setting is bound to the workspace that owns it, and each request is checked against that boundary before any data is returned.
Audit-logged admin actions. When a member of our team takes a sensitive action on an account — a refund, a suspension, an impersonation session — it is recorded with the actor, the target, and the time before it is allowed to proceed.
Stripe-handled payments. Card details go straight to Stripe and never touch our servers. We store a Stripe reference and your subscription state — never a card number.
Delete a workspace, stop the billing. Deleting a workspace cancels its Stripe subscriptions in the same step — synchronously, not on a delayed job — so a removed workspace is never billed. The workspace is then flagged for deletion and its data removed on our retention schedule.
Per-event email control. Drift alerts, competitor moves, model-release notices, product news — each category is its own switch. One-click unsubscribe (RFC 8058) is honored straight from your inbox, no login required.
We run a responsible-disclosure program. There's no formal bug bounty yet, but we read every report and aim to acknowledge within one business day. Email us and we'll take it from there.
security@misquoted.ai