Security Policy

Last updated: March 16, 2026

At McQuizzy Inc. ("we", "us", or "our"), the security of your data is a top priority. This Security Policy describes the measures we take to protect your information when you use the McQuizzy website at mcquizzy.com (the "Service").

1. Infrastructure Security

We use industry-leading cloud infrastructure providers to host our Service. Our infrastructure includes:

Hosting: Our application is hosted on Railway with automatic scaling and redundancy.
Database: We use Supabase (built on PostgreSQL) with automated backups, encryption at rest, and row-level security.
CDN: Static assets are served through a content delivery network for performance and DDoS protection.
SSL/TLS: All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher.

2. Authentication and Access Control

Authentication: We use Clerk for authentication, providing secure sign-in with support for multi-factor authentication (MFA), social login, and passwordless authentication.
Session management: Sessions are securely managed with automatic expiration and token rotation.
Role-based access: Internal systems use role-based access control (RBAC) to ensure employees only access data necessary for their role.

3. Data Encryption

In transit: All data is encrypted in transit using TLS 1.2 or higher.
At rest: All data stored in our databases is encrypted at rest using AES-256 encryption.
Payment data: We use Stripe for payment processing. We never store credit card numbers, CVVs, or other sensitive payment data on our servers. Stripe is PCI DSS Level 1 certified.

4. Application Security

Input validation: All user inputs are validated and sanitized using Zod schemas to prevent injection attacks.
CSRF protection: Cross-site request forgery protections are implemented across the Service.
Rate limiting: API endpoints are rate-limited to prevent abuse and denial-of-service attacks.
Dependency scanning: We regularly scan our dependencies for known vulnerabilities and apply security patches promptly.

5. AI and Data Processing Security

When processing your data through AI features:

We use secure API connections to communicate with AI providers.
Your personal data is not used to train third-party AI models.
AI processing is performed with minimal data exposure. only the data necessary for the specific feature is sent to the AI provider.
We have data processing agreements in place with all AI providers.

6. Monitoring and Incident Response

Monitoring: We continuously monitor our systems for unusual activity, security threats, and performance issues.
Logging: Security-relevant events are logged and retained for analysis and audit purposes.
Incident response: We have an incident response plan in place. In the event of a security breach, we will notify affected users in accordance with applicable laws and regulations.

7. Responsible Disclosure

We value the security community and encourage responsible disclosure of security vulnerabilities. If you discover a security vulnerability in our Service, please report it to us at legal@mcquizzy.ai.

When reporting a vulnerability, please:

Provide a detailed description of the vulnerability and steps to reproduce it.
Allow us reasonable time to investigate and address the issue before making any information public.
Do not access, modify, or delete data belonging to other users.
Do not perform any actions that could negatively impact the Service or its users.

8. Employee Security Practices

All team members undergo security awareness training.
Access to production systems is restricted and logged.
We follow the principle of least privilege for all internal access.
Code changes require peer review before deployment.

9. Compliance

We are committed to maintaining compliance with applicable data protection regulations. For more information, see our Privacy Policy and Data Processing Agreement.

10. Contact Us

If you have any questions about this Security Policy or wish to report a security concern, please contact us at legal@mcquizzy.ai.

1. Infrastructure Security

We use industry-leading cloud infrastructure providers to host our Service. Our infrastructure includes:

Hosting: Our application is hosted on Railway with automatic scaling and redundancy.

Database: We use Supabase (built on PostgreSQL) with automated backups, encryption at rest, and row-level security.

CDN: Static assets are served through a content delivery network for performance and DDoS protection.

SSL/TLS: All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher.

2. Authentication and Access Control

Authentication: We use Clerk for authentication, providing secure sign-in with support for multi-factor authentication (MFA), social login, and passwordless authentication.

Session management: Sessions are securely managed with automatic expiration and token rotation.

Role-based access: Internal systems use role-based access control (RBAC) to ensure employees only access data necessary for their role.

3. Data Encryption

In transit: All data is encrypted in transit using TLS 1.2 or higher.

At rest: All data stored in our databases is encrypted at rest using AES-256 encryption.

Payment data: We use Stripe for payment processing. We never store credit card numbers, CVVs, or other sensitive payment data on our servers. Stripe is PCI DSS Level 1 certified.

4. Application Security

Input validation: All user inputs are validated and sanitized using Zod schemas to prevent injection attacks.

CSRF protection: Cross-site request forgery protections are implemented across the Service.

Rate limiting: API endpoints are rate-limited to prevent abuse and denial-of-service attacks.

Dependency scanning: We regularly scan our dependencies for known vulnerabilities and apply security patches promptly.

5. AI and Data Processing Security

When processing your data through AI features:

We use secure API connections to communicate with AI providers.

Your personal data is not used to train third-party AI models.

AI processing is performed with minimal data exposure. only the data necessary for the specific feature is sent to the AI provider.

We have data processing agreements in place with all AI providers.

6. Monitoring and Incident Response

Monitoring: We continuously monitor our systems for unusual activity, security threats, and performance issues.

Logging: Security-relevant events are logged and retained for analysis and audit purposes.

Incident response: We have an incident response plan in place. In the event of a security breach, we will notify affected users in accordance with applicable laws and regulations.

7. Responsible Disclosure

We value the security community and encourage responsible disclosure of security vulnerabilities. If you discover a security vulnerability in our Service, please report it to us at legal@mcquizzy.ai.

When reporting a vulnerability, please:

Provide a detailed description of the vulnerability and steps to reproduce it.

Allow us reasonable time to investigate and address the issue before making any information public.

Do not access, modify, or delete data belonging to other users.

Do not perform any actions that could negatively impact the Service or its users.

Legal

Security Policy

1. Infrastructure Security

2. Authentication and Access Control

3. Data Encryption

4. Application Security

5. AI and Data Processing Security

6. Monitoring and Incident Response

7. Responsible Disclosure

8. Employee Security Practices

9. Compliance

10. Contact Us

Legal

Security Policy

1. Infrastructure Security

2. Authentication and Access Control

3. Data Encryption

4. Application Security

5. AI and Data Processing Security

6. Monitoring and Incident Response

7. Responsible Disclosure

8. Employee Security Practices

9. Compliance

10. Contact Us