Security at Queath
Last updated: July 2026
Queath is built on a simple principle: be trusted with less. The product is designed around references and instructions (where things are, who to call) rather than collecting your secrets. What you do store is protected in depth.
Data protection
- All traffic is encrypted in transit (HTTPS/TLS).
- Uploaded documents are encrypted with AES-256-GCM before reaching storage; buckets are private and access is via signed, expiring URLs.
- Passwords are hashed with bcrypt; sessions are stored server-side and revocable.
- Database and storage are backed by managed, encrypted infrastructure with backups.
Access control
- Everything is private by default. Trusted contacts see only what you explicitly grant.
- Object-level authorization on every request: users can only reach their own records.
- Emergency access requires your configured workflow: notification, waiting period, and your approval, with instant denial available.
- “Who can see what” shows every grant in one place, with one-click revoke.
Accountability
- Sensitive actions (sign-ins, document access, permission changes, emergency requests, report generation, AI processing) are recorded in an audit log you can review.
- AI/OCR processing runs only with per-document consent, is metered, logged, and deletable.
What we avoid on purpose
- No advertising, no third-party trackers, no data resale; the architecture excludes them.
- No storage of raw passwords or secrets in the standard vault; it holds references and instructions. (An encrypted secrets module with separate consent and recovery design is planned as a distinct premium feature.)
Reporting
Found a vulnerability? Report it through our contact form and choose the security topic. We appreciate responsible disclosure and respond quickly.