# Security Overview

> Understanding QuivaWorks' security features and how to protect your account

Security is foundational to QuivaWorks' architecture. This guide provides an overview of platform security and helps you navigate our security documentation.

## Quick Security Setup

New to QuivaWorks? Complete these essential security steps:

<Steps>
  <Step title="Enable MFA">
    Set up multi-factor authentication immediately after creating your account

    [Set up MFA →](/essentials/security/authentication)
  </Step>

  <Step title="Save Recovery Codes">
    Store your recovery codes in a password manager or secure location

    [About recovery codes →](/essentials/security/authentication#recovery-codes)
  </Step>

  <Step title="Review Sessions">
    Check your active login sessions and terminate any you don't recognize

    [Manage sessions →](/essentials/security/sessions)
  </Step>

  <Step title="Secure API Keys">
    If using the API, follow best practices for key management

    [API security guide →](/essentials/security/api-keys)
  </Step>
</Steps>

## Platform Security

### Compliance & Certifications

<CardGroup cols={2}>
  <Card title="ISO 27001" icon="certificate">
    Information security management system certified
  </Card>

  <Card title="SOC 2 Type II" icon="file-shield">
    Coming soon - Independent audit of security controls
  </Card>

  <Card title="GDPR Compliant" icon="scale-balanced">
    Full compliance with EU data protection regulations
  </Card>

  <Card title="PCI DSS" icon="credit-card">
    Payment card data security for billing
  </Card>
</CardGroup>

<Note>
  HIPAA compliance is available on Enterprise plans only. [Contact us](/contact) if you need to process protected health information.
</Note>

### Data Protection

<CardGroup cols={2}>
  <Card title="Encryption" icon="lock">
    **At Rest:** AES-256 encryption for all stored data

    **In Transit:** TLS 1.3 for all communications
  </Card>

  <Card title="Data Residency" icon="globe">
    Choose where your data is processed: EU, US, or Australia

    [Configure regions →](/essentials/account/account-settings#managing-account-regions)
  </Card>

  <Card title="Data Isolation" icon="border-all">
    Multi-tenant architecture with logical separation between accounts
  </Card>

  <Card title="Redundancy" icon="copy">
    Minimum 3 servers per account with continuous replication
  </Card>
</CardGroup>

## Account Security Features

### Authentication & Access Control

<CardGroup cols={2}>
  <Card title="Multi-Factor Authentication" icon="shield-check" href="/essentials/security/authentication">
    Protect your account with passkeys or authenticator apps

    **Setup required for Admin/Root users**
  </Card>

  <Card title="Session Management" icon="clock" href="/essentials/security/sessions">
    Monitor and control active logins across all devices

    **24-hour automatic timeout**
  </Card>

  <Card title="API Keys" icon="code" href="/essentials/security/api-keys">
    Secure programmatic access with managed keys

    **3-month automatic expiration**
  </Card>

  <Card title="Role-Based Access" icon="users-gear" href="/essentials/users/roles-permissions">
    Control permissions with 5 predefined roles

    **Apply least privilege principle**
  </Card>
</CardGroup>

### Security Notifications

You'll receive automatic email alerts for important security events:

* Password changes
* Email address change requests
* New passkeys or MFA devices added
* Recovery codes viewed
* New users added to your account

<Warning>
  If you receive a notification for an action you didn't perform, follow our [Incident Response Guide](/essentials/security/incident-response) immediately.
</Warning>

## Security Best Practices

### Essential Security Measures

<AccordionGroup>
  <Accordion title="For All Users" icon="user">
    * Use a strong, unique password (12+ characters)
    * Enable MFA immediately after account creation
    * Store recovery codes in a password manager
    * Review active sessions monthly
    * Keep your browser and OS updated

    [Detailed user security guide →](/essentials/security/authentication)
  </Accordion>

  <Accordion title="For Administrators" icon="user-shield">
    * Require MFA for all users (especially Admin/Root)
    * Apply least privilege when assigning roles
    * Conduct monthly security audits
    * Implement proper offboarding procedures
    * Provide regular security training

    [User management guide →](/essentials/users/user-management)
  </Accordion>

  <Accordion title="For Developers" icon="code">
    * Never hardcode API keys in source code
    * Use environment variables or secret managers
    * Rotate API keys every 3 months
    * Implement proper error handling
    * Always use HTTPS for API calls

    [API security best practices →](/essentials/security/api-keys)
  </Accordion>
</AccordionGroup>
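As an added illustration of the developer guidance above (this is example code, not QuivaWorks' own SDK or configuration), the following Python snippet reads the key from an environment mapping rather than source, refuses any non-HTTPS endpoint, compares the key's age with the 3-month rotation window described on this page, and redacts the key from error text before it can reach a log. The variable names `QUIVAWORKS_API_KEY`, `QUIVAWORKS_API_KEY_CREATED` and `QUIVAWORKS_API_URL` and the 14-day warning margin are assumptions.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse
# Constructed example: variable names and URL are assumptions, not QuivaWorks'
# real configuration. The 90-day window mirrors the page's 3-month key expiration.
KEY_ENV = "QUIVAWORKS_API_KEY"
KEY_CREATED_ENV = "QUIVAWORKS_API_KEY_CREATED"  # ISO-8601 date the key was issued
URL_ENV = "QUIVAWORKS_API_URL"
ROTATION_PERIOD = timedelta(days=90)
ROTATION_WARNING = timedelta(days=14)  # start warning two weeks before expiry

class ApiConfigError(ValueError):
    """The API configuration is missing or unsafe; the client must not start."""

def _parse_ts(value):
    """Parse an ISO-8601 timestamp string; naive values are treated as UTC."""
    ts = datetime.fromisoformat(value)
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)

def load_api_config(env, now=None):
    """Validate settings from an environment mapping (pass os.environ in practice).
    No key -> fail (never fall back to a hardcoded one); non-HTTPS URL -> fail;
    key age is compared with the rotation period. `now` is an ISO string or None."""
    now = _parse_ts(now) if now else datetime.now(timezone.utc)
    key = env.get(KEY_ENV, "").strip()
    if not key:
        raise ApiConfigError(f"{KEY_ENV} is not set; load it from a secret manager")
    url = env.get(URL_ENV, "")
    parsed = urlparse(url)
    if parsed.scheme != "https" or not parsed.netloc:
        raise ApiConfigError(f"{URL_ENV} must be an https:// URL, got {url!r}")
    try:
        age = now - _parse_ts(env[KEY_CREATED_ENV])
    except (KeyError, ValueError) as exc:
        raise ApiConfigError(f"{KEY_CREATED_ENV} must be an ISO-8601 timestamp") from exc
    return {"key": key, "base_url": url, "key_age_days": age.days,
            "expired": age >= ROTATION_PERIOD,
            "rotate_soon": ROTATION_PERIOD - ROTATION_WARNING <= age < ROTATION_PERIOD}

def redact_secret(message, secret):
    """Mask the key in error text so it never lands in logs or tracebacks."""
    return message.replace(secret, secret[:4] + "****") if secret else message

def config_problem(env, now=None):
    """Return the validation failure as a redacted string, or None if usable."""
    try:
        load_api_config(env, now)
    except ApiConfigError as exc:
        return redact_secret(str(exc), env.get(KEY_ENV, ""))
    return None
```

In real use pass `os.environ` as `env`; `now` accepts an ISO-8601 string only so that the rotation check is reproducible in tests.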

## If Something Goes Wrong

<Card title="Incident Response" icon="triangle-exclamation" href="/essentials/security/incident-response">
  **Suspect a security breach?** Follow our step-by-step incident response guide to secure your account and minimize damage.

  **Common indicators:**

  * Unfamiliar login locations
  * Unexpected account changes
  * Suspicious resource activity
  * Unusual billing charges
</Card>

## Privacy & Data Handling

### What We Collect

We collect only what's necessary to provide our service:

* Account information (email, name, company details)
* Usage information (login activity, API usage, resource modifications)
* Billing information (processed by Stripe)

**We never:**

* Sell your data to third parties
* Use your data to train AI models
* Share data between accounts
* Access your data without permission

### Your Rights Under GDPR

<CardGroup cols={2}>
  <Card title="Right to Access" icon="folder-open">
    Request a copy of your personal data
  </Card>

  <Card title="Right to Rectification" icon="pen">
    Update your information in account settings
  </Card>

  <Card title="Right to Erasure" icon="trash-can">
    Delete your account and all data

    [Close account →](/essentials/account/closing-account)
  </Card>

  <Card title="Right to Portability" icon="download">
    Export your data via buckets
  </Card>
</CardGroup>

Contact [support@quiva.ai](mailto:support@quiva.ai) to exercise your rights.

## Vulnerability Reporting

<Info>
  We appreciate responsible disclosure of security vulnerabilities.
</Info>

If you discover a security issue:

1. **Do not** publicly disclose or exploit the vulnerability
2. Email [support@quiva.ai](mailto:support@quiva.ai) with:
   * Detailed description and steps to reproduce
   * Potential impact assessment
   * Your contact information
3. Allow reasonable time for us to address the issue

**Our commitment:**

* Acknowledge reports within 48 hours
* Provide regular updates on remediation
* Address critical vulnerabilities within 24 hours
* Credit researchers after deployment (if desired)

## Security Resources

<CardGroup cols={2}>
  <Card title="Authentication Guide" icon="lock" href="/essentials/security/authentication">
    Set up MFA, passkeys, and manage passwords
  </Card>

  <Card title="Session Management" icon="clock" href="/essentials/security/sessions">
    Monitor and control active logins
  </Card>

  <Card title="API Key Security" icon="code" href="/essentials/security/api-keys">
    Best practices for programmatic access
  </Card>

  <Card title="Incident Response" icon="triangle-exclamation" href="/essentials/security/incident-response">
    What to do if your account is compromised
  </Card>

  <Card title="User Management" icon="users" href="/essentials/users/user-management">
    Control team access and permissions
  </Card>

  <Card title="Privacy Policy" icon="file-contract" href="https://quiva.ai/legal.html#privacy">
    Complete privacy policy and data practices
  </Card>
</CardGroup>

## Security Checklist

Quick reference for maintaining account security:

### Initial Setup

* [ ] Enable MFA (passkey or authenticator app)
* [ ] Save recovery codes securely
* [ ] Configure account regions for compliance
* [ ] Set up strong, unique password

### Monthly

* [ ] Review all active sessions
* [ ] Audit active API keys
* [ ] Check for unused user accounts
* [ ] Verify billing activity

### Quarterly

* [ ] Review user roles and permissions
* [ ] Rotate API keys
* [ ] Update security documentation
* [ ] Conduct team security training

### As Needed

* [ ] Follow offboarding procedures for departing users
* [ ] Investigate security notification emails
* [ ] Review incident response plan
* [ ] Update emergency contact information

## Getting Help

<CardGroup cols={3}>
  <Card title="Security Issues" icon="shield-halved" href="mailto:support@quiva.ai">
    [support@quiva.ai](mailto:support@quiva.ai)

    Vulnerabilities and incidents
  </Card>

  <Card title="Privacy Questions" icon="user-lock" href="mailto:support@quiva.ai">
    [support@quiva.ai](mailto:support@quiva.ai)

    GDPR and data privacy
  </Card>

  <Card title="General Support" icon="life-ring" href="https://quiva.ai/help-center/">
    Account and technical support
  </Card>
</CardGroup>
