Last updated: April 19, 2026
Security is a core feature of VeriQuery, not an afterthought. This page summarises the technical and administrative controls we employ to protect your data.
VeriQuery is hosted on AWS and uses MongoDB Atlas for database storage. Both providers hold SOC 2 Type II and ISO 27001 certifications, meaning their data centres are independently audited for physical and operational security controls including 24/7 guarded access, biometric scanning, and redundant power and cooling.
Every database query is programmatically constrained to the authenticated user's ID at the data-access layer. This prevents Insecure Direct Object Reference (IDOR) vulnerabilities: even if a survey or response record ID were guessed, the query would return no data for any user other than the owner. Logical separation is enforced on every document in the system.
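The owner-scoping pattern described above, shown as an added example that is not VeriQuery's own code. The `owner_id` field name, the `OwnerScoped` wrapper, the `fetch_survey` helper and the in-memory collection are assumptions made for illustration.

```python
class InMemoryCollection:
    """Constructed stand-in for a document store (equality filters only)."""
    def __init__(self, docs):
        self.docs = [dict(d) for d in docs]

    def find(self, flt):
        return [dict(d) for d in self.docs
                if all(d.get(k) == v for k, v in flt.items())]


class OwnerScoped:
    """Data-access wrapper: no query can be issued without the owner constraint."""
    OWNER_FIELD = "owner_id"  # assumed field name, not taken from the page

    def __init__(self, collection, authenticated_user_id):
        if not authenticated_user_id:
            raise PermissionError("no authenticated user")
        self._col = collection
        self._uid = authenticated_user_id

    def _scope(self, flt):
        flt = dict(flt or {})
        # The owner value comes only from the session, never from the caller.
        if self.OWNER_FIELD in flt:
            raise ValueError("owner field is set by the data-access layer")
        flt[self.OWNER_FIELD] = self._uid
        return flt

    def find(self, flt=None):
        return self._col.find(self._scope(flt))

    def get(self, doc_id):
        hits = self.find({"_id": doc_id})
        return hits[0] if hits else None


# Constructed sample data: two surveys with different owners.
SURVEYS = InMemoryCollection([
    {"_id": "s1", "owner_id": "alice", "title": "Onboarding"},
    {"_id": "s2", "owner_id": "bob", "title": "Churn"},
])

def fetch_survey(user_id, survey_id):
    """Handler's view: only the session user and the requested ID are passed in."""
    return OwnerScoped(SURVEYS, user_id).get(survey_id)

if __name__ == "__main__":
    print(fetch_survey("alice", "s1"))  # owner reads their own survey
    print(fetch_survey("alice", "s2"))  # guessed ID owned by someone else
```

Because a guessed ID and a non-existent ID both yield the same empty result, the response does not reveal whether another user's record exists.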
Automated database snapshots are taken daily with cross-region redundancy. We perform quarterly restore tests to verify backup integrity and recovery speed.
In the event of a confirmed security incident involving personal data, we will notify affected account holders by email within 72 hours of confirmation, consistent with GDPR requirements. A notice will also be posted publicly. Our full Incident Response Plan is available to enterprise customers and security reviewers upon request.
If you discover a potential security issue, please contact us at [email protected]. We will acknowledge your report within 48 hours. Please do not disclose the issue publicly until we have had a chance to investigate and address it.
The following documents are available for download. They contain more detailed information about our security controls and incident response procedures.