Security Overview
Last updated: February 23, 2026
A plain-language summary of how QualMill protects your data.
How Your Data Flows
YouBrowser
HTTPS
QualMillVercel
→→→
↓
SupabaseStorage
AnthropicAI
StripePayments
- Your browser connects to QualMill over encrypted HTTPS
- Transcripts and project data stored in Supabase (encrypted at rest)
- Text content sent to Anthropic for AI processing (not stored long-term)
- Payment info handled by Stripe (never touches our servers)
Infrastructure Security
| Layer | Provider | Compliance | What It Means |
|---|---|---|---|
| Hosting | Vercel | SOC 2 Type II | Application runs on enterprise-grade infrastructure with continuous security monitoring |
| Database | Supabase | SOC 2 Type II | Your data is stored with encryption at rest and row-level access controls |
| AI Processing | Anthropic | Commercial Terms | Content processed via API is not used for model training |
| Payments | Stripe | PCI DSS Level 1 | Credit card data never touches QualMill servers |
Data Protection
Encryption in Transit
All data between your browser and our servers is encrypted using TLS 1.2+. We enforce HTTPS on all connections.
Encryption at Rest
Data stored in our database is encrypted at rest using AES-256 encryption provided by our infrastructure.
Access Controls
- Row-level security ensures users can only access their own projects and data
- Internal access to customer data is role-based, logged, and restricted to authorized personnel
- No customer data is accessed without explicit need (e.g., support request)
Authentication
- Secure session management with automatic expiration
- Passwords hashed using industry-standard algorithms (never stored in plain text)
- Magic link authentication available
AI Processing
QualMill uses Anthropic's Claude API to process transcripts and generate reports.
What gets sent to Anthropic:
- ✓Transcript text (extracted from your uploads)
- ✓Project context (objectives, discussion guide, if provided)
- ✓Your prompts and instructions
What does NOT get sent:
- ✗Original uploaded files (we extract text locally)
- ✗Payment information
- ✗Account credentials
Anthropic's data handling:
- API inputs are not used to train models (per Anthropic's Commercial Terms)
- Anthropic may retain inputs for up to 30 days for abuse monitoring
- After 30 days, data is deleted from Anthropic's systems
Data Retention & Deletion
While your account is active:
- All project data retained and accessible
- You control what stays and what gets deleted
When you delete data:
- Deletion is immediate from our active database
- Backups may retain deleted data for up to 7 days
- Backups are encrypted and access-controlled
When you delete your account:
- All data is permanently deleted
- Stripe subscription is cancelled
- Process completes within 7 days (backup cycle)
What We Don't Do
- ✗Sell your data
- ✗Use your content for advertising
- ✗Train AI models on your data
- ✗Share data with third parties (except subprocessors listed above)
- ✗Access your projects without your permission
HIPAA Disclaimer
QualMill is not HIPAA compliant and does not offer a Business Associate Agreement (BAA). Do not upload protected health information (PHI) or data subject to HIPAA regulations.
Questions?
Contact us at support@qualmill.app for security questions or to request additional documentation.