How we keep your account, your queries, and the platform itself safe.
| Area | What we do |
|---|---|
| HSTS | Submitted to the Chrome HSTS preload list. Once the entry ships, browsers that consume that list (Chrome, Firefox, Safari, Edge) upgrade quintarthai.com to HTTPS before the first request leaves the browser, so plain HTTP is never attempted. |
| TLS | TLS 1.3 only, so only its AEAD cipher suites are offered; legacy RSA key exchange and CBC suites are not negotiable. Certificates from Let's Encrypt (90-day validity) are renewed automatically before expiry. |
| Content Security Policy | 'strict-dynamic' with a fresh nonce per request. An inline script runs only if its nonce attribute matches the one in that response's header; scripts loaded at runtime by a nonced script are trusted transitively, and host allowlists are ignored. Violation reports are posted to /api/v1/csp-report. |
| Frame ancestors | frame-ancestors 'self'. The trading SPA legitimately iframes /app/?embed=trading from the same origin; no third-party origin can frame the site, which rules out clickjacking. |
| Cookies | Session cookies are HttpOnly (not readable by script), Secure (sent over HTTPS only) and SameSite=Strict (never attached to cross-site requests). API authentication uses a JWT carried in the Authorization: Bearer header, not a cookie. |
| CSRF | SameSite=Strict cookies plus header-bound auth. A cross-site form or image request carries neither the session cookie nor an Authorization header, so state-changing endpoints reject cross-origin requests. |
| Hosting | Canadian-controlled VPS (Hostinger KVM, Boston-fronted). Quintessentia Network Inc. (Niagara Falls, ON) is the data controller under PIPEDA. |
| API gating | 29 proprietary endpoints (insider analytics, microstructure, signal-research routes) require authentication, verified by an automated audit on every deploy. Unauthenticated endpoints (/api/v1/themes, /api/v1/status/health, marketing data) form an explicit, minimal allowlist. |
| Database | PostgreSQL with role-based access. Daily pg_dump backups, 30-day retention. |
| Secrets | Loaded from server-side .env files (mode 0600, readable only by the owning account). Never bundled into frontend assets. The JWT signing key is rotated on a schedule. |
| Rate limiting | Nginx limit_req on the /api/ catch-all (burst=20). LLM endpoints have per-user daily quotas (10 / 200 / 500 / unlimited, by pricing tier). |
| Monitoring | Public status page reports 7 components (FastAPI, Postgres, Redis, Ollama, Qdrant, Celery worker, Celery beat), with a 60-second snapshot recorder and 8-day uptime history. |
| PIPEDA | We collect the minimum needed to operate (email, password hash, billing). User queries are retained 90 days for debugging and RLHF, then aggregated. See the Privacy Policy. |
| Quebec Law 25 | French-language privacy notice at /legal/politique-de-confidentialite.html. Cross-border transfers disclosed. |
| Imported broker data | Broker CSV imports stay in your browser's localStorage and are never uploaded to our servers. You can “Reset to demo” from the Portfolio page at any time. |
| Third-party LLM providers | Quinn calls Groq, Anthropic, and locally-hosted Ollama. We do not opt in to any “use my queries to train your model” features. See the AI Transparency page. |
| No PII to ad networks | No third-party trackers, no Facebook pixel, no GA4. We log own-origin telemetry only. |
Email security@quintarthai.com with reproduction steps. We commit to:
We don't have a paid bug-bounty program yet. Responsible disclosure only — please don't test against accounts you don't own.
More questions? hello@quintarthai.com. Last reviewed 2026-04-24.