SECURITY PRACTICES
Quotely Labs Inc.
Last Updated: May 8th, 2026
1. Introduction
Our customers depend on Quotely to provide AI-powered quoting software at speed and scale. In today’s sophisticated security landscape, Quotely has implemented industry-leading security practices and controls to keep our customers’ business data safe. This document provides an overview of Quotely’s data security practices, both internally and across various environments.
Quotely is a Canadian corporation subject to the Personal Information Protection and Electronic Documents Act (PIPEDA), applicable provincial privacy laws including Quebec’s Law 25, and, where applicable, the EU General Data Protection Regulation (GDPR) and UK data protection legislation. This document is intended to help customers and partners understand how we protect the data entrusted to us.
2. Compliance
Quotely’s products are designed to serve a growing number of use cases. As some of those use cases may involve regulated forms of data, customers are ultimately responsible for complying with the laws governing the data they submit to Quotely, including laws regarding the privacy and protection of personal, sensitive, and/or financial data. Quotely provides assistance to help customers meet their compliance goals, as described in our Data Protection Agreement (DPA).
Quotely maintains a suite of rigorous security policies that meet or exceed industry standards. The specifics of Quotely’s security practices are described in detail below.
For Canadian Residents
Canadian residents have specific privacy protections under PIPEDA and applicable provincial legislation (including Quebec’s Act respecting the protection of personal information in the private sector — Law 25/Bill 64), as described in Quotely’s Privacy Policy.
For U.S. Residents
U.S. residents in states with applicable privacy laws (including California, Colorado, Connecticut, Utah, and Virginia) have specific protections as described in Quotely’s Privacy Policy and DPA Appendix 5.
For EU and UK Residents
EU and UK residents have specific protections under the GDPR and UK data protection legislation as described in Quotely’s Privacy Policy and Data Protection Agreement.
3. Privacy & Compliance Officers
Quotely has designated the following individuals responsible for privacy and security compliance:
Data Protection Officer (DPO): Simon Bullard
Security Contact: simon@quoteperfectly.com
As required by the GDPR (where applicable), Quotely has appointed a Data Protection Officer. Data subjects wishing to exercise their rights under applicable privacy law (including rights to access, correction, restriction, and deletion of personal data) may contact the DPO at the email address above.
4. Physical Security
Quotely personnel are trained on policies and proper security steps that must be taken with office equipment such as laptops, printers, mobile devices, removable media, and visible office spaces (such as desks and screens). Specifically:
- All company-issued laptops and mobile devices are protected with full-disk encryption and screen lock policies.
- Employees are required to lock their screens when leaving their workstations unattended.
- Physical access to offices and server rooms (where applicable) is restricted to authorized personnel.
- Visitors to Quotely’s facilities must be signed in and escorted by a Quotely employee.
- Employees are trained on clean-desk policies to prevent unauthorized viewing of confidential information.
- Removable media (USB drives, external drives) are subject to use restrictions and must be encrypted if used to store customer data.
Quotely’s primary infrastructure is hosted in certified cloud environments with physical security controls maintained by the cloud provider (see Section 8: Data Storage & Cloud Infrastructure).
5. Access Controls
Quotely restricts access to confidential information (including customer data), networks, and other resources based on job function and business need. Access is governed by the principle of least privilege.
5.1 Role-Based Access Control (RBAC)
Quotely’s platform provides role-based access control, allowing customers to restrict data access to authorized personnel only. The following roles are available within the Quotely platform:
- Standard User: Can view and interact with quotes and customer data assigned to them. Suitable for frontline staff generating and managing quotes.
- Manager: Has all Standard User permissions, plus the ability to view team-level reporting and manage assigned staff. Cannot modify account-wide settings.
- Administrator: Has full permissions including account-wide settings, user management, and access to all customer data within the account. This role should be assigned to a limited number of individuals.
5.2 Internal Systems Access
For access to Quotely’s internal corporate systems and production infrastructure:
- All requests for new or modified access are submitted, reviewed, and logged.
- Quotely uses identity management software with multi-factor authentication (MFA) required for all accounts with access to production systems or customer data.
- Access to production environments, source code repositories, and cloud services is restricted to authorized engineering and operations personnel.
- Access privileges (including administrator privileges) are tailored to job function and require management approval.
- Access is reviewed at least quarterly; access for departing employees is revoked within 24 hours of their last day.
6. Email Security
Quotely protects inbound and outbound email using modern authentication, verification, and scanning standards to prevent spoofing, phishing, and impersonation:
- SPF (Sender Policy Framework): Publishes authorized sending IP addresses to prevent unauthorized senders from using Quotely’s domain.
- DKIM (DomainKeys Identified Mail): Digitally signs outbound emails to verify authenticity and detect tampering in transit.
- DMARC (Domain-based Message Authentication, Reporting & Conformance): Enforces SPF and DKIM policies and provides reporting to detect unauthorized email use.
- Email scanning: Automated scanning of incoming and outgoing emails for malware, phishing, and spam.
These protections apply both to employee mailboxes and to automated software-generated messages (such as quote notifications and password reset links) to minimize the risk of impersonation across all of Quotely’s communications.
7. Encryption
7.1 Data Encryption In Transit
Quotely uses industry-standard TLS (Transport Layer Security) 1.2 or higher for all data transmitted between customers and Quotely’s servers. This means:
- All connections to Quotely’s web application, APIs, and services are encrypted in transit.
- HTTPS is enforced across all endpoints; unencrypted HTTP connections are rejected or redirected.
- SSL/TLS configurations are routinely monitored and updated to comply with current best practices and deprecate weak cipher suites.
7.2 Data Encryption at Rest
All Customer Personal Data stored by Quotely is encrypted at rest using AES-256 (Advanced Encryption Standard with 256-bit keys). This applies to:
- Textual data stored in Quotely’s primary database
- Images and multimedia files submitted by customers for the purpose of receiving a quote
- Backups and snapshots of customer data
Encryption at rest cannot be disabled for any customer deployment.
8. Data Storage & Cloud Infrastructure
Quotely’s platform is hosted on industry-leading cloud infrastructure. Customer data is stored in secure, access-controlled cloud environments with the following characteristics:
- Primary database and application servers are hosted on [Cloud Provider: Azure / Google Cloud], which maintains SOC 2 Type II, ISO 27001, and other certifications.
- Customer-submitted images and multimedia files are stored in secure object storage (Azure) with server-side encryption and access controls.
- All cloud resources are managed using infrastructure-as-code practices to ensure consistent, auditable configuration.
- Access to cloud environments is restricted to authorized Quotely personnel and requires MFA.
- Cloud provider physical security controls include 24/7 surveillance, access card systems, and on-site security personnel at data center facilities.
Customer data is stored in Canada where possible. Where data must be stored or processed outside Canada (for example, when using third-party Subprocessors), Quotely ensures appropriate safeguards are in place as described in the DPA.
9. Data Backups & Resilience
All data submitted to Quotely is backed up to ensure resilience against natural disasters, hardware failures, or other disruptions:
- Databases are snapshotted automatically on a regular schedule (at minimum daily) and retained for a minimum of 30 days.
- Multimedia uploads (including customer-submitted images) are backed up to a geographically separate storage location.
- Backup integrity is tested periodically to ensure restorability.
- Access to backup data is controlled by the same role-based access and MFA requirements as production data.
Quotely maintains a Business Continuity and Disaster Recovery (BCDR) plan that is reviewed and tested at least annually.
10. Payment Security
Quotely integrates with PCI DSS-compliant third-party payment processors (including Stripe) for payment processing. As a result:
- Quotely does not store, transmit, or process full payment card numbers (PANs) on its own systems.
- Payment credentials are collected and handled exclusively by the payment processor’s secure, PCI DSS-certified environment.
- Quotely retains only tokenized payment references provided by the payment processor for the purpose of billing and subscription management.
- Quotely’s integration with payment processors is reviewed periodically to ensure compliance with current PCI DSS requirements.
11. Intrusion Detection & Vulnerability Management
Quotely employs a layered approach to detecting and responding to security threats:
- Cloud-based vulnerability scanning is performed regularly to detect server misconfigurations, missing security patches, encryption weaknesses, and common application vulnerabilities (including SQL injection and cross-site scripting).
- Automated alerting is in place for anomalous access patterns, failed authentication attempts, and unusual data access events.
- Application-layer security controls, including input validation and output encoding, are implemented across Quotely’s web application and APIs.
- Security patches for operating systems, runtime environments, and third-party dependencies are applied on a regular cadence.
- Quotely conducts or commissions penetration testing periodically. Results are reviewed and remediation actions are tracked to completion.
Customers may request information about Quotely’s vulnerability management practices by contacting team@quoteperfectly.com.
12. Secure Disposal
When Customer Personal Data is no longer required (for example, upon termination of the Principal Agreement or at Customer’s request), Quotely ensures secure disposal of such data:
- Customer data is deleted from production systems within 90 days of the Relevant Date (as defined in the DPA), unless retention is required by applicable law.
- Deletion procedures ensure that data cannot be recovered or reconstructed after deletion (i.e., secure erasure or cryptographic erasure is used).
- Backups containing Customer Personal Data are purged in accordance with the applicable backup retention schedule.
- Upon request, Quotely will provide written certification that Customer Personal Data has been securely deleted.
For hardware decommissioning, all storage media is securely wiped or physically destroyed in accordance with industry standards (NIST 800-88 or equivalent) before disposal or reuse.
13. Vendor & Subprocessor Management
Quotely retains suppliers, subprocessors, and other vendors (“Vendors”) who may from time to time perform services for Quotely or for customers on Quotely’s behalf. Quotely only retains those Vendors that meet Quotely’s security criteria to ensure they provide at least the same level of protection to customer data as Quotely does.
- Quotely conducts security due diligence on all Vendors prior to engagement, including review of their security certifications, policies, and practices.
- Vendors are bound by written data processing agreements that impose data protection obligations at least as protective as those in Quotely’s DPA.
- Vendors are provided access only to the customer data strictly necessary for their function.
- Quotely maintains a list of approved Subprocessors, which is available to customers upon request and referenced in the DPA.
- Periodically, Quotely may ask a Vendor to re-evaluate its security posture to ensure continued compliance with evolving privacy and security requirements.
14. Employee Security Training
Quotely maintains a security-aware culture through ongoing employee education and policy enforcement:
- All new employees complete security and privacy awareness training as part of onboarding.
- Ongoing training is provided at least annually, covering topics including phishing awareness, secure data handling, incident reporting, and acceptable use policies.
- Employees with access to customer data sign confidentiality agreements and are trained on data handling responsibilities.
- Quotely maintains and enforces an Acceptable Use Policy governing the use of company systems, devices, and data.
15. Incident Response & Breach Notification
Quotely maintains a documented Incident Response Plan (IRP) to ensure rapid, coordinated, and effective response to security incidents:
- Security incidents are triaged, contained, and investigated as a priority.
- In the event of a Personal Data Breach (as defined in Quotely’s DPA), Quotely will notify affected customers without undue delay and in any event within 72 hours of becoming aware of the breach.
- Breach notifications will include the nature of the breach, categories and approximate number of individuals affected, likely consequences, and remediation steps taken or planned.
- Quotely cooperates with customers and relevant regulatory authorities (including the Office of the Privacy Commissioner of Canada and applicable EU/UK supervisory authorities) in the investigation and reporting of incidents.
- Post-incident reviews are conducted to identify root cause and prevent recurrence.
Customers should report any suspected security incidents involving Quotely’s services to team@quoteperfectly.com.
16. Responsible Disclosure: Reporting a Vulnerability
If you believe you have found a security vulnerability in any Quotely property, please report it responsibly to team@quoteperfectly.com. We review all reports and may offer recognition or reward for vulnerability reports that, on review, genuinely help improve Quotely’s security.
Please include the following information when reporting a vulnerability:
- Description of the vulnerability.
- Category (e.g., DoS, XSS, CSRF, Information Leak, SQL Injection, Authentication Bypass, Remote Code Execution, etc.).
- Steps to reproduce the vulnerability.
- Browser, OS, and/or platform, if relevant.
- How you found the bug (e.g., automated scanner, manual testing, custom tooling).
- Whether you believe this vulnerability is being actively exploited.
Quotely asks that you act in good faith: please do not access, modify, or exfiltrate customer data beyond what is necessary to demonstrate the vulnerability, and please allow us reasonable time to investigate and remediate before any public disclosure.
17. Updates to This Document
Quotely may update this Security Practices document from time to time to reflect changes in our practices, technologies, or legal obligations. The “Last Updated” date at the top of this document indicates when it was most recently revised. Customers are encouraged to review this document periodically. Material changes will be communicated to customers via email or through our platform.
For the most current version of this document, please visit [quotely.com/legal/security-practices] or contact us at team@quoteperfectly.com.
This document is provided for informational purposes only and does not constitute a legal agreement. For contractual commitments regarding data protection, please refer to Quotely’s Data Protection Agreement (DPA).