Security at Kwestra
Effective: 1 January 2026 | Last reviewed: 1 May 2026 | Version 1.0
Infrastructure
Kwestra runs on Cloudflare Workers, a serverless edge platform. There are no persistent application servers to harden or patch. Each request is handled in an isolated V8 environment that is discarded after the response is sent. Compute runs at Cloudflare's edge nodes, not in a single data centre.
All traffic is encrypted in transit via TLS 1.2 or higher. Cloudflare provides DDoS mitigation, bot management, and WAF rules as part of the baseline infrastructure.
Data storage
Client data is stored in Cloudflare D1 (a SQLite-compatible managed database) and Cloudflare R2 object storage. Both are encrypted at rest by the platform. Kwestra does not operate its own database servers. Backups are managed by Cloudflare with regional redundancy. We do not store data in regions that conflict with your compliance requirements; talk to us if this is a constraint.
Authentication
User authentication is handled by Clerk (clerk.com), a dedicated auth provider. Clerk supports multi-factor authentication (MFA) for all accounts, and we recommend enabling it. Passwords are never stored by Kwestra; credential management is delegated entirely to Clerk. Organisation-level role separation (admin, member) is enforced at the API layer on every request.
API keys issued to clients are hashed before storage. We do not hold recoverable copies of issued API credentials.
What we do not store
- Plain-text passwords. The Clerk migration replaced all legacy password hashes.
- Payment card data. Payment links go through Stripe; no card numbers reach our systems.
- Sensitive personal data beyond what is necessary to deliver the contracted service.
Access controls
Internal access to production systems is restricted to named individuals with a documented business need. We use short-lived credentials and review access grants quarterly. No engineer has standing write access to production data stores.
Responsible disclosure
If you find a security vulnerability in any Kwestra system, please report it to [email protected]. We follow a 90-day coordinated disclosure timeline: we ask that you give us 90 days to investigate and remediate before publishing details publicly. We will acknowledge your report within two business days and keep you updated on progress.
We do not currently offer a bug bounty programme, but we will acknowledge researchers who report valid vulnerabilities responsibly.
Questions
For security questions not covered here, contact [email protected].