Security & Compliance

Your data is our responsibility.

Setell handles sensitive business data — customer emails, quotes, invoices, and financial integrations. We treat every byte with the care it deserves. This policy describes how we protect it.

Effective Date
March 27, 2026
Scope
This policy applies to all Setell services, including the web application (app.setell.ai), APIs, integrations, and internal systems.
Contact
Security concerns: security@setell.ai
Privacy inquiries: privacy@setell.ai

1. Data We Collect

Data classification & collection

We collect only what is necessary to operate the service. All data is classified by sensitivity and handled accordingly.

Account Data
Information you provide during signup and OAuth authentication.
  • Name and email address (via Google OAuth)
  • Profile image (Google profile)
  • Subscription and billing status (via Stripe)
Business Data
Data created through your use of Setell.
  • Inbound emails and quote requests
  • Quotes, line items, and revision history
  • Customer records (name, email, phone, company)
  • Job metadata and status history
Integration Credentials
OAuth tokens for connected services — never stored in plaintext at rest.
  • Gmail OAuth tokens (read, send, modify scopes)
  • QuickBooks Online OAuth tokens
  • Slack bot tokens

2. Authentication

Authentication & access control

Single Sign-On (SSO)
All user authentication is handled via Google OAuth 2.0. Setell never stores, transmits, or has access to your Google password. Sessions are managed with signed, httpOnly, secure cookies with SameSite protection.
Session Management
  • JWT-based sessions with server-side validation
  • HttpOnly, Secure, SameSite=Lax cookies in production
  • Sessions expire automatically after inactivity
  • Immediate session invalidation on logout
API Authentication
All internal APIs require a valid session token. Webhook endpoints use HMAC-SHA256 signature verification with timing-safe comparison. Background job endpoints use bearer token authentication with timing-safe validation.
Principle of Least Privilege
  • OAuth scopes are limited to minimum required permissions
  • Gmail: read, send, and modify (no admin or full-access scopes)
  • QuickBooks: accounting scope only
  • Every API request is validated against the authenticated user's ownership of the requested resource

3. Encryption

Data encryption

In Transit
All data transmitted between your browser and Setell is encrypted using TLS 1.2+ (HTTPS). This applies to all web traffic, API calls, webhook payloads, and OAuth token exchanges. HSTS headers enforce HTTPS-only connections.
At Rest
All data stored in our database is encrypted at rest using AES-256 encryption provided by our infrastructure provider. OAuth integration tokens receive an additional layer of application-level encryption before storage.

4. Infrastructure

Infrastructure security

Setell runs on enterprise-grade cloud infrastructure with security built into every layer.

Hosting & Compute
  • Application hosted on AWS (Amplify / Lambda)
  • Serverless architecture — no persistent servers to patch
  • CloudFront CDN with automatic TLS certificate management
  • AWS infrastructure is SOC 2 Type II and ISO 27001 certified
Database
  • PostgreSQL 16 hosted on Neon (SOC 2 Type II certified)
  • All connections require SSL/TLS
  • Automated daily backups with point-in-time recovery
  • No direct database access — all queries go through Prisma ORM with parameterized queries (SQL injection prevention)
Network Security
  • All endpoints served over HTTPS with HSTS enforcement
  • Security headers: X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy
  • Rate limiting on all public-facing endpoints
  • DDoS protection via AWS CloudFront and Shield

5. Third-Party Services

Integration security

Setell integrates with trusted third-party services. Each integration follows strict security standards.

Google (Gmail & OAuth)
  • OAuth 2.0 with minimal scopes (gmail.readonly, gmail.send, gmail.modify)
  • Tokens refreshed automatically; revocable at any time via Google account settings
  • Webhook notifications verified via Google OIDC token validation
  • Compliant with Google API Services User Data Policy and Limited Use requirements
Intuit QuickBooks Online
  • OAuth 2.0 with accounting scope only
  • Webhook payloads verified with HMAC-SHA256 signatures
  • Sync failures are logged and surfaced — they never block user workflows
  • All QuickBooks API operations are logged in an audit trail
Stripe (Billing)
  • Setell never stores credit card numbers — all payment processing is handled by Stripe (PCI DSS Level 1 certified)
  • Webhook signatures verified using Stripe's official SDK
  • Subscription state changes are logged and auditable
Anthropic (Claude AI)
  • Used for quote drafting, email parsing, and revision assistance
  • No customer PII is sent to the AI model unless it is contained in the email body being processed
  • Anthropic does not use API inputs for model training (per Anthropic's commercial API terms)
  • All AI outputs are validated against strict schemas before use

6. API Security

Webhook & API protection

Signature Verification
Every inbound webhook (Stripe, QuickBooks, Gmail) is cryptographically verified using HMAC-SHA256 or OIDC token validation before any data is processed. Timing-safe comparison functions prevent side-channel attacks.
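The check described above, as an added example that is not Setell's own code: an HMAC-SHA256 verification over a timestamped signature header, compared with Node's timingSafeEqual. The header layout (t=<unix seconds>,v1=<hex mac>), the signed string "<t>.<raw body>", and the five-minute replay window are assumptions chosen for illustration; each provider (Stripe, QuickBooks) defines its own format, so the parsing would follow their documentation in practice. The MAC must be computed over the exact bytes received, not over a re-serialized JSON object, or legitimate deliveries fail.

```typescript
// Added example, not Setell's code. Header format, signed-string layout and
// replay window are assumptions for illustration.
import { createHmac, timingSafeEqual } from "node:crypto";

interface VerifyResult {
  ok: boolean;
  reason?: string;
}

// Producer side (what a sending service would do), included so the example is
// self-contained: MAC over "<timestamp>.<rawBody>" so the timestamp is covered.
function signPayload(secret: string, timestamp: number, rawBody: string): string {
  const mac = createHmac("sha256", secret).update(`${timestamp}.${rawBody}`).digest("hex");
  return `t=${timestamp},v1=${mac}`;
}

// Consumer side: parse the header, reject stale deliveries, then compare MACs
// in constant time. `nowSeconds` is injected so the check is testable offline.
function verifyWebhook(
  secret: string,
  signatureHeader: string | undefined,
  rawBody: string,
  nowSeconds: number,
  toleranceSeconds: number = 300,
): VerifyResult {
  if (!signatureHeader) return { ok: false, reason: "missing signature header" };

  const parts = new Map<string, string>();
  for (const field of signatureHeader.split(",")) {
    const idx = field.indexOf("=");
    if (idx > 0) parts.set(field.slice(0, idx).trim(), field.slice(idx + 1).trim());
  }
  const tsText = parts.get("t");
  const provided = parts.get("v1");
  if (!tsText || !provided) return { ok: false, reason: "malformed signature header" };

  const timestamp = Number(tsText);
  if (!Number.isInteger(timestamp)) return { ok: false, reason: "bad timestamp" };
  // A captured request replayed later (or one dated in the future) is rejected
  // before any MAC work is done.
  if (Math.abs(nowSeconds - timestamp) > toleranceSeconds) {
    return { ok: false, reason: "timestamp outside tolerance" };
  }

  const expected = createHmac("sha256", secret).update(`${timestamp}.${rawBody}`).digest();
  const providedBuf = Buffer.from(provided, "hex");
  // timingSafeEqual throws on unequal lengths, so length is checked first; a
  // length mismatch can never be a valid signature, so rejecting early leaks nothing.
  if (providedBuf.length !== expected.length) return { ok: false, reason: "bad signature" };
  if (!timingSafeEqual(providedBuf, expected)) return { ok: false, reason: "bad signature" };
  return { ok: true };
}

// Constructed sample delivery (not real data).
const SAMPLE_SECRET = "whsec_constructed_example_secret";
const SAMPLE_BODY = '{"event":"invoice.paid","id":"in_constructed_001"}';
const SAMPLE_SENT_AT = 1700000000;
const SAMPLE_HEADER = signPayload(SAMPLE_SECRET, SAMPLE_SENT_AT, SAMPLE_BODY);

console.log("genuine:", verifyWebhook(SAMPLE_SECRET, SAMPLE_HEADER, SAMPLE_BODY, SAMPLE_SENT_AT + 5));
console.log("tampered:", verifyWebhook(SAMPLE_SECRET, SAMPLE_HEADER, SAMPLE_BODY + " ", SAMPLE_SENT_AT + 5));
console.log("replayed:", verifyWebhook(SAMPLE_SECRET, SAMPLE_HEADER, SAMPLE_BODY, SAMPLE_SENT_AT + 3600));
```

The reason strings are for internal logging only; a real endpoint would return the same generic 4xx for every failure branch, consistent with the error-handling practice described later on this page, and log the reason with the delivery id for alerting.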
Input Validation
All API inputs — user-submitted, webhook payloads, and AI outputs — are validated against strict Zod schemas before reaching the database. Prisma ORM provides parameterized queries, eliminating SQL injection vectors.
Rate Limiting
All endpoints are rate-limited to prevent abuse. AI-powered endpoints have additional token-bucket rate limiting to prevent cost-based denial of service. Repeated failed authentication attempts trigger temporary lockout.
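A token bucket of the kind described above, as an added example that is not Setell's own code. It goes slightly beyond the paragraph: each request charges a variable cost (for an AI endpoint, an estimate of the model tokens it will consume) rather than a flat one, which is what makes the bucket useful against cost-based denial of service, and the same class gives a temporary lockout on repeated authentication failures by charging one unit per failure. Capacity, refill rate and the cost values below are constructed for illustration.

```typescript
// Added example, not Setell's code. Limits and costs are illustrative.
interface Bucket {
  tokens: number;     // current balance, never above capacity
  lastRefillMs: number;
}

class TokenBucketLimiter {
  private readonly buckets = new Map<string, Bucket>();

  constructor(
    private readonly capacity: number,        // largest burst a key may spend at once
    private readonly refillPerSecond: number, // steady-state allowance
  ) {}

  // Tries to charge `cost` units to `key` at wall-clock time `nowMs`.
  // Returns true when the charge succeeded; false means "reject this request".
  // The clock is passed in so the limiter is deterministic under test.
  tryTake(key: string, cost: number, nowMs: number): boolean {
    // A single request larger than the bucket could never succeed; refuse it
    // outright rather than letting it block the key forever.
    if (!(cost > 0) || cost > this.capacity) return false;

    let b = this.buckets.get(key);
    if (!b) {
      b = { tokens: this.capacity, lastRefillMs: nowMs };
      this.buckets.set(key, b);
    }
    // Lazy refill: credit the tokens earned since the last visit, capped at capacity.
    const elapsedSec = Math.max(0, nowMs - b.lastRefillMs) / 1000;
    b.tokens = Math.min(this.capacity, b.tokens + elapsedSec * this.refillPerSecond);
    b.lastRefillMs = nowMs;

    if (b.tokens < cost) return false;
    b.tokens -= cost;
    return true;
  }

  // Balance after refill, without charging; useful for a Retry-After hint.
  remaining(key: string, nowMs: number): number {
    const b = this.buckets.get(key);
    if (!b) return this.capacity;
    const elapsedSec = Math.max(0, nowMs - b.lastRefillMs) / 1000;
    return Math.min(this.capacity, b.tokens + elapsedSec * this.refillPerSecond);
  }
}

// Two buckets with different semantics built from the same class:
//  - aiLimiter: 10 000 estimated model tokens burst, refilling 100/s per user
//  - loginFailures: 5 failed attempts burst, refilling one every 60 s per account,
//    i.e. a sixth failure inside the window is locked out until a token refills.
const aiLimiter = new TokenBucketLimiter(10_000, 100);
const loginFailures = new TokenBucketLimiter(5, 1 / 60);

// Constructed walk-through (not real traffic).
const user = "user_constructed_42";
console.log("draft quote (est. 6000 tokens):", aiLimiter.tryTake(user, 6000, 0));
console.log("second draft right away:", aiLimiter.tryTake(user, 6000, 0));
console.log("balance after 30 s:", aiLimiter.remaining(user, 30_000));
for (let i = 1; i <= 6; i++) {
  console.log(`login failure ${i} allowed:`, loginFailures.tryTake("acct_constructed", 1, i * 1000));
}
```

In a serverless deployment the map would live in a shared store rather than in process memory, since each Lambda instance otherwise keeps its own buckets; the refill arithmetic is unchanged.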
Error Handling
Error responses never expose internal system details, stack traces, or database schemas. All errors are logged internally with full context for debugging while returning safe, generic messages to clients.

7. GDPR Compliance

General Data Protection Regulation (EU/EEA)

Setell is committed to compliance with GDPR for users in the European Union and European Economic Area.

Lawful Basis for Processing
We process personal data under the following legal bases:
  • Contract performance — to provide the Setell service you signed up for
  • Legitimate interest — for security monitoring, fraud prevention, and service improvement
  • Consent — where required, such as optional analytics and marketing communications
Your Rights Under GDPR
  • Right of access — request a copy of all personal data we hold about you
  • Right to rectification — correct inaccurate personal data
  • Right to erasure — request deletion of your personal data ('right to be forgotten')
  • Right to data portability — receive your data in a machine-readable format
  • Right to restrict processing — limit how we use your data
  • Right to object — object to processing based on legitimate interest
  • Right to withdraw consent — withdraw consent at any time without affecting prior processing
Data Processing
  • Data Processing Agreements (DPAs) are in place with all sub-processors
  • Data transfers outside the EU/EEA are protected by Standard Contractual Clauses (SCCs) or equivalent safeguards
  • We maintain a Record of Processing Activities (ROPA) as required under Article 30
  • A Data Protection Officer (DPO) can be reached at privacy@setell.ai
Data Retention
  • Active account data is retained for the duration of the subscription
  • After account deletion, personal data is purged within 30 days
  • Anonymized, aggregated analytics data may be retained indefinitely
  • Backup data containing personal information is purged within 90 days of deletion request

8. CCPA Compliance

California Consumer Privacy Act (CCPA/CPRA)

California residents have specific rights regarding their personal information under the CCPA and its amendment, the CPRA.

Your Rights Under CCPA
  • Right to know — what personal information we collect, use, disclose, and sell
  • Right to delete — request deletion of personal information we have collected
  • Right to opt-out — opt out of the sale or sharing of personal information
  • Right to non-discrimination — equal service and pricing regardless of exercising privacy rights
  • Right to correct — request correction of inaccurate personal information
  • Right to limit use of sensitive personal information
Our Practices
  • We do NOT sell personal information to third parties
  • We do NOT share personal information for cross-context behavioral advertising
  • We do NOT use or disclose sensitive personal information for purposes other than providing the service
  • We respond to verified consumer requests within 45 days
  • Requests can be submitted to privacy@setell.ai

9. Google API Compliance

Google API Services User Data Policy

Setell's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Limited Use Disclosure
  • Setell only requests access to Gmail data necessary to provide quoting and invoicing functionality
  • We do not use Gmail data for advertising or to serve ads
  • We do not allow humans to read your email content, except where you have given explicit consent, where it is necessary for security purposes (e.g., investigating abuse), or where required by law
  • We do not transfer Gmail data to third parties except as necessary to provide the service, with your consent, or as required by law
Data Usage
  • Gmail data is used solely to parse incoming quote requests and draft outgoing quote emails
  • Email content is processed by our AI service (Anthropic Claude) only for quote generation — Anthropic does not use API inputs for training
  • You can disconnect Gmail and revoke access at any time from Settings or your Google account
  • Upon disconnection, your Gmail credentials are immediately deleted from our systems

10. Monitoring

Observability & security monitoring

Error & Event Tracking
  • Real-time error tracking and alerting via Sentry
  • Structured event logging via Axiom for all authentication, webhook, and job lifecycle events
  • AI operation tracing via Langfuse for model call auditing
Audit Logging
  • All authentication events (login, logout, OAuth grants) are logged
  • All QuickBooks sync operations are logged with full request/response audit trail
  • Quote revisions maintain an immutable version history — quotes are never mutated, only versioned
  • Webhook signature verification failures are logged and alerted
Incident Detection
  • Automated alerting on repeated authentication failures
  • Monitoring for anomalous API usage patterns
  • Real-time dashboards for system health and security events
  • 24-hour response SLA for critical security alerts

11. Incident Response

Security incident response plan

We maintain a formal incident response plan to handle security events swiftly and transparently.

Step 1: Detection & Triage
Security events are detected via automated monitoring (Sentry, Axiom) and classified by severity within 1 hour of detection.
Step 2: Containment
Affected systems are isolated. Compromised credentials are rotated immediately. Affected user sessions are invalidated.
Step 3: Investigation & Remediation
Root cause analysis is performed. Vulnerabilities are patched. Additional monitoring is deployed to prevent recurrence.
Step 4: Notification
Affected users are notified within 72 hours (GDPR requirement) or 'without unreasonable delay' (CCPA requirement). Regulatory authorities are notified as required by applicable law.
Step 5: Post-Incident Review
A post-mortem is conducted for every security incident. Findings are documented and security controls are updated to prevent similar incidents.

12. Responsible Disclosure

Vulnerability disclosure program

Reporting a Vulnerability
If you believe you have found a security vulnerability in Setell, please report it to security@setell.ai. Please include a description of the vulnerability, steps to reproduce, and any relevant supporting material.
Our Commitment
  • We will acknowledge receipt within 24 hours
  • We will provide an initial assessment within 72 hours
  • We will not take legal action against researchers acting in good faith
  • We will credit researchers (with permission) in our security acknowledgments
  • We ask that you do not publicly disclose the vulnerability until we have had reasonable time to address it

13. Organizational Security

People, process & governance

Secure Development
  • All code changes go through peer review before merging
  • Automated CI/CD pipeline with linting, type checking, and test suites
  • Dependencies are audited for known vulnerabilities
  • Secrets are never committed to source code — all credentials come from environment variables
  • TypeScript strict mode with no 'any' types permitted
Access Controls
  • Production infrastructure access is restricted to authorized personnel only
  • All administrative access requires multi-factor authentication
  • Access permissions are reviewed quarterly
  • Former personnel access is revoked immediately upon departure
Business Continuity
  • Automated database backups with point-in-time recovery
  • Multi-region infrastructure failover capability
  • Serverless architecture eliminates single points of failure
  • Disaster recovery plan tested and documented

14. Compliance

Compliance & certifications

Google OAuth Verification: In Progress
Setell is undergoing Google OAuth verification and security assessment to meet Google API Services User Data Policy requirements, including Limited Use compliance.
GDPR: Compliant
Full compliance with the General Data Protection Regulation, including data subject rights, Data Processing Agreements with sub-processors, and Standard Contractual Clauses for international transfers.
CCPA / CPRA: Compliant
Full compliance with the California Consumer Privacy Act and California Privacy Rights Act, including consumer rights, data disclosure requirements, and opt-out mechanisms.
SOC 2 Type II: Planned
SOC 2 Type II audit is on our compliance roadmap. Our infrastructure providers (AWS, Neon, Stripe) are all SOC 2 Type II certified.
ISO 27001: Planned
ISO 27001 certification for our Information Security Management System (ISMS) is planned as part of our enterprise compliance roadmap.
PCI DSS: N/A (Stripe)
Setell does not store, process, or transmit credit card data directly. All payment processing is handled by Stripe, which is PCI DSS Level 1 certified.

15. Breach Notification

Data breach notification policy

Notification Commitments
In the unlikely event of a data breach that affects your personal information:
  • We will notify affected individuals within 72 hours of becoming aware of the breach (GDPR Article 33 requirement)
  • We will notify the relevant supervisory authority within 72 hours where required
  • We will notify the California Attorney General if a breach affects more than 500 California residents (CCPA requirement)
  • Notification will include: the nature of the breach, categories of data affected, approximate number of individuals affected, likely consequences, and measures taken to address the breach
  • We will provide ongoing updates as our investigation progresses

16. Cookies

Cookie & tracking policy

Essential Cookies
Session authentication cookies that are strictly necessary for the application to function. These cannot be disabled.
  • Session token (httpOnly, Secure, SameSite=Lax)
  • CSRF protection token
Analytics Cookies
We use Google Tag Manager for anonymous, aggregated usage analytics. These cookies can be declined without affecting functionality.
  • Google Analytics — page views, session duration, feature usage
  • No personal data is included in analytics events
  • IP anonymization is enabled

Questions?

Exercise your rights or get in touch

To exercise any of your data rights under GDPR or CCPA, or to report a security concern, contact us using the information below. We respond to all privacy and security inquiries within 72 hours.

Security issues: security@setell.ai
Privacy & data rights: privacy@setell.ai
General inquiries: hello@setell.ai

This security policy is reviewed and updated at least annually, or whenever there are material changes to our security practices.
Last updated: March 27, 2026.