Trust Model

Trust & Security

QuickBrief is built for regulator-facing sanctions-change workflows. This page describes what data is stored, how evidence is scoped, and what the product does not claim to do.

Global ingestion, org-scoped evidence

Source snapshots are fetched once per environment. Baselines, review decisions, watchlists, and evidence events stay organization-scoped.

Deterministic matching only

Watchlist screening uses normalized exact-name hash matching. QuickBrief does not run fuzzy matching or customer risk scoring.

Evidence-first audit trail

The customer-visible audit trail contains compliance evidence events only: baseline set, source updates, brief generation, review decisions, watchlist actions, and exports.

Scoped access controls

Users authenticate through Clerk. Data access is enforced per organization in API routes and database queries.

Data Stored

  • Account and organization metadata (users, org settings, subscription state)
  • Source snapshots and source health state
  • Organization source baselines and source configuration pointers
  • Diff summaries, briefs, review decisions, and evidence events
  • Watchlist uploads, entities, import-job status, and screen results

Not Stored or Provided

  • Full payment card numbers (handled by Stripe)
  • Bank transaction monitoring data
  • Fuzzy name-match scores or probabilistic risk scores

Retention and Access

QuickBrief keeps operational and evidence data while an account is active. There is no automatic short-term deletion window configured today. Access is limited to authorized users in each organization; support access is controlled and audited.

Third-Party Services

  • Clerk (authentication and organization identity)
  • Stripe (checkout, subscriptions, and billing state)
  • Railway/Neon Postgres (application data storage by environment)
  • Cloudflare R2 (snapshot and watchlist import object storage)
  • Resend (transactional and alert email delivery)

Email Delivery Expectation

Alert and workflow emails are best-effort. Delivery can be delayed or blocked by recipient filtering, provider outages, or domain policies. The in-product audit trail remains the primary evidence record.

Coverage Determination

Source coverage in the product is driven by source health and capabilities. Pages consume the normalized coverage endpoint and degrade gracefully when a capability check fails. Search and dashboard functions continue for synced sources.
