Security at LinkQuill

We've published this page so your security team doesn't need to file a questionnaire to evaluate us. If something here is unclear or incomplete, email security@linkquill.net.

Technical controls

Encryption at rest + in transit

All data is encrypted in transit via TLS 1.3. Neon (Postgres) encrypts every row at rest with AES-256. OAuth tokens for brand-owned PayPal connections are envelope-encrypted with per-installation keys before they touch the database.

SSRF defense on every outbound webhook

Brand-configured webhook URLs are validated against an RFC1918 / loopback / link-local / IPv6 ULA / AWS-metadata reject set both at the WRITE boundary AND at every DELIVERY — defending against DNS rebinding between write and send. Non-http(s) schemes and userinfo are rejected at the API.

OAuth state nonces

Every Shopify, Square, and PayPal connect flow mints a one-shot Redis-stored nonce; the callback validates and atomically consumes it via GETDEL. Replay-resistant by construction.

Signed-identifier webhook brandId

Inbound webhooks (Shopify, Wix, Squarespace, PayPal) resolve the owning brandId from a HMAC-signed body field, not from a query parameter or path segment — so a stolen webhook URL cannot deliver events to a different tenant.

CSP with nonce-gated style + script

Production responses carry a strict Content-Security-Policy with nonce-gated `style-src` and `script-src` — eliminating inline-style XSS amplification vectors that hit other platforms.

Audit logging on every state change

Every brand / program / payout / membership mutation writes to the `audit_log` table via the `safeAuditEntry` helper. Audit failures never silently swallow the originating change — they surface as `logger.warn` events with action + entity context.

Sub-processors

The services we use to operate LinkQuill. We will provide 30-day notice via the changelog and any data-processing-agreement signatories by email before adding a new sub-processor.

Sub-processor	Purpose	Region
Vercel	Application hosting + Edge compute	US (iad1)
Neon	PostgreSQL 17 — primary application DB	US-East
Upstash	Redis (rate limits, OAuth state, dedupe)	US-East
Stripe	Connect payouts + billing	Global (Stripe-managed)
PayPal	Brand-owned payout rail (OAuth tokens, no money holding)	Global
Firebase Auth	Authentication / identity	US
Sentry	Error monitoring + observability	US
Resend	Transactional + broadcast email	US
Anthropic	AI-assisted brand onboarding (Claude API)	US

GDPR + CCPA

LinkQuill processes personal data on behalf of our brand customers (controllers). Our Data Processing Agreement is available as a downloadable PDF and applies to every paid plan by default. Our Privacy Policy covers the full data-collection picture for end users (affiliates + visitors).

For CCPA / CPRA inquiries, see our Your Privacy Choices page. LinkQuill does not sell or share personal information for cross-context behavioral advertising.

We host application data primarily in the United States (US-East). EU brand customers who require EU-resident processing should contact us — we can route on a per-customer basis via Neon's EU region.

Vulnerability disclosure

If you believe you've found a security issue in LinkQuill, please report it to security@linkquill.net. We aim to acknowledge within one business day and ship a fix on a severity-driven timeline.

Safe harbor: we will not pursue legal action against good-faith researchers who report vulnerabilities through this channel, avoid degrading our service, and refrain from accessing data beyond what is necessary to demonstrate the issue. See SECURITY.md for the full policy.