Security

Last updated: April 22, 2026

QuoteDrop handles job photos, customer contact details, and payment flows for contractors. This page describes how we protect that data and how security researchers can report issues.

Transport & storage encryption

All traffic to QuoteDrop is served over TLS 1.2+ with HSTS (max-age=63072000; includeSubDomains; preload). HTTP is redirected to HTTPS at the edge. Data at rest — the Postgres database and photo bucket — is encrypted with AES-256 via Supabase's managed infrastructure on AWS.

Authorization & isolation

Every row in the database is scoped by Supabase Row-Level Security policies that verify the authenticated user owns the resource. A contractor cannot see or modify another contractor's estimates, customers, or pricing profile. Public share links use a 256-bit random token and are enforced by a separate read-only policy that matches only by token — no enumeration is possible.
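The two-policy pattern this section describes, written out as an added illustration against a hypothetical estimates table (not QuoteDrop's own schema or policy text). The table, column, and header names, and the assumption that the share token arrives in an X-Share-Token request header, are mine.

```sql
-- Added illustration of the RLS pattern described above. Table, column and
-- header names are assumptions; this is not QuoteDrop's schema or policy text.
create extension if not exists pgcrypto;  -- provides gen_random_bytes()

create table estimates (
  id          uuid primary key default gen_random_uuid(),
  owner_id    uuid not null references auth.users (id),
  total_cents integer not null,
  -- 256-bit random share token (32 bytes), NULL until a share link is created
  share_token text unique
);

-- Deny by default: with RLS enabled and no matching policy, a query sees no rows.
alter table estimates enable row level security;
alter table estimates force row level security;

-- Policy 1: a signed-in contractor can read and write only rows they own.
-- auth.uid() is Supabase's helper returning the JWT subject of the caller.
create policy owner_full_access on estimates
  for all
  to authenticated
  using (owner_id = auth.uid())
  with check (owner_id = auth.uid());

-- Policy 2: anonymous share-link readers match on the token alone. The token is
-- assumed to arrive in an X-Share-Token header, which PostgREST exposes through
-- the request.headers setting. Knowing an estimate's id is not enough to read
-- it, so ids cannot be enumerated; only the presented token selects a row.
create policy share_link_read_only on estimates
  for select
  to anon
  using (
    share_token is not null
    and share_token = (current_setting('request.headers', true)::json ->> 'x-share-token')
  );

-- Minting a share link: set a fresh 256-bit token (64 hex chars, URL-safe) on an
-- estimate the caller owns. Policy 1 gates the update, so a contractor cannot
-- mint links for rows belonging to someone else.
update estimates
   set share_token = encode(gen_random_bytes(32), 'hex')
 where id = '00000000-0000-0000-0000-000000000001';  -- placeholder id
```

A request that carries neither a session nor a matching token returns zero rows rather than an error, which is the behaviour to verify when testing the isolation claim.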

Payments

All card data is processed by Stripe, Inc. under PCI DSS Level 1. QuoteDrop never sees, stores, or transmits raw card numbers. For contractor payouts we use Stripe Connect — funds route directly to the contractor's Stripe account, never through ours.

AI processing

Photos and notes are sent to Anthropic's API under a zero-data-retention agreement. Anthropic does not train its models on QuoteDrop data and does not retain it beyond the immediate request. Generated line items are validated server-side against the contractor's configured labor rate and market-floor benchmarks before being returned to the client.

Application hardening

We ship with a restrictive Content Security Policy, X-Frame-Options: DENY, Referrer-Policy: strict-origin-when-cross-origin, and an allowlist-style Permissions-Policy that disables microphone access and scopes camera, geolocation, and payment requests to first-party code. The Next.js X-Powered-By header is stripped. Supabase security advisors run against the production database on every deploy.

Account security

Passwords are hashed with bcrypt via Supabase Auth. We support passwordless magic links, OAuth (Google, Apple), and optional Turnstile CAPTCHA on signup to deter automated abuse. Production access to the database is restricted to two-factor-authenticated personnel.

Audit logging

Every estimate carries an immutable audit trail: created, sent, viewed, signed, approved, declined, and paid events are each timestamped with IP and user agent. Share-link signatures additionally capture the signer's printed name. Audit logs are retained for one year.

Sub-processors

We use Vercel (compute + edge), Supabase (database, auth, storage), Stripe (payments), Anthropic (AI), Twilio (SMS), and Cloudflare (CDN, Turnstile). A current sub-processor list is available in our Privacy Policy.

Coordinated vulnerability disclosure

If you believe you've found a security issue, please email security@jobestimate.app. Include reproduction steps and any proof-of-concept you have. We will acknowledge within 24 hours and keep you informed through remediation.

Please do not:

We welcome researchers acting in good faith under these guidelines and will not pursue legal action for compliant testing.

PGP key

For encrypted disclosure, request our current PGP key at security@jobestimate.app.