Security at Quill Ledger
Your trust and the security of your data are core priorities at Arclay Group Ltd. This page describes the measures we take to protect your information and the integrity of the Quill Ledger platform.
1. Data Encryption
1.1 At Rest
All sensitive information, including broker API keys and secrets, is encrypted at rest using industry-standard AES-256 encryption. Encryption keys are managed securely as environment secrets and are never stored in plaintext within the database.
1.2 In Transit
All data transmitted between your device and our servers is protected using Transport Layer Security (TLS 1.2 or higher), helping to prevent eavesdropping and tampering.
2. Password and Account Security
We never store your password in plaintext. When you create or change your password, it is salted and hashed using the bcrypt algorithm. This one-way process means your original password cannot be retrieved, even by us.
We encourage you to use a strong, unique password for your Quill Ledger account and to avoid reusing passwords you use elsewhere.
3. Infrastructure and Access Control
Quill Ledger is hosted on Render, a modern cloud provider that follows robust security practices and industry standards. We employ:
- Network segmentation and firewalls to protect internal systems;
- Least-privilege access principles for internal tools and data;
- Access to production systems restricted to a limited number of authorised personnel;
- Logging and monitoring of key events to help detect unusual activity.
4. AI Data Handling
Our AI features rely on OpenAI's API to generate insights and explanations. We use a zero-retention configuration so that OpenAI does not store or use your data to train their models. Only the minimal necessary context (for example, summary portfolio data or user preferences) is sent to the model to generate responses.
The AI cannot directly execute actions on your account or access your credentials. It operates purely as an insight and explanation layer.
5. Payment Security
All subscription payments are processed by Stripe, a PCI DSS Level 1 certified payment processor. Your full payment card information is handled directly by Stripe and is not stored on Quill Ledger's servers.
6. Backups and Resilience
We perform periodic backups of our databases to protect against accidental data loss and corruption. Backups are encrypted and stored securely, and are typically retained for up to 30 days before being rotated. We periodically test restoration processes to help ensure we can recover from incidents promptly.
7. Incident Response
In the event of a security incident or suspected data breach, we will:
- Investigate and contain the incident as quickly as possible;
- Assess the impact on user data;
- Notify affected users without undue delay where there is a risk to their rights and freedoms;
- Notify the relevant supervisory authority (such as the ICO) where required by law, typically within 72 hours;
- Implement remediation steps to prevent similar incidents in future.
8. Your Responsibilities
Security is a shared responsibility. To help protect your account, we recommend that you:
- Use a strong, unique password that you do not reuse elsewhere;
- Keep your device and browser up to date;
- Be cautious of phishing attempts and verify the authenticity of emails claiming to be from Quill Ledger;
- Use read-only permissions for broker API keys where possible;
- Log out of your account on shared devices.
9. Responsible Disclosure
If you believe you have found a security vulnerability in Quill Ledger, we encourage you to report it responsibly. Please contact us at security@quillledger.com with a description of the issue, steps to reproduce, and any relevant technical details. We will investigate promptly and appreciate the efforts of the security community in helping keep our users safe.
10. Questions
If you have any questions about these security practices, please contact us at security@quillledger.com.