KeystoneIQ Security Overview
This document provides security information for enterprise questionnaires, vendor reviews, and compliance inquiries. KeystoneIQ is the product; Intellibricks Inc. is the operating company.
AI Data Handling
Your CRM data is processed by LLMs solely for brief generation. No customer data is used for model training.
- Data is transmitted to AI model providers via encrypted connections. We do not store prompt/completion logs.
- Under standard API terms with those providers, customer content sent for inference is not used for model training.
- No PII is sent beyond what the user provides (deal notes, competitor context).
Data Protection
Token Encryption
- CRM and integration connection credentials are encrypted at rest using AES-256-GCM.
- Encryption keys are stored separately from the database.
- Keys and tokens are never logged.
Encryption at Rest
- Database: Managed PostgreSQL encrypts data at rest per the hosting provider’s standards.
Encryption in Transit
- All API traffic uses TLS 1.2+ (HTTPS).
- Database connections use SSL.
Access Controls
Authentication
- Email/password: Managed authentication with bcrypt password hashing.
- Sign-in: Email/password; Google and Microsoft account sign-in; enterprise SSO (SAML) on Pro+.
- API keys: Bearer tokens for programmatic access; scoped per workspace.
Role-Based Access Control
KeystoneIQ uses a two-role model: Owner and Member.
- Owners manage workspace settings, integrations, billing, and team membership.
- Members can view briefs, deals, competitors, and trigger data refreshes.
- Integration connections (CRM, analytics) are owner-managed. Per-user tools (Notion, Confluence, cloud storage) are individually managed.
Data Isolation
- All data is scoped to your workspace. Row-Level Security (RLS) in Postgres ensures cross-workspace isolation.
- CRM data within a workspace is visible to all workspace members — designed for collaborative competitive intelligence.
API Access
- API keys: Owner-only creation and revocation. Only workspace owners can create or revoke API keys (Developer in the sidebar; Growth or Pro).
- Credentials: API keys and tokens are never logged. Account export excludes api_key_hash.
Audit Logging
Sensitive operations (ownership transfers, billing changes, member management, integration connections) are logged for compliance review.
- All /api/v1/* requests are logged (workspace_id, method, path, status_code, timestamp).
- Failed auth (401) logged with workspace_id=null.
- Append-only; no credentials in logs. Retention: 90 days minimum.
Rate Limiting
API endpoints are rate-limited to prevent abuse. Sensitive mutations have stricter limits.
- Intelligence: 30/hr; briefs list: 60/hr; get: 100/hr; trigger-deal-brief: 5/hr per workspace.
Data Retention
- User data retained while workspace is active.
- Account export: GET /api/account/export.
- Account deletion: POST /api/account/delete (GDPR right to erasure).
Incident Response
- Report: Report security issues via your account contact or support@intellibricks.app (Intellibricks Inc.).
- Severity: P1 (data breach, outage), P2 (suspected compromise), P3 (vulnerability report).
- Containment: Revoke exposed API keys; notify affected customers.
- Recovery: Restore from managed database backups if needed.
- GDPR (Art 33/34): Notify affected customers (controllers) without undue delay so they can meet the 72-hour supervisory authority notification requirement.
- Errors logged with trace IDs; no tokens or keys in logs.
- Sync failures surfaced in Settings and job queue.
Compliance
- GDPR: Export and delete endpoints; data processing aligned with controller obligations.
- SOC 2: Roadmap item; planned when the enterprise pipeline justifies it.
- Penetration testing: Documented as annual roadmap item for enterprise.
Infrastructure
- Hosting: Application, API, and background workers run on managed cloud infrastructure with encryption in transit and at rest per provider standards.
- Regions: Configurable; processing is designed for Canada and the United States by default (see your workspace / provider settings).
- Backups: Managed database backups; RTO/RPO follow the database provider’s plan.
- Shared responsibility: Infrastructure controls (physical security, network, portions of platform hardening) sit with our hosting and data-store providers, which maintain industry certifications appropriate to their tier. KeystoneIQ is responsible for application-level controls: access, audit logs, encryption of integration tokens, and incident response.
Subprocessors
We use subprocessors under contract to operate the Service—for example hosting, database and authentication, AI inference, email delivery, and product analytics. They process data only as needed to provide those functions, under written agreements.
We do not publish a vendor-by-vendor stack list in this overview. The authoritative list of subprocessors (names, roles, and updates) is in our Privacy Policy (Section 7), which we maintain for transparency and data processing agreements. For security questionnaires or DPAs, use that section or contact support@intellibricks.app (Intellibricks Inc.).
Related policies (product)
- Privacy Policy — data categories, rights, international transfers (if applicable).
- Terms of Service
- Cookie Policy
Last updated: March 27, 2026