Compliance
Compliance for Qefro buyers usually means answering questionnaires (security, privacy, AI), signing a DPA where required, and mapping product controls to frameworks. This page stays factual: shipped controls versus roadmap items.
Short definition (citation-ready)
Qefro provides multi-tenant SaaS controls (isolation, encryption of tool secrets, logging, webhook verification) suitable as inputs to customer compliance programs. Formal certifications such as SOC 2 Type II are tracked on a roadmap — confirm current status with Sales.
Use Qefro controls in your program
| Your need | Map to Qefro |
|---|---|
| Customer data segregation | Tenant Isolation |
| Least privilege for staff AI | RBAC, Employee AI |
| AI tool risk | AI Agent Security, Secrets |
| Evidence of admin/tool activity | Audit Logs |
| Subprocessor / hosting questions | Contact Sales for current list |
| Privacy policy / terms | Privacy, Terms |
Implemented technical controls (summary)
- Organization (tenant) isolation on API and data access paths
- Workspace-scoped knowledge and Business Tools
- Encrypted Business Tool credentials
- SSRF-aware egress for tools and related webhooks
- Optional end-user identity forwarding via widget
identify() - Organization audit logs and tool execution logs
- Authentication abuse rate limiting
- Razorpay webhook signature verification for billing events
Full narrative: Security Overview.
Roadmap / Enterprise discussions
| Topic | Notes |
|---|---|
| SOC 2 Type II | Roadmap — request timeline from Sales |
| SSO / SAML | Enterprise discussions |
| Private / VPC-style deploy | See Deployment; Enterprise packaging |
| Custom DPA / SCCs | Available through Sales for qualifying plans |
Vendor review workflow
Complete a customer security review
- Share this Security section — Overview, isolation, secrets, audit, compliance.
- Pilot with non-production data — Use a staging organization when possible.
- Define data classes — What may enter knowledge vs tools vs transcripts.
- Request DPA / subprocessors — Via Sales or [email protected].
- Re-check after enabling tools — Actions change the threat model vs RAG-only.
Shared responsibility
| Qefro | Customer |
|---|---|
| Platform isolation and control plane security | Which documents you upload |
| Encrypting stored tool secrets | Scoping keys you issue to Qefro |
| Logging admin and tool executions | Reviewing logs; rotating keys |
| Channel/webhook verification mechanisms | Correct Meta / domain configuration |
| Honest status of certifications | Your internal risk acceptance |
FAQ
Where is data hosted?
Confirm the current hosting regions and subprocessors with Sales — infrastructure details can change and should not be frozen only in docs.
Can I use Qefro with regulated data?
Many teams start with non-regulated FAQs. For regulated workloads, complete a security review, DPA, and workspace/tool design with your counsel.
Does Qefro train foundation models on my data?
Product intent is to use your data to power your tenant’s assistants, not to train public foundation models on customer content. Confirm contractual language in your agreement / DPA.