Skip to main content

Compliance

Compliance for Qefro buyers usually means answering questionnaires (security, privacy, AI), signing a DPA where required, and mapping product controls to frameworks. This page stays factual: shipped controls versus roadmap items.

Short definition (citation-ready)

Qefro provides multi-tenant SaaS controls (isolation, encryption of tool secrets, logging, webhook verification) suitable as inputs to customer compliance programs. Formal certifications such as SOC 2 Type II are tracked on a roadmap — confirm current status with Sales.

Use Qefro controls in your program

Your needMap to Qefro
Customer data segregationTenant Isolation
Least privilege for staff AIRBAC, Employee AI
AI tool riskAI Agent Security, Secrets
Evidence of admin/tool activityAudit Logs
Subprocessor / hosting questionsContact Sales for current list
Privacy policy / termsPrivacy, Terms

Implemented technical controls (summary)

  • Organization (tenant) isolation on API and data access paths
  • Workspace-scoped knowledge and Business Tools
  • Encrypted Business Tool credentials
  • SSRF-aware egress for tools and related webhooks
  • Optional end-user identity forwarding via widget identify()
  • Organization audit logs and tool execution logs
  • Authentication abuse rate limiting
  • Razorpay webhook signature verification for billing events

Full narrative: Security Overview.

Roadmap / Enterprise discussions

TopicNotes
SOC 2 Type IIRoadmap — request timeline from Sales
SSO / SAMLEnterprise discussions
Private / VPC-style deploySee Deployment; Enterprise packaging
Custom DPA / SCCsAvailable through Sales for qualifying plans

Vendor review workflow

Complete a customer security review

  1. Share this Security sectionOverview, isolation, secrets, audit, compliance.
  2. Pilot with non-production dataUse a staging organization when possible.
  3. Define data classesWhat may enter knowledge vs tools vs transcripts.
  4. Request DPA / subprocessorsVia Sales or [email protected].
  5. Re-check after enabling toolsActions change the threat model vs RAG-only.

Shared responsibility

QefroCustomer
Platform isolation and control plane securityWhich documents you upload
Encrypting stored tool secretsScoping keys you issue to Qefro
Logging admin and tool executionsReviewing logs; rotating keys
Channel/webhook verification mechanismsCorrect Meta / domain configuration
Honest status of certificationsYour internal risk acceptance

FAQ

Where is data hosted?
Confirm the current hosting regions and subprocessors with Sales — infrastructure details can change and should not be frozen only in docs.
Can I use Qefro with regulated data?
Many teams start with non-regulated FAQs. For regulated workloads, complete a security review, DPA, and workspace/tool design with your counsel.
Does Qefro train foundation models on my data?
Product intent is to use your data to power your tenant’s assistants, not to train public foundation models on customer content. Confirm contractual language in your agreement / DPA.