Skip to main content
by Nomadyr
DE Join the Waitlist
Menu
Currently in Alpha
Join the Waitlist for more »
Security & data protection

We only access what we functionally need.

Your data is stored in the EU (Frankfurt), encrypted at rest and in transit, isolated from every other customer.

Our approach

QuoteXelerator identifies which deal to attach line items to, reads owners for recipe assignment, and reads or writes line items. That is the complete extent of our HubSpot access. We never touch contacts, companies, emails, tickets, or conversations. Your quote data is processed in real time and not retained beyond what audit logging requires. Sensitive credentials are encrypted with per-portal derived keys. We can't read them in plaintext.

Infrastructure

Platform
  • EU-only serverless + managed DB
  • SOC 2 Type 2 certified providers
  • Region: Frankfurt
Encryption
  • TLS in transit
  • AES-256 at rest
  • Per-portal key derivation for sensitive fields
Data Residency
  • Application data we control stored in EU (Frankfurt)
  • Line items live in your HubSpot portal — HubSpot data flow, not specific to us
  • Email delivery via Resend (EU servers in Ireland)
Credential Security
  • No readable tokens stored
  • No plaintext credentials
  • Complete tenant isolation

HubSpot permissions

During installation, we only request the permissions that are functionally required for the app to operate. Authentication is handled via OAuth 2.0 with the following minimum scopes:

crm.objects.deals.read
Identify which deal to attach generated line items to
crm.objects.line_items.write
Create and update deal line items from processed quotes
crm.objects.line_items.read
Read existing line items for change detection and audit
crm.schemas.line_items.read
Read line item property definitions for field mapping
crm.objects.owners.read
Identify deal owners for recipe assignment
That is everything. We do not access contacts, companies, emails, tickets, conversations, or any other HubSpot data.

Data handling

Processing: Quote data is processed in real time.
Audit logs: Retained with your subscription for compliance purposes.
Data isolation: Your data is completely isolated at the database level. Sensitive credentials and snapshots are encrypted at the application layer with portal-scoped key derivation.
Cancellation: On explicit termination, all customer data is deleted within 90 days.
No data resale: We never sell your data, and we never use it for purposes beyond delivering the service you subscribed to. The subprocessors below only access what they need to operate.

Compliance

DSGVO / GDPR
Fully compliant with the EU General Data Protection Regulation. Data subject rights (Art. 15–22) supported. Technical and organizational measures per Art. 32 GDPR are documented in our TOM.
AVV / DPA
Read the full Data Processing Agreement (DPA) or the German legally binding Auftragsverarbeitungsvertrag (AVV) per Art. 28 GDPR. Countersigned copy on request: legal@quotexelerator.com.
SOC 2 Infrastructure
Every subprocessor that handles customer data — Supabase, Vercel, HubSpot, Resend, and Stripe — maintains an independent SOC 2 Type 2 attestation. Stripe additionally holds PCI DSS Level 1.
EU Data Residency
Application data we control is stored in the EU (Frankfurt). Line items live in your HubSpot portal — that is HubSpot's standard data flow for every HubSpot app, not specific to us.

Subprocessors

We notify customers at least 30 days before adding a new subprocessor.

Service · Purpose Location
Supabase
Database & auth
Frankfurt, EU
Vercel
Hosting & functions
Frankfurt, EU
Stripe
Payment processing
Dublin, IE
HubSpot
CRM integration
US (EU SCCs)
Resend
Transactional email
US (EU servers in Ireland)

Interested in learning more?
Join the waitlist to stay informed on product updates and the latest features.

Join the Waitlist »

Read the full Data Processing Agreement or the Technical and Organizational Measures (TOM). For a countersigned copy or further questions, reach out at legal@quotexelerator.com.