Security at QVA

QVA is an interface, not a data store. This page is the longer version of “Nothing stored. Ever.” — what we mean by that, and what we actually do.

What QVA stores

We store the bare minimum required to operate the product:

  • Your account — email, name, OAuth provider, and which organization you belong to.
  • Your Quickbase realm and a connection token — the token is encrypted at rest using Google Cloud KMS. The encryption is bound to your user ID (additional authenticated data), so a token can't be decrypted as a different user even if a database were compromised.
  • Your schema choices — which Quickbase apps, tables, and fields you've enabled for voice entry. This is configuration, not your records.
  • A monthly command count — how many voice writes your org has made this month, for billing.
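
The effect of binding a token's encryption to a user ID through additional authenticated data, as an added example that is not QVA's code: local AES-256-GCM stands in for the Cloud KMS call, and the key, user IDs, token values and function names are constructed for illustration.

```javascript
const crypto = require('crypto');

// Constructed key for the demo; in the setup the page describes, the key stays in Cloud KMS.
const key = crypto.randomBytes(32);

// Encrypt a token and bind the ciphertext to userId through the AAD.
function sealToken(token, userId) {
  const iv = crypto.randomBytes(12); // fresh nonce for every encryption
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(userId, 'utf8'));
  const ct = Buffer.concat([cipher.update(token, 'utf8'), cipher.final()]);
  return { iv, ct, tag: cipher.getAuthTag() };
}

// Decrypt a stored row. Returns null when the ciphertext or the supplied
// user ID (AAD) fails authentication, instead of returning any plaintext.
function openToken(row, userId) {
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, row.iv);
  decipher.setAAD(Buffer.from(userId, 'utf8'));
  decipher.setAuthTag(row.tag);
  try {
    return Buffer.concat([decipher.update(row.ct), decipher.final()]).toString('utf8');
  } catch (err) {
    return null; // authentication failed: wrong user ID or modified data
  }
}

// Constructed sample: a token table keyed by user ID.
function demo() {
  const rows = new Map();
  rows.set('user-1001', sealToken('constructed-token-for-alice', 'user-1001'));
  rows.set('user-2002', sealToken('constructed-token-for-bob', 'user-2002'));

  // Normal path: the owner's ID matches the AAD, so decryption succeeds.
  const own = openToken(rows.get('user-1001'), 'user-1001');

  // Row swap in a compromised database: user-1001's ciphertext is placed
  // under user-2002. The AAD no longer matches, so decryption is refused.
  rows.set('user-2002', rows.get('user-1001'));
  const swapped = openToken(rows.get('user-2002'), 'user-2002');

  return { own, swapped };
}

console.log(demo());
```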

What QVA does NOT store

  • Voice audio. Audio is transcribed in real time and discarded.
  • Transcripts. The text we extract from your speech is never written to disk after the request completes.
  • Your Quickbase records. Records are read from and written to Quickbase directly. We don't keep copies.

How tokens work

QVA uses your Quickbase user token, not a service account. Two consequences:

  1. Permissions match yours. If you can't see a record in Quickbase, QVA can't see it through you either. There is no privilege escalation path.
  2. Audit trails name you. Records you create or edit through QVA show up in Quickbase as created or modified by you, not by a generic “QVA service” account. This is intentional — it preserves your organization's audit trail.

How AI processing works

QVA sends each voice request to Google's Gemini API to extract structured fields. Under Google's terms for this API model, your input is not used for model training. Inputs are processed and returned within the request lifecycle.

If your organization needs LLM processing within your own infrastructure (your VPC, your API keys, your data residency), the Enterprise self-hosted plan supports that — see Pricing.

Subprocessors

Service                        Purpose
Google Cloud Run               Application hosting (us-central1).
Google Cloud SQL               Database (PostgreSQL).
Google Cloud KMS               Token encryption.
Google Generative AI (Gemini)  Voice-to-structured-data extraction.
Stripe                         Subscription billing.

We don't subcontract your data to third parties beyond this list.

What we don't have (yet)

We're not going to claim certifications we don't have. Today QVA does not have SOC 2, ISO 27001, or HIPAA attestations. If your procurement process requires one of these, the Enterprise self-hosted plan lets you run QVA inside your own already-attested environment.

Reporting a security issue

Email security@tryqva.com. We respond within one business day.