Culture & Security Principles
How we design, build and run QES – and what you can hold us accountable to.
Culture principles
Integrity over convenience
We don't ship features that undermine our promises. No hidden decryption paths, no quiet changes to key handling, no backdoors.
Assume breach
We design for compromise of identities, devices and platforms. If those fail, QES should still keep data encrypted.
Stateless by design
Our backend should never be a single point of decryption. It handles licensing, telemetry and updates – not plaintext or keys.
User empathy
Security must work for people under pressure. We design for realistic workflows, not idealised security experts.
Privacy & sovereignty by default
We minimise data collection, respect data-location requirements and align with local regulatory obligations.
Long-term trust
We avoid business models that depend on exploiting customer data. We would rather walk away from a deal than weaken core guarantees.
Security principles
1
2
3
4
5
6
7
Client-side encryption, end-to-end.
All encryption and decryption happen on customer devices. Our servers do not need your plaintext or keys.
No access to customer plaintext.
We design systems and support processes on the assumption that we cannot see your data.
Minimal metadata and retention.
We minimise collection and retention of metadata, and protect what we must keep.
Defence in depth.
We layer controls across endpoints, network, identity and infrastructure.
Secure-by-default configurations.
Defaults are secure, not permissive. Misconfiguration should be harder, not easier.
Transparent design and documentation.
We document cryptographic choices, threat models and limitations.
Continuous improvement.
We adapt to new threats and research, and iterate on both product and operations.
Security contact
If you are a customer, partner or security researcher and you believe you have found a security issue or an area for improvement, we want to hear from you.
Email: security@qes.example
Responsible disclosure
This is a placeholder for our full responsible disclosure policy and PGP key. Until then, please contact us via the email address above and we will coordinate a secure channel.