Data & Security
How QuickContract keeps your data safe.
QuickContract is designed so that your sensitive data — contracts, meeting transcripts, business information — stays on your machine by default. This page details the specific security measures in place at every layer of the application.
Local-first architecture
QuickContract is a native desktop application, not a web app. All core data is stored in a local SQLite database on your Mac. There is no central server that holds your contracts or meeting data. This means:
- Your data is available offline at all times
- No server breach can expose your contracts
- You have complete control over your data's lifecycle
- Deleting the app and its data from your Mac permanently removes it
Network access is only required for AI features that use cloud providers, license activation, and Team collaboration features.
API key storage
Your AI provider API keys are stored using Tauri Stronghold, which leverages the macOS Keychain for secure credential storage. The macOS Keychain is a hardware-backed, encrypted credential store managed by the operating system. Your API keys are:
- Encrypted at rest by the macOS Keychain
- Never written to the SQLite database or any plain-text file
- Never transmitted to QuickContract servers
- Only accessible to the QuickContract application process
- Not included in database backups
If you uninstall QuickContract, your API keys remain in the Keychain until you delete them yourself, for example with the Keychain Access app.
Database encryption
The local SQLite database is stored within the application's data directory on your Mac's file system. While the database file itself is a standard SQLite file, it is protected by macOS's built-in security layers:
- FileVault: If you have FileVault enabled (recommended), your entire disk is encrypted with XTS-AES-128. This means the QuickContract database is encrypted at rest along with all other files on your Mac.
- App Sandbox: QuickContract runs within a macOS app sandbox, restricting file system access to its own data directory. Other applications cannot read QuickContract's database.
- Gatekeeper & notarization: QuickContract is signed and notarized by Apple, verifying its integrity and ensuring it has not been tampered with.
To verify FileVault is enabled on your Mac, go to System Settings > Privacy & Security > FileVault. We strongly recommend keeping FileVault on for maximum data protection.
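The three protections above can each be checked from a terminal on the Mac where the app is installed. The script below is an added example, not QuickContract's own code or documentation: it parses the output of fdesetup, spctl and codesign to confirm FileVault is on, the bundle is notarized and accepted by Gatekeeper, and the bundle carries the App Sandbox entitlement. The bundle path /Applications/QuickContract.app is an assumption.

```shell
#!/bin/sh
# Added example, not QuickContract's own code: verifies the macOS protections
# this page relies on. The bundle path below is an assumption; override with APP=.
APP="${APP:-/Applications/QuickContract.app}"

# Parsers take tool output as text, so they can be exercised on any system.
# `fdesetup status` prints "FileVault is On." when the disk is encrypted.
filevault_enabled() { printf '%s\n' "$1" | grep -q '^FileVault is On'; }

# `spctl -a -vv -t exec` prints "<path>: accepted" plus
# "source=Notarized Developer ID" for an app Gatekeeper accepts as notarized.
notarized() {
  printf '%s\n' "$1" | grep -q ': accepted' &&
    printf '%s\n' "$1" | grep -q 'source=Notarized Developer ID'
}

# An App Sandbox-enabled bundle carries this entitlement key; the string is
# present whether codesign prints the entitlements as XML or DER (-a = binary ok).
sandboxed() { printf '%s\n' "$1" | grep -aq 'com.apple.security.app-sandbox'; }

# Wrappers run the real tools. Exit 0 = pass, 1 = fail, 2 = tool not present.
check_filevault() {
  command -v fdesetup >/dev/null 2>&1 || return 2
  filevault_enabled "$(fdesetup status 2>&1)"
}
check_notarized() {
  command -v spctl >/dev/null 2>&1 || return 2
  notarized "$(spctl -a -vv -t exec "$APP" 2>&1)"
}
check_sandboxed() {
  command -v codesign >/dev/null 2>&1 || return 2
  sandboxed "$(codesign -d --entitlements :- "$APP" 2>/dev/null)"
}

# report <label> <check-function>: prints one line and returns the check's code.
report() {
  rc=0; "$2" || rc=$?
  case $rc in
    0) echo "PASS  $1" ;;
    2) echo "SKIP  $1 (tool not available; run on the Mac itself)" ;;
    *) echo "FAIL  $1" ;;
  esac
  return $rc
}
if [ "${1:-}" = "--run" ]; then
  report "FileVault full-disk encryption is on" check_filevault
  report "Bundle is notarized and accepted by Gatekeeper" check_notarized
  report "Bundle carries the App Sandbox entitlement" check_sandboxed
fi
```

Run it as `sh verify_quickcontract.sh --run`; a SKIP line means the corresponding macOS tool was not found, so the check must be repeated on the Mac itself.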
No telemetry
QuickContract does not include any analytics frameworks, usage tracking, or behavioral telemetry. We do not track:
- Which features you use or how often
- What contracts you create or their content
- Which AI models or providers you select
- Your meeting schedules, participants, or transcript content
- Your browsing or navigation patterns within the app
The only network requests QuickContract makes are: AI provider API calls (initiated by you), license validation checks, Team sync operations (if enabled), and optional crash reports.
Team security
For users on the Team plan, shared workspace data is stored in Supabase (a PostgreSQL-based cloud platform). Security measures include:
- Row-level security (RLS): Every database query is scoped to the authenticated user's workspace memberships. Users cannot access data from workspaces they are not members of, even by crafting direct API requests.
- Encryption in transit: All connections between QuickContract and Supabase use TLS 1.2+.
- Encryption at rest: Supabase encrypts all stored data at rest using AES-256.
- Authentication: Team accounts use email-based authentication with hashed passwords (bcrypt). Session tokens are short-lived and automatically refreshed.
E-signature security
When you send a contract for electronic signature, QuickContract creates an audit trail that records:
- When the signature request was sent
- When the document was viewed by each party
- When each party signed, along with their IP address and timestamp
- A cryptographic hash of the signed document to detect any post-signature tampering
For solo users, the audit trail is stored locally. For Team users, it is also stored in Supabase so that all workspace members can verify signature status. The signed document's hash ensures that any modification to the contract after signing is detectable.
Offline mode
When you use Ollama as your AI provider, QuickContract operates with zero network dependency for AI features. Audio transcription via Whisper already runs locally.
With Ollama handling contract generation and analysis and Whisper handling transcription, no contract text, meeting audio, transcript data, or any other content is sent over the network; every computation happens on your Mac. This is the highest-privacy configuration available and is suitable for organizations with strict data sovereignty requirements.
Even in offline mode, you can still generate contracts, analyze documents, use the Legal Advisor, record and transcribe meetings, and manage your entire contract workflow — all without an internet connection.
Reporting vulnerabilities
If you discover a security vulnerability in QuickContract, please report it responsibly. Contact us at security@quickcontract.app with a description of the issue, steps to reproduce, and any relevant details. We take all reports seriously and will respond within 48 hours.
Please do not disclose vulnerabilities publicly until we have had an opportunity to investigate and release a fix. We appreciate the security research community's efforts in helping keep QuickContract safe.