Security
Last updated: April 13, 2026
This page describes the security controls materially reflected in the current HQ Cortex product and infrastructure, with clear attribution where protections are provided by our service partners.
Hosting & Encryption
- HQ Cortex is hosted on managed cloud infrastructure and served over HTTPS.
- Application data is stored in managed services including PlanetScale and Vercel Blob.
- Transport encryption, storage encryption, and some network protections are provided in part by our infrastructure partners rather than by custom in-house systems.
Authentication & Access
- Authentication and session handling are managed by Clerk.
- Organization access in the app is checked on the server using the active organization context and permission data.
- Team access can be limited through Clerk organization roles and HQ Cortex permission profiles.
Workspace Separation
- The application resolves organization context on the server and scopes many reads, writes, uploads, and exports to the current user or organization.
- Protected procedures also enforce per-resource permissions before allowing sensitive mutations.
- We describe this as application-level tenant separation backed by server-side organization scoping and permission checks, rather than as a blanket guarantee about every internal path.
AI Features
- Some AI-assisted features send the content needed for that request to Google Gemini.
- AI features are user-invoked and are not required for the core workflows in the product.
- We do not currently describe the production service as using OpenAI or Anthropic because those providers are not part of the shipped integration reflected in this codebase.
Application Controls
- Many server-side routes use schema validation, authenticated procedures, and server-side permission checks.
- Rate limits exist for public chat and authenticated tRPC traffic when the configured Upstash Redis service is available.
- File uploads are validated for ownership, content type, and size before an upload token is issued.
Security Operations
- We do not represent HQ Cortex itself as SOC 2 certified or as operating a formal enterprise compliance program.
- We avoid publishing security-process commitments that are broader than our current operating reality.
- If an issue affects customer data, we investigate it directly and communicate with affected customers as appropriate and as required by law.
Partners & Payments
- We rely on service providers such as Vercel, PlanetScale, Clerk, Vercel Blob, and Upstash for hosting, storage, identity, and rate-limiting infrastructure.
- Those providers publish their own security and compliance materials; provider certifications should be understood as provider claims, not as HQ Cortex certifications.
- If and when billing is enabled, payment collection and card handling will be provided by Stripe or our billing platform; card details will not be stored directly by HQ Cortex.
Security Questions
Security questions and vulnerability reports should be sent through the support or account channel associated with your workspace. We are not currently publishing a separate monitored `security@hqcortex.com` mailbox or a public bug bounty program.
For more about how we handle data, see our Privacy Policy and Terms of Service.