Security and data handling
This document explains where your data lives, what we can see, and how we protect it. It is written for the person at your company who will ask "is this safe to install?"
The short version
The SideQuest connector runs on your computer (Mac or Windows). Your purchase orders, your QuickBooks catalog, your customer list, and your pricing never leave your computer. We do not have access to any of that data, and we cannot get access to it even if we wanted to.
What we do see, and only this:
- Your license key
- Your contact email and company name (from the signup form)
- A counter that tracks how many POs you processed each month
- The Gmail message IDs of those POs (opaque hash strings, no content)
We use those counters to enforce your monthly tier (free, starter, growth, etc.). That is the only reason we collect them.
Where each piece of data lives
| Data | Where it lives | Can we see it? |
|---|---|---|
| Your customer PO emails | Your Gmail account | No |
| Your QuickBooks catalog | Intuit's servers + a local cache on your computer | No |
| Your QuickBooks customer list | Intuit's servers + a local cache on your computer | No |
| Your pricing | Intuit's servers + a local cache on your computer | No |
| Draft estimates before you submit | Your computer (in ~/.qb-distributor-mcp/) | No |
| Your Gmail OAuth refresh token | Your computer (in ~/.qb-distributor-mcp/credentials/) | No |
| Your QuickBooks OAuth refresh token | Your computer (in ~/.qb-distributor-mcp/credentials/) | No |
| Your license key | Your computer AND our database | Yes (we issued it) |
| Your contact email + company name | Our database | Yes |
| Count of POs processed per month | Our database | Yes (counters only) |
| Gmail message IDs of processed POs | Our database | Yes (opaque, no content) |
All of this is visible in the connector's source, which ships inside the folder you install; you can read every line yourself.
How the connection works
When you set up the connector, you grant it OAuth access to your Gmail account and your QuickBooks Online company. The OAuth tokens get stored in encrypted files on your computer. These tokens never leave your machine; they are what the connector uses to read your Gmail and write to your QuickBooks directly.
When the connector processes a PO, here is what happens:
- The connector reads the PO email from your Gmail (your computer → Google).
- The connector matches the PO lines against your QuickBooks catalog (your computer → Intuit).
- The connector writes the draft Estimate to your QuickBooks (your computer → Intuit).
- After you click Submit, the connector reports one small event to our control plane: `{"license_key": "...", "kind": "po_processed", "message_id": "<hash>", "lines": 7}`. That is the only network call to our servers.
We never see the buyer's email body, the part numbers, the prices, the customer name, or any other content.
How your license key is protected
Your license key is a 22-character random string. We generate it when you sign up and only you and we have it.
- Stored on your computer at ~/.qb-distributor-mcp/.env, with file permissions set so only your user can read it.
- Stored on our servers in PostgreSQL, indexed but not encrypted at rest (it is a random token, not a password; if our database is breached the keys are useless without also breaching every customer's individual machine).
- Transmitted in HTTPS request bodies only, never in URLs (so it does not show up in our access logs or HTTP referrer headers).
- Rotatable: if you think yours leaked, email Paul and he generates you a new one in under a minute.
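The client-side half of the two points above (the single event sent after Submit, and the license key kept in a user-only file and sent only in a request body), as an added example; this is not the connector's own code. The SHA-256 choice for the opaque message-ID hash, the LICENSE_KEY= line format, the /events path and the sample Gmail ID are assumptions or constructed values.

```python
# Added example (not the connector's code): keep the license key in a 0600 file,
# hash the Gmail message ID before it leaves the machine, and put the key in the
# request body rather than the URL. Hash choice, .env format and endpoint path are assumptions.
import hashlib
import json
import os
import stat
from pathlib import Path

ENV_FILENAME = ".env"  # the page: the key lives in ~/.qb-distributor-mcp/.env


def store_license_key(config_dir, license_key):
    """Write LICENSE_KEY=<key> to <config_dir>/.env so that only the current user can read it."""
    config_dir = Path(config_dir)
    config_dir.mkdir(parents=True, exist_ok=True)
    env_path = config_dir / ENV_FILENAME
    # Create with mode 0600 from the start (umask may widen it, so chmod before writing),
    # so there is no window in which another local user can read the key.
    # On Windows these bits are ignored; the %USERPROFILE% folder ACL limits access there.
    fd = os.open(env_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    os.chmod(env_path, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as f:
        f.write(f"LICENSE_KEY={license_key}\n")
    return env_path


def license_file_is_private(env_path):
    """True when no group/other permission bits are set on the key file (POSIX check)."""
    mode = stat.S_IMODE(os.stat(env_path).st_mode)
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def load_license_key(env_path):
    for line in Path(env_path).read_text(encoding="utf-8").splitlines():
        if line.startswith("LICENSE_KEY="):
            return line.split("=", 1)[1].strip()
    raise KeyError("LICENSE_KEY not found in " + str(env_path))


def opaque_message_id(gmail_message_id):
    """One-way hash of the Gmail message ID. The page says an opaque hash is sent;
    SHA-256 is this example's assumption about which hash."""
    return hashlib.sha256(gmail_message_id.encode("utf-8")).hexdigest()


def build_po_processed_event(license_key, gmail_message_id, line_count):
    """The single event shown on the page: key, kind, hashed message ID, line count.
    No email body, part numbers, prices or customer name are ever placed in it."""
    return {
        "license_key": license_key,
        "kind": "po_processed",
        "message_id": opaque_message_id(gmail_message_id),
        "lines": int(line_count),
    }


def build_report_request(base_url, event):
    """Return (url, headers, body) for the one call to the control plane. The key travels
    only in the JSON body, never in the path or query string, so it stays out of access
    logs and Referer headers. The /events path is an assumption."""
    url = base_url.rstrip("/") + "/events"
    if event["license_key"] in url:
        raise ValueError("license key must not appear in the URL")
    headers = {"Content-Type": "application/json"}
    body = json.dumps(event, separators=(",", ":")).encode("utf-8")
    return url, headers, body


if __name__ == "__main__":
    import tempfile

    with tempfile.TemporaryDirectory() as tmp:
        env = store_license_key(Path(tmp) / ".qb-distributor-mcp", "EXAMPLE-KEY-PLACEHOLDER")
        print(env, "private:", license_file_is_private(env))
        # "18e3a1c2b4d5f6a7" is a constructed Gmail message ID, not a real one
        ev = build_po_processed_event(load_license_key(env), "18e3a1c2b4d5f6a7", 7)
        url, _, body = build_report_request("https://control-plane.example", ev)
        print(url, body.decode())
```

The chmod before the first write matters: os.open's mode argument is masked by the process umask, and a pre-existing file created by an older, more permissive version would otherwise keep its old bits while the new key is written into it.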
Where our control plane lives
The control plane is a small API service that does two things: validates license keys and counts POs. It runs on:
- Fly.io (San Francisco-based US company, machines hosted in Chicago, Illinois)
- Neon (US company, PostgreSQL database hosted on AWS us-east-1 in Virginia)
- TLS via Let's Encrypt, automatically renewed
All traffic between your computer and our control plane is encrypted with TLS 1.2 or newer. We do not log request bodies on our servers; we log only access timestamps, response codes, and bytes transferred.
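What the control plane described above has to do with that one event (issue a 22-character key, validate the event, count POs per license per month and refuse past the tier limit, log nothing but timestamp, status and bytes), as an added example; this is not SideQuest's service. In-memory dicts stand in for the PostgreSQL tables, and the tier quotas, the duplicate-message-ID rule and the log line format are constructed or assumed.

```python
# Added example (not SideQuest's control plane): license issuance, event validation,
# monthly tier enforcement and a body-free access log. Quotas and the dedup rule are assumptions.
import secrets
from datetime import datetime, timezone

# Constructed tier quotas (the page names the tiers but does not state their limits).
TIER_LIMITS = {"free": 10, "starter": 100, "growth": 1000}
VALID_KINDS = {"po_processed"}


def generate_license_key():
    """16 random bytes, base64url without padding, gives exactly 22 characters, matching
    the key length on the page (how SideQuest actually encodes its keys is an assumption)."""
    return secrets.token_urlsafe(16)


class ControlPlane:
    """In-memory stand-in for the database: licenses, monthly counters, seen message IDs."""

    def __init__(self):
        self.licenses = {}   # license_key -> {"email", "company", "tier"}
        self.usage = {}      # (license_key, "YYYY-MM") -> number of POs processed
        self.seen = set()    # (license_key, message_id hash) already counted

    def signup(self, email, company, tier="free"):
        if tier not in TIER_LIMITS:
            raise ValueError("unknown tier")
        key = generate_license_key()
        self.licenses[key] = {"email": email, "company": company, "tier": tier}
        return key

    def rotate_key(self, old_key):
        """Issue a replacement key; usage history moves to the new key, the old one stops working."""
        lic = self.licenses.pop(old_key)
        new_key = generate_license_key()
        self.licenses[new_key] = lic
        for (k, month), n in list(self.usage.items()):
            if k == old_key:
                self.usage[(new_key, month)] = self.usage.pop((k, month))
        self.seen = {(new_key if k == old_key else k, m) for k, m in self.seen}
        return new_key

    def record_event(self, event, now=None):
        """Validate one event and count it against the license's monthly quota.
        Only the four fields shown on the page are read; nothing else in the body is stored."""
        now = now or datetime.now(timezone.utc)
        lic = self.licenses.get(event.get("license_key"))
        if lic is None:
            return {"ok": False, "reason": "unknown_license"}
        if event.get("kind") not in VALID_KINDS:
            return {"ok": False, "reason": "unknown_kind"}
        mid = event.get("message_id")
        if not isinstance(mid, str) or not mid:
            return {"ok": False, "reason": "missing_message_id"}
        key = event["license_key"]
        if (key, mid) in self.seen:
            # A retried report of the same PO (e.g. after a lost response) is not counted twice.
            return {"ok": True, "counted": False, "reason": "duplicate"}
        period = (key, now.strftime("%Y-%m"))
        used = self.usage.get(period, 0)
        limit = TIER_LIMITS[lic["tier"]]
        if used >= limit:
            return {"ok": False, "reason": "tier_limit_reached", "used": used, "limit": limit}
        self.usage[period] = used + 1
        self.seen.add((key, mid))
        return {"ok": True, "counted": True, "used": used + 1, "limit": limit}

    def monthly_count(self, key, year_month):
        return self.usage.get((key, year_month), 0)


def access_log_line(ts, status, nbytes):
    """The only per-request record the server keeps: timestamp, status code, bytes. No body."""
    return f"{ts.isoformat()} {status} {nbytes}"


if __name__ == "__main__":
    cp = ControlPlane()
    key = cp.signup("ops@example.com", "Example Distributors")  # constructed signup
    when = datetime(2024, 5, 3, 12, 0, tzinfo=timezone.utc)
    event = {"license_key": key, "kind": "po_processed", "message_id": "h1", "lines": 7}
    print(cp.record_event(event, now=when))
    print(access_log_line(when, 200, 93))
```

The duplicate check on (license key, message-ID hash) is why storing the opaque IDs is useful at all: a connector that retries after a dropped response would otherwise burn two units of quota for one PO. Nothing in the event beyond those four fields is ever read, so a client that accidentally sent more would still leave nothing in the database.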
How we handle a security incident
If we discover or are notified of a security incident affecting customer data, we will:
- Stop the cause of the incident immediately.
- Notify affected customers within 72 hours via email, with what we know.
- Investigate root cause and publish a post-mortem within 30 days.
- Offer license-key rotation for any customer who wants it.
To report a security issue: email [email protected] with [SECURITY] in the subject line. We acknowledge within 24 hours.
What we deliberately do NOT do
- We do not have a "support backdoor" that lets us read your QuickBooks. We cannot get into your data even if you ask us to.
- We do not sell, share, or rent customer data to third parties. Ever.
- We do not use customer data to train AI models. The optional handwriting OCR sends only the specific page image you opt in to process, directly from your computer to Anthropic's API.
- We do not run cloud-based OCR on your behalf without you knowing. Tesseract runs locally; Claude vision is opt-in and uses your own API key.
- We do not use cookies on this site. The signup form collects only what you type into it.
Frequently asked
Can you delete our data on request? Yes. Email [email protected] and we delete your customer + license + usage rows from our database. We cannot delete the data on your own computer because we do not have access to it; you delete the connector folder yourself (Mac: ~/.qb-distributor-mcp/; Windows: %USERPROFILE%\.qb-distributor-mcp\), which removes the OAuth tokens and local caches.
What happens if our license is canceled? Your local connector keeps working with cached state for 7 days, then refuses to process new POs until you re-license. Your QuickBooks and Gmail are unaffected.
What if SideQuest goes out of business? We will publish the source code under a permissive open-source license. Your installed connector keeps working indefinitely (it has cached license state for 7 days, after which you can remove the license check yourself from the open-source code).
Do you have SOC 2? Not yet. SOC 2 Type I requires about 6 months of audit and we will pursue it once we have the customer base to justify it. The architecture (no customer data on our servers) means SOC 2 mostly covers our control plane, which is intentionally minimal.
Are you HIPAA / GDPR / CCPA / PCI compliant? We do not process protected health information (HIPAA does not apply). We collect only contact info and counters, with deletion-on-request available (GDPR and CCPA compliance). We do not process credit cards directly (Stripe handles all payment data; PCI compliance is on their side).
Contact
Email [email protected] with any security question. Subject lines starting with [SECURITY] get prioritized response within 24 hours.
This document is updated whenever the architecture or our practices change. Check back for the "Last updated" date at the top.