
[security.protocols]

Last updated: October 2024

Security Philosophy

Quilon is built with security and privacy as core principles. We believe your data is your own, and we should never have access to it—even if we wanted to. This document outlines how we achieve this.

End-to-End Encryption

Encryption Algorithm

Quilon uses AES-256-CBC (Advanced Encryption Standard with 256-bit keys in Cipher Block Chaining mode) for all data encryption. This is the same encryption standard used by governments and financial institutions.

Encryption Location

All encryption happens on your device before any data leaves it. The encryption keys are generated and stored locally on your devices only. Quilon servers never have access to unencrypted data or encryption keys.

Key Management

  • Encryption keys are derived from your account password using PBKDF2
  • Keys are never stored in plaintext
  • Keys are never transmitted to Quilon servers
  • Each device generates its own keys—they're not synced
  • Changing your password regenerates your encryption keys

Zero-Knowledge Architecture

Zero-knowledge means Quilon cannot access, read, or decrypt your clipboard data. Here's how it works:

Data Flow

  1. On Your Device: Clipboard content is encrypted with AES-256 using your unique key
  2. In Transit: Encrypted data is transmitted to Quilon servers over TLS 1.3 (HTTPS)
  3. On Our Servers: Encrypted data is relayed in real-time to your other devices
  4. Storage: Data is NOT stored on Quilon servers—only relayed and immediately discarded
  5. On Recipient Device: Only your device can decrypt the data using your encryption key
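
As an added illustration (not Quilon's code), the sketch below runs the Key Management and Data Flow steps in Node.js: each device derives its keys locally from the password with PBKDF2, encrypts with AES-256-CBC, and the recipient device decrypts. The shared salt, the iteration count, the envelope layout and the HMAC-SHA-256 tag (added because CBC on its own does not detect tampering by a relay) are assumptions, not details from this page.

```javascript
// Added example, not Quilon's code. Salt handling, iteration count, HMAC tag and
// envelope layout are assumptions; the page names only PBKDF2 and AES-256-CBC.
const crypto = require("crypto");

const PBKDF2_ITERATIONS = 210000; // assumed work factor for PBKDF2-HMAC-SHA512

// Derive 64 bytes: first 32 for AES-256-CBC, last 32 for HMAC-SHA-256.
function deriveKeys(password, salt) {
  const okm = crypto.pbkdf2Sync(password, salt, PBKDF2_ITERATIONS, 64, "sha512");
  return { encKey: okm.subarray(0, 32), macKey: okm.subarray(32) };
}

function encryptClip(keys, plaintext) {
  const iv = crypto.randomBytes(16); // CBC needs a fresh, unpredictable IV per message
  const cipher = crypto.createCipheriv("aes-256-cbc", keys.encKey, iv);
  const ct = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  const tag = crypto.createHmac("sha256", keys.macKey).update(iv).update(ct).digest();
  return Buffer.concat([iv, ct, tag]); // envelope: iv || ciphertext || tag
}

function decryptClip(keys, envelope) {
  if (envelope.length < 16 + 16 + 32) throw new Error("envelope too short");
  const iv = envelope.subarray(0, 16);
  const ct = envelope.subarray(16, envelope.length - 32);
  const tag = envelope.subarray(envelope.length - 32);
  const expected = crypto.createHmac("sha256", keys.macKey).update(iv).update(ct).digest();
  // Verify the tag first so a modified message never reaches the CBC padding check.
  if (!crypto.timingSafeEqual(tag, expected)) throw new Error("authentication failed");
  const decipher = crypto.createDecipheriv("aes-256-cbc", keys.encKey, iv);
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString("utf8");
}

// Constructed demo: two devices derive identical keys from password + shared salt;
// the relay only ever handles the envelope, and a flipped bit is rejected.
function demo() {
  const salt = Buffer.from("constructed-demo-salt-0001"); // constructed sample value
  const deviceA = deriveKeys("correct horse battery staple", salt);
  const deviceB = deriveKeys("correct horse battery staple", salt);
  const envelope = encryptClip(deviceA, "clipboard: hello");
  const roundTrip = decryptClip(deviceB, envelope);
  const tampered = Buffer.from(envelope);
  tampered[20] ^= 0x01; // one ciphertext bit changed in transit
  let rejected = false;
  try { decryptClip(deviceB, tampered); } catch (e) { rejected = true; }
  return { roundTrip, rejected, envelopeLength: envelope.length };
}

console.log(demo());
```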

What Quilon Can See

Quilon servers can observe:

  • Your email address (for authentication)
  • Device identifiers (to route encrypted data)
  • Connection timestamps (for analytics)
  • Encrypted data (which is unreadable)

Quilon cannot see: Your clipboard content, file contents, passwords, or any plaintext data.

Data Storage Policy

Quilon implements a relay-only architecture: we do not store your clipboard data at all.

What We Don't Store

  • Clipboard history (each sync creates new data, old data is discarded)
  • Screenshots or files (encrypted and relayed only)
  • Any plaintext user content

What We Do Store

  • Account information (email, hashed password)
  • Device list (to route encrypted data)
  • Subscription information
  • Anonymized analytics

Benefit of Our Architecture

Even if Quilon's servers were breached or seized, attackers would only find encrypted, meaningless data that cannot be decrypted without your unique encryption keys (which are on your device, not our servers).

Authentication Security

Password Hashing

Passwords are hashed using bcrypt with a cost factor of 12. We never store plaintext passwords.

Session Management

  • Sessions use secure, httpOnly cookies
  • Sessions expire after 30 days of inactivity
  • CSRF tokens protect against cross-site attacks

Two-Factor Authentication (Planned)

Two-factor authentication (2FA) is coming soon. When enabled, your password alone will not be enough for an attacker to access your account.

Network Security

HTTPS/TLS

  • All data in transit is encrypted with TLS 1.3
  • Quilon uses strict HTTPS enforcement (HSTS)
  • Mixed HTTP/HTTPS content is not allowed

API Security

  • APIs require authentication tokens
  • Rate limiting prevents brute force attacks
  • Input validation prevents injection attacks

DDoS Protection

Quilon uses industry-standard DDoS protection to ensure service availability. We work with leading security providers to mitigate attacks.

Infrastructure Security

Cloud Infrastructure

  • Servers run on secure, isolated cloud infrastructure
  • Regular automated security patches
  • Firewall rules limit network access

Access Control

  • Only authorized team members can access production systems
  • Multi-factor authentication required for admin access
  • All server access is logged and audited

Database Security

  • Databases are encrypted at rest
  • Database backups are encrypted and stored securely
  • Database access is restricted and logged

Third-Party Security

Dependency Management

  • Regular dependency audits for known vulnerabilities
  • Automated security updates
  • Minimal dependencies to reduce attack surface

Payment Processing

  • Payment processing handled by Stripe (PCI DSS Level 1 certified)
  • We never see credit card information
  • Stripe tokens are securely stored

Vulnerability Disclosure

Responsible Disclosure Policy

If you discover a security vulnerability in Quilon, please report it responsibly to security@quilon.dev.

Reporting Guidelines

  • Don't: Post vulnerabilities publicly or in issues/comments
  • Do: Email detailed information to security@quilon.dev
  • Do: Allow us 90 days to fix and release a patch before public disclosure

Security Researcher Program

We appreciate security researchers who help us improve Quilon. We recognize and credit researchers who report vulnerabilities responsibly. Contact us about our researcher program.

Security Best Practices for Users

To maximize your security, we recommend:

  • Use a strong, unique password for your Quilon account
  • Never share your password with anyone
  • Enable two-factor authentication when available
  • Keep your devices and OS updated with security patches
  • Use Quilon on trusted devices only
  • Log out of Quilon on shared computers
  • Report suspicious activity immediately

Security Audits

Quilon is committed to third-party security audits. We periodically conduct independent security audits and penetration testing. Audit reports are available upon request for enterprise customers.

Contact Us

For security concerns or questions, please contact:

Email: security@quilon.dev

Website: quilon.dev


© 2025 Quilon. Built with Claude Code.

Next.js • Electron • Socket.io • End-to-End Encryption