Security & Data Protection

Last updated March 2026

Campaign Data Isolation

Every Quorum organization operates in a fully isolated data environment. Your message variants, evaluation results, voter panel responses, and strategic suggestions are visible only to members of your organization. No campaign can access another campaign's data — ever.

Isolation is enforced at the database level using Supabase Row-Level Security (RLS) policies. Every table containing user data has organization-scoped access controls that are evaluated on every query. Even our own engineering team accesses production data only through audited admin tooling.

AI Training Policy

Your messages and evaluation results are never used to train AI models. Quorum uses the Anthropic commercial API, which has a contractual zero-retention policy: your data is not stored by Anthropic after the API response is returned, and is never used for model training or improvement.

This means your opposition research, attack vulnerability testing, inoculation messaging, and internal polling strategy remain completely confidential — even from the AI provider.

Encryption

All data in transit is encrypted with TLS 1.2 or higher. All data at rest is encrypted with AES-256 by our infrastructure providers (Supabase and Vercel). Database backups are encrypted using the same standard.

Access Controls

Quorum uses a role-based access control system with four organization roles: Owner, Admin, Member, and Viewer. Only Owners can manage billing, invite new members, or delete the organization. Members can create and run evaluations. Viewers can see results but cannot modify data or run evaluations.

Platform-level roles (used only by Euda staff) are separate from organization roles and are used exclusively for customer support and system administration.

Infrastructure

Quorum does not operate its own servers. All infrastructure runs on SOC 2-compliant cloud providers with enterprise-grade physical and network security.

Data Retention & Deletion

Evaluation results and message content are retained for as long as your subscription is active. When you delete a study, all associated evaluation data is permanently removed. When an organization is deleted, all data is cascaded and permanently removed within 30 days.

Voter panel personas (AI-generated demographic profiles based on public census data) are shared infrastructure — they contain no campaign-specific information and are not deleted when individual organizations are removed.

Prompt Injection Defense

All user-submitted message content is sandboxed before being sent to the AI evaluation engine. Quorum uses XML isolation and pattern detection to prevent prompt injection attacks that could manipulate evaluation scores or extract system information.

Contact

For security questions, vulnerability reports, or data requests, contact us at security@euda.io.