PROTOQUIZ
Home Agencies Terms Privacy DPA
TRUST & SECURITY

How we protect your data

Last reviewed: 2026-05-20 Operator: Teach Me to Live LLC, d/b/a ProtoQuiz
Short version: TLS in transit, AES-256 at rest, per-organization tenant isolation enforced at the database layer, daily backups, 72-hour breach notification commitment, and a published subprocessor list. Long version below. The contractual versions live in the Data Processing Addendum.

1. Security at a glance

Encryption in transit
TLS 1.2 or higher for every connection. HSTS preloaded.
Encryption at rest
AES-256 (or equivalent) via Google Cloud and Vercel storage.
Tenant isolation
Firestore security rules enforce per-organization data isolation. Cross-tenant queries denied at the database layer.
Access control
Role-based access for personnel. MFA required for production. Quarterly access reviews.
Backups
Daily automated backups, 30-day retention. Restoration tested annually.
Patching
Critical patches within 7 days; high-severity within 30 days.
Audit logging
Administrative actions and security events retained at least 90 days.
Network protection
Cloudflare edge for DDoS and WAF. Backend services require authenticated APIs.
Service level
99.5% monthly uptime target with tiered service credits as contractual remedy. Live status: status.protoquiz.com.

2. What we store, and what we don't

We store

We do not store

3. Subprocessors

We use the following third-party services to operate the Platform. Each is bound by a written agreement requiring at least the same data-protection posture stated here.

SubprocessorPurposeRegion
Google Cloud / FirebaseAuth, database (Firestore), file storage, hostingUnited States
Vercel, Inc.Backend APIs and billing infrastructureUnited States
Cloudflare, Inc.DNS, edge protection, email routingGlobal
Stripe, Inc.Payment processing, invoicing, ACH collection (PCI-DSS Level 1)United States
Brevo (Sendinblue SAS)Transactional email deliveryEU / US
Discord, Inc.Internal operational alerts (minimized event data)United States
Google AI / Vertex AI (Gemini)LLM content generation from Customer-uploaded protocols. No-training contract.United States
Documenso, Inc.Master Services Agreement and Order Form e-signature workflow. Customer signing-contact email + signature image processed.United States

Customers receive at least 30 days' notice before any new subprocessor begins processing Customer data. The contractual notice mechanism is described in DPA §4.2.

4. AI use

ProtoQuiz uses third-party LLM services (currently Google Gemini / Vertex AI) to generate quiz questions, scenarios, and drug-comparison content from Customer-uploaded protocol PDFs. We send only the protocol content needed to generate the requested output. We do not send User personal information (email, name, photo) to LLM providers. The provider's terms prohibit training their foundation models on submitted Customer content.

5. Incident response

If we become aware of a confirmed Security Incident affecting Customer Personal Data, we will notify the affected Customer's designated contact within 72 hours, with the information then available: nature of the incident, affected data categories and approximate scope, likely consequences, and measures taken or proposed. We will continue to coordinate as the investigation progresses. This commitment is contractual under DPA §6.

Vulnerability reports: send to [email protected]. We respond promptly and do not pursue good-faith security researchers acting within standard responsible-disclosure norms.

6. Data export & deletion

Customers can request a machine-readable export (CSV or JSON) of their data at any time during the subscription, or for 90 days following termination. After 90 days post-termination, Customer data is deleted from production systems; backup snapshots are purged within an additional 30 days, subject to legal retention requirements (e.g., financial records).

7. Compliance posture

We are early-stage and do not yet hold formal third-party certifications (SOC 2, ISO 27001). We are happy to share our completed Vendor Security Questionnaire (SIG Lite / CAIQ-Lite), discuss controls in detail, or work toward a security questionnaire your procurement team prefers. Contact [email protected].

We are not a HIPAA Business Associate; the Platform is not designed to process PHI. CCPA, GDPR, and UK DPA-aligned commitments are in the DPA. Standard Contractual Clauses are available where required for cross-border transfers.

8. How to reach us

Teach Me to Live LLC, d/b/a ProtoQuiz
1500 N Grant St #10764, Denver, CO 80203
(720) 441-2532