MongoQUI is offline-first by default, cloud-enabled on your terms, and built on a list of controls we implement: Argon2id master passwords, TOTP, per-device sessions, AES-256 for shared credentials, and an org-wide audit log.
- Transport: TLS 1.3
- At rest: AES-256
- Master key: Argon2id
- SOC 2: In progress
Twelve controls. Every one maps to shipping code.
These are not aspirational. Every entry below corresponds to an auth, encryption or logging path already in production across the desktop app, the cloud control plane and the serverless analytics layer.
Argon2id master password
Local desktop encryption of saved credentials. No cleartext at rest on your machine.
JWT with org-scoped claims
Every API call carries an Authorization: Bearer token and an x-organization-id header, so cross-org leaks fail at the gateway.
TOTP two-factor auth
Backed by otplib in the auth service. Enrolment and recovery handled inside the app.
Per-device session tokens
Every device tracked in the auth database. Revoke any single device without signing the rest out.
Rate limiting
Per-endpoint rate limiting buckets keep abuse, brute force and runaway automation off our API.
AES-256 shared credentials
Shared connections use an HSM-style ENCRYPTION_KEY split. Team members never see the raw secret.
TLS 1.3 in transit
Edge termination and re-encryption to the analytics layer. No plaintext hops.
Internal service auth
Service-to-service calls carry X-Service-Auth: ${INTERNAL_SERVICE_SECRET}. A leaked user token cannot impersonate the gateway.
Audit log
Every org-scoped action goes through /api/v1/audit-logs: creates, share-links, report runs, permission changes.
Password-protected share links
Bcrypt-hashed passwords, explicit expiry timestamp, instant revoke. In-flight viewer sessions are invalidated.
Action-level gating
Sensitive actions (report export, delete, re-run) require a role check beyond the default viewer token.
CORS allow-list
Explicit origin allowlist enforced. No wildcard origins anywhere in the control plane.
GDPR-ready architecture · Data subject access, export and deletion endpoints exist; DPO requests are routed to privacy@mongoqui.com. A public trust portal at security.mongoqui.com is in progress, expected alongside the SOC 2 close.
Local by default. Cloud on request.
The exact language we want quoted in your RFP.
We do not claim certifications we do not hold. Where we have controls but no audit, we say so. Where we are not the right vendor, we say that too.
Every third party that touches data.
For the DPA readers. Each vendor below processes customer data for a specific purpose and only when the feature they power is in use.
Found something? Tell us.
Report anything you find, no matter how small, to the address on the right. We operate a 90-day coordinated disclosure window, acknowledge within two business days, and publish a credit on the changelog with your permission once the fix ships.
No active bug bounty programme yet. We offer swag and public credit today and will announce a bounty when we can do it properly. Please do not run disclosure research against app.mongoqui.com or api.mongoqui.com with real customer data. Contact us first so we can spin up an isolated test org.
Answers for security reviewers.
For a full controls deep-dive or a signed questionnaire, email security@mongoqui.com.
Procurement calling? Talk to security.
Request a DPA, the current SOC 2 status letter, or a call with the engineers who built the controls above. Real people, real answers. No sales middleware.