Security

Built to protect what matters most.

Legal documents are sensitive by nature. Here's exactly how Sqaro protects them.

- TLS 1.2+ encryption in transit
- AES-256 encryption at rest
- Documents never used to train AI
- Firm-level data isolation
- Role-based access control
- Stripe PCI DSS Level 1 payments
- Google Cloud infrastructure

Encryption

In transit

All data transmitted between your browser and Sqaro's servers is encrypted using TLS 1.2 or higher. This applies to document uploads, API calls, authentication requests, and all other network communication.

At rest

All data stored within Sqaro's infrastructure — including uploaded documents, extracted text, analysis outputs, account records, and workspace data — is encrypted at rest using AES-256 encryption provided by Google Cloud and Firebase infrastructure.

Authentication & Access Control

Authentication

Sqaro uses Firebase Authentication to manage user identity and session security. Passwords are never stored in plain text. Authentication tokens are short-lived and scoped to individual sessions.

Role-based access

Every workspace has role-based permissions. Owner, Admin, and Member roles control who can view documents, run analyses, manage billing, invite members, and access firm-level settings. Permissions are enforced at the application and database level.

Firm isolation

Each firm operates in its own isolated workspace. One firm's documents, analyses, and data are never accessible to another firm. Isolation is enforced through Firebase Security Rules applied at the database and storage layer.

Infrastructure

Google Cloud & Firebase

Sqaro is built on Google Cloud and Firebase infrastructure. Google Cloud operates under a shared-responsibility model and maintains SOC 2, ISO 27001, and other compliance certifications for its infrastructure services.

Data residency

Sqaro's primary infrastructure operates within Google Cloud's US-based regions. Data may be replicated or processed in other regions as part of Google Cloud's standard infrastructure operations.

Availability

Sqaro relies on Google Cloud's managed infrastructure, which is designed for high availability with built-in redundancy, automatic failover, and disaster recovery capabilities at the infrastructure level.

AI & Document Processing Security

Document processing

Documents uploaded to Sqaro are processed using Vertex AI, Google Cloud's enterprise AI platform. Document content transmitted for AI analysis is sent over encrypted connections and is not used to train Google's foundation models.

No training on your data

Your documents, prompts, and analysis outputs are never used to train any AI model — by Sqaro or any third party. This applies to all tiers, all plans, and all document types.

Output storage

AI-generated outputs — including summaries, clause extractions, risk flags, and chat responses — are stored as part of your workspace and are subject to the same access controls and encryption as all other workspace data.

Payment Security

Stripe

All payment processing is handled by Stripe, a PCI DSS Level 1 certified payment processor. Sqaro does not store, process, or transmit full payment card numbers on its own systems. Stripe's infrastructure handles all sensitive payment data.

Billing data

Sqaro stores only limited billing metadata — such as subscription plan, billing status, and invoice history — necessary to manage your account. Full card details remain exclusively within Stripe's environment.

Incident Response

Detection

Sqaro monitors its infrastructure for anomalous activity, unauthorized access attempts, and security events using logging and alerting tools built into Google Cloud and Firebase.

Response

In the event of a confirmed security incident affecting customer data, Sqaro will investigate the incident, contain the issue, assess scope and impact, and notify affected customers as required by law or contract.

Reporting

If you believe you have discovered a security vulnerability in Sqaro, please report it to support@sqaro.co. We take all reports seriously and will respond promptly.

Your Responsibilities

Credentials

You are responsible for keeping your login credentials confidential. Do not share your password with others. Use a strong, unique password for your Sqaro account.

Access management

Firm owners and administrators are responsible for managing user access within their workspace — including adding members, assigning roles, and revoking access when team members leave.

Content

You are responsible for ensuring you have the legal right to upload and process any documents or content submitted to Sqaro. Sqaro does not independently verify the ownership or permissions of uploaded content.

Have a security question or concern?

We take every report seriously and respond promptly.

support@sqaro.co