Security
Protecting your data is fundamental to everything we build.
Data Encryption
All data transmitted between your browser and our servers is encrypted using TLS (Transport Layer Security). Data at rest is encrypted via Azure Storage Service Encryption. Sensitive tokens (e.g. email OAuth tokens) are encrypted using AES-256-GCM before storage.
Authentication
We use OAuth 2.0 for third-party sign-in (Google). Passwords are hashed using bcrypt with per-user salts — we never store plaintext passwords. Session tokens are signed using HS256 JWTs with a server-side secret.
Payment Security
All payment processing is handled by Stripe, a PCI-DSS Level 1 certified provider. We never store, process, or have access to your credit card numbers. Payment data flows directly between your browser and Stripe.
Infrastructure
BrokerIQ is hosted on Microsoft Azure Web Apps in the Australia East region (Sydney). Our PostgreSQL database runs on Azure Database for PostgreSQL with automated backups and geo-redundant storage. All infrastructure is within Australian data centres.
Email Integration Security
Gmail and Outlook integrations use OAuth 2.0 — we never ask for or store your email password. OAuth tokens are encrypted at rest using AES-256-GCM. You can disconnect your email account at any time from your settings, which immediately revokes our access and deletes stored tokens.
Data Retention
Your data is retained for as long as your account is active. If you cancel your subscription, your data is preserved in case you resubscribe. You can request full deletion of your account and all associated data at any time by contacting support@domato.ai.
Responsible Disclosure
If you discover a security vulnerability in BrokerIQ, we appreciate your help in disclosing it to us responsibly. Please email security@domato.ai with details of the vulnerability. We will acknowledge your report within 2 business days and work with you to understand and address the issue.