Data Handling
What QualityOS stores, what it immediately discards, and how every piece of retained data is protected.
The most important thing to know
QualityOS does not store call transcripts or audio recordings. They are processed in memory for AI analysis and immediately discarded. The only data retained is the structured scorecard output — scores, evidence quotes, and coaching notes.
Data inventory
| Data | Handling | Where stored | Retention |
| --- | --- | --- | --- |
| Call transcripts | Sent to Groq for inference in memory, immediately discarded after analysis. | Not stored | 0 days |
| Audio recordings | Streamed to Groq Whisper for transcription, never written to disk or any database. | Not stored | 0 days |
| QA scorecards | Structured scorecard JSON: parameter scores, verdict, coaching notes. Scoped to your org_id. | Supabase (PostgreSQL) | Account lifetime + 90 days |
| Knowledge Base documents | PDF/DOCX/TXT/MD files and their embedding chunks. Accessible only to your organisation. | Supabase Storage | Until deleted by admin |
| Agent and team data | Agent names, team codes, and seat assignments. No PII beyond names you enter. | Supabase (PostgreSQL) | Account lifetime + 90 days |
| Authentication | Passwords and OAuth tokens managed entirely by Clerk. QualityOS receives only a user ID. | Clerk (external) | Per Clerk policy |
| Payment information | Card numbers held by Dodo Payments. QualityOS stores only subscription status and tier. | Dodo Payments (external) | Per Dodo Payments policy |
Encryption
In transit
All traffic over TLS 1.2+. HTTPS enforced across all endpoints. HTTP requests are permanently redirected to HTTPS.
At rest
Supabase storage encrypted with AES-256. Database backups retained for 7 days, also encrypted at rest.
Service keys
Supabase service role keys (which bypass row-level policies) are used only in server-side API routes and are never shipped to the browser.
Org isolation
Every piece of data is scoped to an org_id. This is enforced at the API route level on every request — a user in Organisation A cannot read, write, or enumerate any data belonging to Organisation B.
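An added example, not QualityOS code, of org scoping enforced in a server-side route: because a service role key bypasses row-level policies, the route itself has to derive org_id from the verified session and apply it to every read and write. The in-memory array, `resolveOrg`, `orgScopedStore` and the request shape are assumptions made for illustration.

```javascript
// Added illustration; not QualityOS source. An in-memory array stands in for a
// table reached with a service-role client, where row-level policies do not apply.
const scorecards = [ // constructed sample rows
  { id: "sc_1", org_id: "org_a", agent: "Agent One", verdict: "pass" },
  { id: "sc_2", org_id: "org_b", agent: "Agent Two", verdict: "fail" },
];

// Hypothetical membership lookup: the auth provider yields a verified user ID,
// and the server maps it to an organisation. Nothing here comes from the client.
const memberships = new Map([["user_1", "org_a"], ["user_2", "org_b"]]);
function resolveOrg(session) {
  const orgId = memberships.get(session?.userId);
  if (!orgId) throw Object.assign(new Error("unauthenticated"), { status: 401 });
  return orgId;
}

// Every data access goes through a store bound to exactly one org_id.
function orgScopedStore(orgId) {
  const own = (row) => row.org_id === orgId;
  return {
    list: () => scorecards.filter(own),
    get: (id) => scorecards.find((r) => r.id === id && own(r)) || null,
    insert: (row) => {
      // org_id is stamped server-side; a client-supplied value is overwritten.
      const saved = { ...row, org_id: orgId };
      scorecards.push(saved);
      return saved;
    },
  };
}

// Route handlers (hypothetical shape): request = { session, params, body }.
function getScorecard(request) {
  const store = orgScopedStore(resolveOrg(request.session));
  const row = store.get(request.params.id);
  // Same 404 for "does not exist" and "belongs to another org", so record IDs
  // cannot be enumerated across organisations.
  return row ? { status: 200, body: row } : { status: 404, body: null };
}

function createScorecard(request) {
  const store = orgScopedStore(resolveOrg(request.session));
  return { status: 201, body: store.insert(request.body) };
}

function listScorecards(request) {
  return { status: 200, body: orgScopedStore(resolveOrg(request.session)).list() };
}
```
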