SideQuest Automation — Security and data handling

Last updated: May 2026

This document explains where your data lives, what we can see, and how we protect it. It is written for the person at your company who will ask "is this safe to install?"

The short version

The SideQuest connector runs on your Mac. Your purchase orders, your QuickBooks catalog, your customer list, and your pricing never leave your computer. We do not have access to any of that data, and we cannot get access to it even if we wanted to.

What we do see, and only this:

Your license key
Your contact email and company name (from the signup form)
A counter that tracks how many POs you processed each month
The Gmail message IDs of those POs (opaque hash strings, no content)

We use those counters to enforce your monthly tier (free, starter, growth, etc.). That is the only reason we collect them.

Where each piece of data lives

Data	Where it lives	Can we see it?
Your customer PO emails	Your Gmail account	No
Your QuickBooks catalog	Intuit's servers + a local cache on your Mac	No
Your QuickBooks customer list	Intuit's servers + a local cache on your Mac	No
Your pricing	Intuit's servers + a local cache on your Mac	No
Draft estimates before you submit	Your Mac (in `~/.qb-distributor-mcp/`)	No
Your Gmail OAuth refresh token	Your Mac (in `~/.qb-distributor-mcp/credentials/`)	No
Your QuickBooks OAuth refresh token	Your Mac (in `~/.qb-distributor-mcp/credentials/`)	No
Your license key	Your Mac AND our database	Yes (we issued it)
Your contact email + company name	Our database	Yes
Count of POs processed per month	Our database	Yes (counters only)
Gmail message IDs of processed POs	Our database	Yes (opaque, no content)

The connector is open about this in the code, and you can read every line yourself; the source lives inside the connector folder you install.

How the connection works

When you set up the connector, you grant it OAuth access to your Gmail account and your QuickBooks Online company. The OAuth tokens get stored in encrypted files on your Mac (~/.qb-distributor-mcp/credentials/). These tokens never leave your machine; they are what the connector uses to read your Gmail and write to your QuickBooks directly.

When the connector processes a PO, here is what happens:

The connector reads the PO email from your Gmail (Mac → Google).
The connector matches the PO lines against your QuickBooks catalog (Mac → Intuit).
The connector writes the draft Estimate to your QuickBooks (Mac → Intuit).
After you click Submit, the connector reports one tiny event to our control plane: {"license_key": "...", "kind": "po_processed", "message_id": "<hash>", "lines": 7}. That is the only network call to our servers.

We never see the buyer's email body, the part numbers, the prices, the customer name, or any other content.

How your license key is protected

Your license key is a 22-character random string. We generate it when you sign up and only you and we have it.

Stored on your Mac at ~/.qb-distributor-mcp/.env, with file permissions set so only your Mac user can read it.
Stored on our servers in PostgreSQL, indexed but not encrypted at rest (it is a random token, not a password; if our database is breached the keys are useless without also breaching every customer's individual machine).
Transmitted in HTTPS request bodies only, never in URLs (so it does not show up in our access logs or HTTP referrer headers).
Rotatable: if you think yours leaked, email Paul and he generates you a new one in under a minute.

Where our control plane lives

The control plane is a small API service that does two things: validates license keys and counts POs. It runs on:

Fly.io (San Francisco-based US company, machines hosted in Chicago, Illinois)
Neon (US company, PostgreSQL database hosted on AWS us-east-1 in Virginia)
TLS via Let's Encrypt, automatically renewed

All traffic between your Mac and our control plane is encrypted with TLS 1.2 or newer. We do not log request bodies on our servers; we log only access timestamps, response codes, and bytes transferred.

How we handle a security incident

If we discover or are notified of a security incident affecting customer data, we will:

Stop the cause of the incident immediately.
Notify affected customers within 72 hours via email, with what we know.
Investigate root cause and publish a post-mortem within 30 days.
Offer license-key rotation for any customer who wants it.

To report a security issue: email hello@sidequestautomation.com with [SECURITY] in the subject line. We acknowledge within 24 hours.

What we deliberately do NOT do

We do not have a "support backdoor" that lets us read your QuickBooks. We cannot get into your data even if you ask us to.
We do not sell, share, or rent customer data to third parties. Ever.
We do not use customer data to train AI models, including handwriting OCR (which sends only the specific page image you opt in to process, directly from your Mac to Anthropic's API).
We do not run cloud-based OCR on your behalf without you knowing. Tesseract runs locally; Claude vision is opt-in and uses your own API key.
We do not use cookies on this site. The signup form collects only what you type into it.

Frequently asked

Can you delete our data on request? Yes. Email hello@sidequestautomation.com and we delete your customer + license + usage rows from our database. We cannot delete the data on your own Mac because we do not have access to it; you delete the ~/.qb-distributor-mcp/ folder yourself, which removes the OAuth tokens and local caches.

What happens if our license is canceled? Your local connector keeps working with cached state for 7 days, then refuses to process new POs until you re-license. Your QuickBooks and Gmail are unaffected.

What if SideQuest goes out of business? We will publish the source code under a permissive open-source license. Your installed connector keeps working indefinitely (it has cached license state for 7 days, after which you can remove the license check yourself from the open-source code).

Do you have SOC 2? Not yet. SOC 2 Type I requires ~6 months of audit and we will pursue it once we have the customer base to justify it. The architecture (no customer data on our servers) means SOC 2 mostly covers our control plane, which is intentionally minimal.

Are you HIPAA / GDPR / CCPA / PCI compliant? We do not process protected health information (HIPAA does not apply). We collect only contact info and counters, with deletion-on-request available (GDPR and CCPA compliance). We do not process credit cards directly (Stripe handles all payment data; PCI compliance is on their side).

Contact

Email hello@sidequestautomation.com with any security question. Subject lines starting with [SECURITY] get prioritized response within 24 hours.

This document is updated whenever the architecture or our practices change. Check back for the "Last updated" date at the top.