Security & Privacy

Enterprise-grade security. Built for Salesforce Marketing Cloud.

QAiry is designed with data privacy and regulatory compliance at the core of its architecture. Your customer data stays in your SFMC instance — QAiry works with metadata.

Data handling

Customer data stays in your SFMC environment

QAiry uses only what's needed: SFMC user information, user prompts for traceability, and metadata — nothing more.

What QAiry can access

  • SFMC user info for QAiry users — name, username, email
  • User prompts to deliver the experience and ensure traceability
  • Metadata only:
    DE name, Field name, Field type, Prompt history, User identity

What QAiry does NOT access

  • No customer records stored outside SFMC
  • No subscriber export to external databases
  • SQL executes in SFMC — Query Activity runs in your environment

Key principle

QAiry is a secure assistant for your SFMC metadata and operations — not a data replication layer.

Salesforce Security Review

Validated through AppExchange security standards

Before listing on AppExchange, QAiry completed Salesforce's full security review — automated scanning and manual penetration testing.

01 — Automated testing

Vulnerability scanning aligned with industry best practices, including OWASP-based security scanners.

02 — Manual assessment

Penetration testing and manual validation against common attack vectors: SQL injection, XSS, and authentication weaknesses.

03 — Ongoing checks

Periodic and random re-checks ensure continued compliance. Remediation is required to remain listed on AppExchange.

Secure API architecture

Execution stays inside Marketing Cloud Engagement

QAiry generates SQL from metadata, then runs it entirely within your environment — no data ever leaves SFMC.

Flow between QAiry (AI assistant) and Salesforce MCE (your environment) over the secure API bridge:

  • User accesses QAiry inside SFMC.
  • SSO login (QAiry to Salesforce Marketing Cloud): login via SFMC single sign-on, no separate credentials.
  • Reads metadata (QAiry to SFMC): requests field structure from SFMC APIs (DE names, field names, field types).
  • SFMC APIs respond (SFMC to QAiry): returns schema metadata, no subscriber data.
  • Generates SQL (QAiry): builds the query from metadata only, no customer records involved.
  • SQL sent to SFMC (QAiry to SFMC): SQL Activity, query text transferred encrypted.
  • Creates in SFMC (QAiry to SFMC): uses SFMC APIs (API calls) to build objects inside your environment.
  • Objects created (SFMC): Data Extension, fields, Automations, all inside MCE.

Hosting & data residency

EU hosting by default, region-specific deployments available

QAiry is hosted on AWS in Paris (eu-west-3) by default. Region-specific deployments can be arranged to meet local data residency requirements.

Default region

AWS Paris, France — eu-west-3. Hosted in the EU by default for all customers.

Encryption

All data is encrypted in transit and at rest. Secure by default, with no exceptions.

Residency alignment

Region-specific deployments can be discussed for customers with local data residency or governance requirements.

FAQ

Common questions

Quick answers for security reviews, procurement, and implementation planning.

Does QAiry store subscriber or customer data?
No. QAiry does not access, process, or store customer data outside your Salesforce Marketing Cloud instance. QAiry uses SFMC user information (for users who access QAiry), user prompts (for traceability), and metadata — Data Extension names, field names, and field types.

Where does the SQL run?
The generated SQL queries are executed entirely within Marketing Cloud Engagement — inside your environment. No data is transferred to QAiry's infrastructure during execution.

Can API scopes be reduced?
Yes. For custom deployments, scopes can be tailored to match your governance model and enabled features — for example, allowing Query + DE creation while disabling Automation creation and removing related scopes.

Where is QAiry hosted?
By default, QAiry is hosted on AWS servers located in Paris, France (EU) — eu-west-3. Region-specific deployments can be discussed for customers with local data residency requirements.

What does the Salesforce Security Review involve?
Automated security testing (vulnerability scanning using OWASP-based tools) and manual security assessments, including penetration testing and checks for common attack vectors such as SQL injection, XSS, and authentication weaknesses. Ongoing periodic checks are also required.

Need a security pack for procurement?

If your team needs details on data residency, Salesforce Security Review alignment, or API scope mapping for your governance model — contact us and we'll share the right documentation.