Security & Compliance

Operational reference for enterprise-facing controls currently implemented in Quantlix.

Identity & access

  • MFA (TOTP) per user with recovery codes and disable flow.
  • Organization MFA requirement to enforce MFA for org-scoped API access.
  • API key scopes, optional expiry, revoke timestamp, and last-used audit fields.
  • Scoped OIDC SSO with optional password-login enforcement by organization.

Data protection posture

Quantlix is designed so teams can prove what data was fetched, what was redacted, which policy ran, and what reached a model provider. In workflow use cases, PII controls should run before model nodes. For self-hosted deployments, raw source data can remain inside the customer-controlled network boundary.

Company and hosting note

Quantlix is owned by Navego AB, Lillängsvägen 21, 131 41 Nacka, Stockholm, Sweden.

Deployment options include managed operation and self-hosting. For strict data residency requirements, confirm the selected hosting region and provider configuration before production rollout.

Signed audit exports

Enforcement events can be exported as JSONL with a hash chain linking the lines and a trailing HMAC signature block, so a recipient can detect any line that was altered, dropped, or reordered after export.

curl "https://api.quantlix.ai//enforcement-events/export?deployment_id=DEPLOYMENT_ID&format=jsonl&signed=true" \
  -H "X-API-Key: YOUR_API_KEY"
curl -X POST "https://api.quantlix.ai//audit/verify-signed-export" \
  -H "X-API-Key: YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"lines":["{...signed jsonl line 1...}","{...line 2...}","{...signature block...}"]}'

Note: signed export requires `AUDIT_SIGNING_KEY`.
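The hosted `/audit/verify-signed-export` endpoint above is the authoritative check. The following is an added example, not Quantlix's code and not its documented export format, showing how a hash-chained JSONL export with a trailing HMAC can be produced and re-verified offline. The line layout, the field names (`prev_hash`, `hash`, `signature`), SHA-256 as the chain hash, and HMAC-SHA256 over the chain head are all assumptions made for the example; the key and events are constructed sample data.

```python
from __future__ import annotations

import hashlib
import hmac
import json

# Constructed stand-in for AUDIT_SIGNING_KEY; not a real key.
AUDIT_SIGNING_KEY = b"example-signing-key-not-for-production"
GENESIS = "0" * 64  # prev_hash of the first line (assumed convention)

# Constructed sample enforcement events.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T10:00:00Z", "deployment_id": "dep_example", "action": "redact", "policy": "pii-v1"},
    {"ts": "2024-05-01T10:00:02Z", "deployment_id": "dep_example", "action": "allow", "policy": "pii-v1"},
    {"ts": "2024-05-01T10:00:05Z", "deployment_id": "dep_example", "action": "block", "policy": "secrets-v2"},
]


def _canonical(record: dict) -> str:
    """Deterministic JSON so signer and verifier hash identical bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":"))


def sign_export(events: list[dict], key: bytes) -> list[str]:
    """Emit JSONL lines: each event carries prev_hash and its own hash,
    and a final {"signature": ...} line carries an HMAC over the chain head."""
    lines: list[str] = []
    prev = GENESIS
    for event in events:
        body = dict(event, prev_hash=prev)          # hash covers everything but 'hash'
        digest = hashlib.sha256(_canonical(body).encode()).hexdigest()
        lines.append(_canonical(dict(body, hash=digest)))
        prev = digest
    tag = hmac.new(key, prev.encode(), hashlib.sha256).hexdigest()
    lines.append(_canonical({"signature": {"alg": "HMAC-SHA256", "head": prev, "hmac": tag}}))
    return lines


def verify_signed_export(lines: list[str], key: bytes) -> tuple[bool, str]:
    """Re-walk the chain and check the trailing HMAC. Returns (ok, reason)."""
    if len(lines) < 1:
        return False, "empty export"
    *event_lines, sig_line = lines
    try:
        sig = json.loads(sig_line)["signature"]
    except (ValueError, KeyError, TypeError):
        return False, "missing or malformed signature block"
    prev = GENESIS
    for n, raw in enumerate(event_lines, 1):
        try:
            rec = json.loads(raw)
        except ValueError:
            return False, f"line {n}: not valid JSON"
        if rec.get("prev_hash") != prev:
            return False, f"line {n}: chain break (prev_hash mismatch)"
        body = {k: v for k, v in rec.items() if k != "hash"}
        if hashlib.sha256(_canonical(body).encode()).hexdigest() != rec.get("hash"):
            return False, f"line {n}: content does not match its hash"
        prev = rec["hash"]
    if sig.get("head") != prev:
        return False, "signature head does not match chain head (lines dropped or appended)"
    expected = hmac.new(key, prev.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(sig.get("hmac", ""))):
        return False, "HMAC mismatch (wrong key or chain rebuilt by someone without the key)"
    return True, f"ok: {len(event_lines)} events verified"


def tamper(lines: list[str], index: int, field: str, value) -> list[str]:
    """Return a copy with one field of one event line changed (hash left as-is)."""
    out = list(lines)
    rec = json.loads(out[index])
    rec[field] = value
    out[index] = _canonical(rec)
    return out


if __name__ == "__main__":
    export = sign_export(SAMPLE_EVENTS, AUDIT_SIGNING_KEY)
    print(verify_signed_export(export, AUDIT_SIGNING_KEY))
    print(verify_signed_export(tamper(export, 1, "action", "allow-all"), AUDIT_SIGNING_KEY))
    print(verify_signed_export(export[:1] + export[2:], AUDIT_SIGNING_KEY))
    print(verify_signed_export(export, b"wrong-key"))
```

Signing only the chain head is enough because every earlier line is bound to it through the `prev_hash` links: editing a line breaks its own hash, recomputing that hash breaks the next line's `prev_hash`, and rebuilding the whole chain produces a head the signer never authenticated. The verifier therefore needs the same `AUDIT_SIGNING_KEY`, which is why the export is rejected without it.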

GDPR data subject rights

Self-service export and erasure are available through the authenticated `auth` endpoints.

curl "https://api.quantlix.ai//auth/gdpr/export" \
  -H "X-API-Key: YOUR_API_KEY"
curl -X POST "https://api.quantlix.ai//auth/gdpr/delete" \
  -H "X-API-Key: YOUR_API_KEY"

Erasure is blocked with `409` when the user is the sole owner of any organization.

Common questions

Does Quantlix store prompts?

Quantlix stores execution and audit data needed for traces, enforcement events, and visibility. For privacy-sensitive workflows, use redaction before model calls and review retention settings for your deployment model.

Can I export audit evidence?

Yes. Enforcement exports and signed audit exports are available when signing is configured. Workflow analysis can also export compliance evidence for redaction proof.


What about subprocessors?

Subprocessors depend on the deployment model and selected providers. If you connect Anthropic, OpenAI, Azure OpenAI, Bedrock, Voyage AI, or another vendor, that provider relationship is part of your data flow.