Security & Trust

Procurement and security-review checklist — what is in place today, what is in progress, and what is on the roadmap. Quantlix is not SOC 2 or ISO 27001 certified today.

Readiness, not legal compliance

Quantlix provides runtime policy enforcement and exportable evidence on supported production paths to help teams build EU AI Act readiness and broader AI governance workflows. It is not legal advice, a conformity assessment, CE marking, or a guarantee of regulatory compliance. Risk classification, DPIAs, and legal interpretation remain your responsibility.

Supported paths & evidence APIs → · Trust center →

Compliance posture

SOC 2 Type 1

In progress

Control design and operating evidence collection underway. Report available under NDA after completion.

Request audit report →

ISO 27001

On roadmap

Information security management system certification planned after SOC 2 Type 1.

GDPR

Privacy by architecture

Data subject export, deactivation, and erasure flows with audit logging. Standard DPA available.

Data Processing Agreement →

Data residency

EU-hosted default

Managed Quantlix cloud runs on EU infrastructure (Hetzner). Self-hosted Kubernetes available for stricter boundaries.

SOC 2 Type 1 examination is in progress. Report available under NDA after completion — register interest.

Certifications & testing

  • SOC 2 Type 1 — in progress (control design and operating evidence collection). Not certified today.
  • ISO 27001 — on roadmap after SOC 2 Type 1.
  • ISO 42001 — planned; not started.
  • Third-party penetration test — planned before SOC 2 Type 1 (PEN-01); no completed report published yet.

Data residency & deployment

Managed Quantlix cloud runs on EU infrastructure (Hetzner). Self-hosted Kubernetes available for stricter boundaries. Quantlix is operated by Navego AB, Stockholm, Sweden.

  • Managed cloud — EU infrastructure (Hetzner) by default. EU-only regions today; confirm region and provider configuration before production rollout.
  • Self-hosted / private deployment — Kubernetes deployment available for teams that need stricter network boundaries. See self-hosted setup.

Encryption

  • TLS for data in transit between clients and Quantlix services.
  • Provider credentials and integration tokens encrypted at rest (Fernet).
  • Encrypted Postgres backups with dedicated backup encryption keys.
  • Enforcement audit exports can include a signed hash chain when AUDIT_SIGNING_KEY is configured.

Tenant isolation & access controls

  • Organization-scoped data and API access — resources are tied to org membership and role checks.
  • Role-based access within organizations (owner, admin, member, viewer).
  • Multi-factor authentication (TOTP) for user accounts; optional org-wide MFA requirement.
  • API keys with scopes, optional expiry, revocation, and last-used metadata.
  • OIDC single sign-on with optional password-login lockout per organization.
  • Just-in-time production access for platform operators with audit logging.

Technical reference: Security & compliance docs.

Retention controls

  • Configurable retention for trace and enforcement data by organization.
  • Plan tiers define default audit retention windows; org admins can adjust within plan limits.
  • GDPR data subject export, deactivation, and erasure with audit events.

Incident response & vulnerability management

  • Severity-based response targets (SEV-1 through SEV-4) with documented playbooks.
  • Security event monitoring with alerting for authentication anomalies, privilege changes, and export patterns.
  • GDPR breach notification process aligned with 72-hour supervisory authority timelines where applicable.
  • Weekly dependency update PRs (Dependabot) and CI blocking on critical CVEs.
  • Documented remediation SLAs: critical within 7 days, high within 30 days, medium within 90 days.
  • Secret scanning in CI; documented exception process for time-bound allowlists.

Report vulnerabilities: responsible disclosure or security@quantlix.ai.

DPA & subprocessors

  • Standard Data Processing Agreement available for download and execution.
  • Versioned subprocessor register published from our internal registry.
  • Customer-configured model providers (Anthropic, OpenAI, Azure OpenAI, Bedrock, etc.) are part of your data flow when you connect them.

Data Processing Agreement → · Full subprocessor list · JSON API

Subprocessors (summary)

PartyRoleRegionsData categoriesNotes
GitHub, Inc. (Microsoft)
Source code hosting and CIUS, EUsource_code, ci_metadata
Hetzner Online GmbH
Cloud infrastructure (managed Quantlix hosting)EUcustomer_payloads, operational_logs, account_metadata
Model providers you configure
Customer-configured		Inference (OpenAI, Anthropic, Azure OpenAI, Bedrock, etc.)variesprompts, completions, embeddingsCustomer-selected; data flows per deployment provider binding and DPA.
OpenTimestamps calendar servers
Secondary blockchain timestamp for trace chain Merkle rootsglobalsha256_merkle_root_digestsOptional redundancy alongside Rekor; digest-only submissions.
Sigstore Rekor (Linux Foundation)
Transparency log for trace chain Merkle roots (hashedrekord; digest only)US, EUsha256_merkle_root_digestsEnterprise trace chain anchoring when TRACE_CHAIN_ANCHOR_ENABLED is on. No tenant identifiers in public log entries.
Stripe, Inc.
Payment processing and billingEU, USbilling_pii, payment_metadata
Voyage AI (when enabled)
Customer-configured		Embeddings and semantic retrievalUStext_for_embeddingOnly when used for RAG or semantic cache.

How evidence supports security review

Quantlix's tamper-evident trace model gives security and audit teams independently verifiable runtime records — without asking reviewers to trust our word alone.

  • Per-organization append-only SHA-256 hash chains for enforcement and run-seal events.
  • Segment roots published to Sigstore Rekor (public transparency log) for external anchoring.
  • Open-source @quantlix/verify CLI — verify integrity proofs without Quantlix API credentials.
  • Signed enforcement-event exports and audit bundles with bundled verification instructions (HOW_TO_VERIFY.txt).

Cryptographic chaining attests to ledger continuity, not business truth or legal compliance. Pre-cutover events may be marked pre-chain and are outside the ledger.

Trace integrity details → · Trust center

Security questionnaires & reviews

Email security@quantlix.ai for procurement packs. General product questions: support@quantlix.ai.

Security & Trust — Quantlix — Quantlix