Quantlix · Trust center

Security overview

Written for security reviewers and procurement; it is not an implementation guide.

Quantlix is not SOC 2 or ISO 27001 certified today. This page describes controls in place or in progress. Technical API details: Security & compliance docs.

Encryption

  • TLS for data in transit between clients and Quantlix services.
  • Provider credentials and integration tokens encrypted at rest with Fernet (AES-128-CBC with an HMAC-SHA256 authentication tag).
  • Encrypted Postgres backups with dedicated backup encryption keys.
  • Enforcement audit exports can include a signed hash chain when enabled, so that edited, reordered, dropped, or truncated records are detectable by the recipient.

Access controls

  • Multi-factor authentication (TOTP) for user accounts; optional org-wide MFA requirement.
  • Role-based access within organizations (owner, admin, member, viewer).
  • API keys with scopes, optional expiry, revocation, and last-used metadata.
  • OIDC single sign-on with optional password-login lockout per organization.
  • Just-in-time production access for platform operators with audit logging.

Incident response

  • Severity-based response targets (SEV-1 through SEV-4) with documented playbooks.
  • Security event monitoring with alerting for authentication anomalies, privilege changes, and export patterns.
  • GDPR breach notification process aligned with 72-hour supervisory authority timelines where applicable.
  • Platform and security audit logs retained per data retention policy.

Vulnerability management

  • Weekly dependency update PRs (Dependabot) and CI blocking on critical CVEs.
  • Documented remediation SLAs: critical within 7 days, high within 30 days, medium within 90 days.
  • Secret scanning in CI; documented exception process for time-bound allowlists.

Data lifecycle & privacy

  • Configurable retention for trace and enforcement data by organization.
  • GDPR data subject export, deactivation, and erasure with audit events.
  • Subprocessor list published automatically from our internal registry.

Standard Data Processing Agreement →

Audit & evidence

  • Signed enforcement-event exports for customer-controlled evidence packs.
  • Run and policy decision traceability on supported production paths.
  • SOC 2 Type 1 report available under NDA when examination completes — request workflow.
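A reviewer receiving a hash-chained, signed enforcement export will want to verify it rather than trust it on arrival. The block below is an added example, not Quantlix's code and not a description of its export format: the record layout (seq, event, prev_hash, hash, head, signature), the sample events, and the key are all assumptions for illustration, and HMAC-SHA256 stands in for the export signature so the example runs with the standard library alone. It builds a chain, verifies it, and then shows that an edited event, a dropped record, a truncated export, and a chain rebuilt under a different key each fail the check.

```python
import copy
import hashlib
import hmac
import json

# Assumed layout for this illustration only; not Quantlix's export format.
GENESIS = "0" * 64

# Constructed sample enforcement events, not real data.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T10:00:00Z", "action": "policy.allow", "run_id": "r-1"},
    {"ts": "2024-05-01T10:00:05Z", "action": "policy.deny", "run_id": "r-2"},
    {"ts": "2024-05-01T10:00:09Z", "action": "policy.allow", "run_id": "r-3"},
]
KEY = b"example-export-signing-key"  # constructed; never hard-code a real key


def canonical(obj: dict) -> bytes:
    # Deterministic serialisation so producer and verifier hash identical bytes.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def build_chain(events: list[dict], signing_key: bytes) -> dict:
    """Hash-chain the events and authenticate the chain head.

    HMAC-SHA256 stands in for the signature here (assumption); a real evidence
    pack would carry a public-key signature checked against a published key.
    """
    records = []
    prev = GENESIS
    for seq, event in enumerate(events):
        body = {"seq": seq, "event": event, "prev_hash": prev}
        digest = hashlib.sha256(canonical(body)).hexdigest()
        records.append({**body, "hash": digest})
        prev = digest
    tag = hmac.new(signing_key, prev.encode(), hashlib.sha256).hexdigest()
    return {"records": records, "head": prev, "signature": tag}


def verify_chain(export: dict, signing_key: bytes) -> tuple[bool, str]:
    """Return (ok, reason); fails closed on any break in the chain."""
    prev = GENESIS
    for expected_seq, rec in enumerate(export.get("records", [])):
        if rec.get("seq") != expected_seq:
            return False, f"gap or reorder at seq {expected_seq}"
        if rec.get("prev_hash") != prev:
            return False, f"prev_hash mismatch at seq {expected_seq}"
        body = {k: rec.get(k) for k in ("seq", "event", "prev_hash")}
        if hashlib.sha256(canonical(body)).hexdigest() != rec.get("hash"):
            return False, f"record hash mismatch at seq {expected_seq}"
        prev = rec["hash"]
    if prev != export.get("head"):
        return False, "head does not match last record"
    expected = hmac.new(signing_key, prev.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, export.get("signature", "")):
        return False, "signature over chain head is invalid"
    return True, "ok"


def demo() -> dict:
    """Verify an intact export and four tampered variants; returns pass/fail per case."""
    export = build_chain(SAMPLE_EVENTS, KEY)
    results = {"intact": verify_chain(export, KEY)[0]}

    edited = copy.deepcopy(export)           # change a decision after the fact
    edited["records"][1]["event"]["action"] = "policy.allow"
    results["edited_event"] = verify_chain(edited, KEY)[0]

    dropped = copy.deepcopy(export)          # remove a record from the middle
    del dropped["records"][1]
    results["dropped_record"] = verify_chain(dropped, KEY)[0]

    truncated = copy.deepcopy(export)        # cut the export short
    truncated["records"].pop()
    results["truncated"] = verify_chain(truncated, KEY)[0]

    # Rebuilding a consistent chain under another key still fails the signature.
    rewritten = build_chain(SAMPLE_EVENTS[:2], b"attacker-key")
    results["rewritten"] = verify_chain(rewritten, KEY)[0]
    return results


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:15s} {'verified' if ok else 'REJECTED'}")
```

The check is deliberately ordered so that the cheapest structural failures (sequence gaps, broken links) are reported before the signature is examined, and it uses a constant-time comparison for the tag. Whatever the real export looks like, the properties a reviewer should confirm are the same: every record commits to its predecessor, the head commits to every record, and the signature commits to the head.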

Security questionnaires: security@quantlix.ai
