Security and data control
Security is not enough. Enterprise organizations require demonstrable control: over every access, every analysis, every output. Quvant is built for exactly that.
Where your data lives
Analysis data is stored on MongoDB Atlas, Milan region (eu-south-1), within the European Economic Area. Encryption at rest, a 3-node replica set for high availability, continuous automated backup with point-in-time recovery. Processing runs on EU West (Amsterdam) infrastructure. No data crosses non-EU borders.
Each customer operates in a logically isolated space. One organization's analyses, evidence packs, and logs are never accessible to another.
Enterprise plan: BYOC (Bring Your Own Cloud) on roadmap H2 2026 — analyses executed within the customer's own cloud, with full control over data residency and access.
Proof
- Milan · eu-south-1
- Encryption at rest
- Multi-tenant isolation
Audit trail and immutability
SHA-256 append-only: every Evidence Pack is cryptographically signed at creation. No retroactive change is possible — any later alteration is detectable.
RFC 3161 TSA (Enterprise): Trusted Timestamping with a certified external timestamp authority. The timestamp is verifiable by third-party auditors with no dependency on Quvant. Currently in implementation; available Q3 2026.
Proof
- Vault SHA-256
- Append-only audit trail
- Tamper-evidence
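How an append-only SHA-256 trail makes later alteration detectable, as an added illustration that is not Quvant's own `compute_immutable_hash` code: each entry commits to its content and to the previous entry's hash, so editing an old record breaks every hash after it. Function names, the ledger layout and the sample Evidence Pack values are all constructed for this example.

```python
import hashlib
import json

# Hypothetical minimal append-only evidence ledger (illustration only, not Quvant's code).
# Every entry's hash covers the previous hash plus the canonical JSON of its content,
# so a retroactive edit is caught either at the edited entry or at the one after it.

GENESIS = "0" * 64  # sentinel "previous hash" for the first entry


def canonical(obj):
    # Deterministic serialization: same content always yields the same bytes and hash.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def entry_hash(prev_hash, content):
    h = hashlib.sha256()
    h.update(prev_hash.encode())
    h.update(canonical(content))
    return h.hexdigest()


def append(ledger, content):
    # Append-only: the new entry is chained to whatever is currently last.
    prev = ledger[-1]["hash"] if ledger else GENESIS
    ledger.append({"prev_hash": prev, "content": content, "hash": entry_hash(prev, content)})
    return ledger[-1]["hash"]


def verify(ledger):
    """Walk the chain from genesis; return (ok, index of first bad entry or None)."""
    prev = GENESIS
    for i, e in enumerate(ledger):
        if e["prev_hash"] != prev or e["hash"] != entry_hash(prev, e["content"]):
            return False, i
        prev = e["hash"]
    return True, None


def demo():
    # Constructed sample packs; the verdict and confidence fields are invented for the demo.
    ledger = []
    append(ledger, {"pack": "EP-001", "verdict": "HALT", "confidence": 0.41})
    append(ledger, {"pack": "EP-002", "verdict": "PROCEED", "confidence": 0.87})
    ok_before, _ = verify(ledger)
    ledger[0]["content"]["confidence"] = 0.95  # retroactive alteration of an old pack
    ok_after, first_bad = verify(ledger)
    return ok_before, ok_after, first_bad  # (True, False, 0)
```

Re-hashing the altered entry does not hide the change either: the next entry still records the original hash as its `prev_hash`, so verification fails one step later.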
Compliance and certifications
- GDPR: no personal data required to operate the service (no personal data by design).
- The underlying MongoDB Atlas infrastructure is SOC 2 and ISO 27001 certified.
- Quvant SOC 2 Type II certification: on roadmap H2 2026.
- Quvant ISO 27001 certification: under evaluation.
Proof
- GDPR · no personal data
- Atlas SOC 2 · ISO 27001
Authentication and access
- Passwordless access via single-use magic link, valid 15 minutes.
- SSO/SAML for the Enterprise plan: available on request.
- Optional 2FA on the Professional plan, mandatory on the Enterprise plan.
Proof
- Single-use magic link
- 2FA on Professional/Enterprise
- SSO/SAML — available on request
Sovereignty Scale
| Model | Plan | Data residency | Control |
|---|---|---|---|
| Managed EU | Free / Starter / Pro | Milan (eu-south-1) | Standard |
| BYOC — on roadmap H2 2026 | Enterprise | Customer cloud | Full |
| Single-tenant — on roadmap | Enterprise+ | Dedicated tenant | Maximum |
BYOC and single-tenant options are on the roadmap and available on the Enterprise plan.
Compliance Roadmap
Where we are on the path to third-party attestation. Self-assessed items reflect our current internal posture; certifications in progress are independently audited.
| Certification | Status | Target |
|---|---|---|
| SOC 2 Type I | In progress | Q4 2026 |
| ISO 27001 | Planned | 2027 |
| DORA Compliance | Self-assessed | Ongoing |
| EU AI Act | Self-assessed | Ongoing |
Vendor Security Assessment
A pre-compiled Vendor Security Assessment Questionnaire (VSAQ) is available for procurement and vendor-onboarding reviews.
Data Processing Agreement
Download our standard DPA (template v1.0) for your legal team to review before signing any MSA.
Security architecture
- Per-tenant isolated inference in dedicated containers.
- The Evidence Pack hash is computed server-side and immutable post-emit.
- No training on customer data.
- Audit log retention for 7 years (DORA Art. 17).
Responsible AI commitments
- The Validator runs blind and prevents groupthink by design.
- Every HALT is logged with the full Dissent Record.
- The confidence score is always visible — no black-box output.
Trust posture
No declared certifications we can't prove. Each item shows its real status.
| Claim | Status | Evidence |
|---|---|---|
| GDPR Art. 28 compliant DPA, ready to sign | live | /legal/dpa-v1.0.md (downloaded from /security) |
| DORA-ready architecture | live | /security#security-architecture |
| EU AI Act Art. 9 self-assessment completed | self-assessed | /security#responsible-ai |
| Evidence Pack with SHA-256 hash, immutable post-emit | live | compute_immutable_hash in deliberation_engine.py |
| No training on customer data | live | /security#security-architecture |
| Audit log retention 7 years (DORA Art. 17) | live | DORA Art. 17; /security#security-architecture |
| Architecture aligned with ISO/IEC 27001 principles | aligned | Annex A mapping in progress; no certificate |
| SOC 2 Type II sub-processors (Railway, Vercel, Resend) | via provider | /legal/subprocessors (Railway, Vercel SOC 2 Type II, Resend) |
Every claim above is recorded in our Trust Ledger and verified automatically in CI: the site shows only what is provable. The same principle as Evidence Packs, applied to our own marketing.
Frequently asked questions
- Does incident data leave the EU?
- On the Starter and Professional plans, data is processed on EU infrastructure. For Enterprise with a dedicated tenant, localization is contractually configurable.
- Is Quvant ISO 27001 certified?
- ISO 27001 certification is on the roadmap (H1 2027). We currently apply equivalent controls — documentation available on request for enterprise procurement.
Demonstrable control, from the first analysis.
Evaluate Quvant on your own data and verify every piece of evidence before you propose a budget.