Trust Center

Quanta is built on defense in depth, zero trust, and transparency. Here's how we protect your data and how we respond in the event of an incident.

Contact us:

security@usequanta.com

Security Philosophy

Defense in depth

Layered controls across infrastructure, application, and data. No single point of failure.

Zero trust

Verification at every layer with strict tenant isolation. Every request is authenticated and authorized.

Transparency

Clear communication about our practices and any incidents. Affected customers notified within 72 hours of a confirmed breach.

Frequently Asked Questions

Where is my data hosted?

Quanta is hosted on Render (SOC 2 Type II certified) in the United States. All customer data resides in US-based infrastructure. Cloudflare (SOC 2 Type II, ISO 27001) sits in front of all traffic for DDoS protection and edge security. Daily backups are performed automatically by Render.

How is my data encrypted?

All customer data is encrypted at rest using AES-256 and in transit using TLS 1.2+. Secrets and API credentials are managed through Infisical (SOC 2 Type II), never stored in code or config files. They are retrieved at runtime and held in memory only.

Can another customer access my data?

No. Quanta enforces strict multi-tenant isolation at the application layer. Every database query is scoped to your organization, every API request is authenticated and authorized against your tenant, and authorization checks prevent any cross-organization data access.

Do you support SSO?

Yes. SSO is available and can be configured for your organization. Contact security@usequanta.com to set it up. SCIM provisioning for automated user lifecycle management is on our roadmap.

What happens if there is a security incident?

Quanta follows a formalized 7-step incident response process: detection, triage, containment, eradication, recovery, notification, and post-incident review. We maintain an on-call rotation with severity-based escalation. If a data breach is confirmed, affected customers are notified within 72 hours. Our full Incident Response Plan is available upon request.

Infrastructure & Architecture

Hosting

Render (SOC 2 Type II). Render owns physical security, network infrastructure, host OS, and daily backups. Quanta owns application security, access controls, monitoring, and incident response.

Network segmentation

Production, development, and staging run on private networks. No external traffic can reach production systems.

DDoS protection

Cloudflare filters all inbound traffic before it reaches our infrastructure.

Multi-tenant isolation

Tenant ID validated on every database query. Authorization checks enforce tenant boundaries on every request.

Data Protection

Encryption at rest

AES-256 for all customer data.

Encryption in transit

TLS 1.2+ for all client-server and service-to-service communication.

Secrets management

Infisical handles all encryption keys and API credentials. Secrets are never stored in code, config files, or version control. They are retrieved at runtime and held in memory only.

Credential handling

We use revocable OAuth tokens. No user passwords are stored in Quanta systems.

Identity & Access Management

Authentication

Google OAuth 2.0 and OTPs. No passwords stored. JWT tokens issued with configurable expiration.

Authorization

Permission checks on every request. Tenant ID validation prevents cross-tenant data access. Tokens are revocable for immediate access revocation.

SSO

Available with agreed-upon terms. Contact security@usequanta.com to configure.

Roadmap

SCIM provisioning for automated user lifecycle management is planned.

Security Operations

Monitoring

Real-time security monitoring and alerting across all production systems.

Change management

All code changes go through automated testing, static code analysis, mandatory peer review, and manual QA before production deployment.

Incident response

Formalized 7-step IR process with on-call rotation, severity-based escalation, and 72-hour breach notification commitment. Full IR plan available upon request.

People & Process

Employee security

All employees sign confidentiality agreements. Verified workstations required for production access. Least-privilege access model enforced.

SDLC

Security is integrated throughout development: design review, automated testing, static analysis, code review, and segregated environments.

Compliance & Legal

SOC 2 Type II

Targeting audit completion in 2026. Infrastructure provider Render is already SOC 2 Type II certified. SIG Lite questionnaire, SOC 2 readiness details, and architecture diagrams available on request.

Subprocessors

Subprocessor | Purpose | Data Processed | Compliance
Render | Cloud infrastructure & hosting | All customer data | SOC 2 Type II
Infisical | Secrets management | Encryption keys, API credentials | SOC 2 Type II
WorkOS | Authentication | User email, profile | SOC 2 Type II, ISO 27001
Cloudflare | DDoS protection, CDN | Network traffic metadata | SOC 2 Type II, ISO 27001

Additional Resources Available on Request

The following documents are available to qualified prospects and customers. Contact security@usequanta.com to request access.

  • Incident Response Plan
  • SIG Lite Questionnaire
  • SOC 2 Readiness Details
  • Architecture Diagrams