Trust Centre

Security, compliance, and evidence verification resources for procurement, security, and diligence teams.

🔒 Security Overview

Enterprise-grade security controls designed for regulated financial services.

🔐 Encryption & Key Management

  • Data encrypted at rest (AES-256) and in transit (TLS 1.3)
  • AWS KMS with customer-managed CMKs (BYOK supported)
  • ML-DSA-65 signing keys for evidence (implements NIST FIPS 204)
  • HSM-backed key storage available (CloudHSM)
  • Per-tenant key isolation in multi-tenant deployments

🛡 Access Control

  • RBAC with predefined roles: Admin, Analyst, Auditor, ReadOnly
  • SSO via SAML 2.0 / OIDC (Okta, Azure AD, custom IdP)
  • MFA enforced for all console and API management access
  • IP allowlisting and VPC-only access options
  • Session management with configurable timeouts

📝 Audit Logging

  • CloudTrail integration for all API and management actions
  • Immutable decision logs with tamper-evidence hashing
  • User activity tracking with session attribution
  • Configurable log export (Splunk, Datadog, S3, custom SIEM)
  • Retention aligned to regulatory requirements

🗄 Data Retention (Immutable)

  • S3 Object Lock COMPLIANCE mode (WORM — Write Once Read Many)
  • Configurable retention periods: 5, 7, or 10 years
  • Automated lifecycle policies for cost-optimised tiering
  • Legal hold support for investigation preservation
  • Deletion certificates available on request

What this means: In COMPLIANCE mode, locked object versions cannot be overwritten or deleted by any user (including root) until retention expiry. This is an AWS S3 Object Lock COMPLIANCE mode guarantee.

How to verify: Auditors can confirm WORM retention via AWS Console → S3 → Bucket → Properties → Object Lock, or via aws s3api get-object-retention.
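An added verification check (not QuantumVerify's code) for the WORM claim above. It assumes you have saved the JSON printed by aws s3api get-object-lock-configuration (the bucket default) and aws s3api get-object-retention (one object version) and know the object's LastModified timestamp; the sample documents below are constructed to match the shape of that CLI output.

```python
import json
from datetime import datetime

# Retention periods the Trust Centre lists as configurable.
ALLOWED_YEARS = {5, 7, 10}

# Constructed samples; the shape follows the AWS CLI's JSON output for the two calls.
SAMPLE_LOCK_CONFIG = json.dumps({"ObjectLockConfiguration": {
    "ObjectLockEnabled": "Enabled",
    "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Years": 7}}}})
SAMPLE_RETENTION = json.dumps({"Retention": {
    "Mode": "COMPLIANCE", "RetainUntilDate": "2032-03-01T00:00:00+00:00"}})
SAMPLE_WEAK_RETENTION = json.dumps({"Retention": {
    "Mode": "GOVERNANCE", "RetainUntilDate": "2030-03-01T00:00:00+00:00"}})


def _add_years(dt: datetime, n: int) -> datetime:
    """dt plus n calendar years; 29 Feb falls back to 28 Feb in a non-leap year."""
    try:
        return dt.replace(year=dt.year + n)
    except ValueError:
        return dt.replace(year=dt.year + n, day=28)


def check_bucket_lock(lock_json: str) -> list[str]:
    """Findings against the bucket default; an empty list means it matches the WORM claim."""
    findings = []
    cfg = json.loads(lock_json).get("ObjectLockConfiguration", {})
    if cfg.get("ObjectLockEnabled") != "Enabled":
        findings.append("Object Lock is not enabled on the bucket")
    default = cfg.get("Rule", {}).get("DefaultRetention", {})
    if default.get("Mode") != "COMPLIANCE":
        findings.append(f"default retention mode is {default.get('Mode')!r}, not COMPLIANCE")
    if default.get("Years") not in ALLOWED_YEARS:
        findings.append(f"default retention of {default.get('Years')!r} years is not one of {sorted(ALLOWED_YEARS)}")
    return findings


def check_object_retention(retention_json: str, last_modified_iso: str, min_years: int) -> list[str]:
    """Findings for one object version: COMPLIANCE mode and RetainUntilDate >= LastModified + min_years.
    last_modified_iso is the LastModified value printed by `aws s3api head-object` (ISO 8601)."""
    findings = []
    ret = json.loads(retention_json).get("Retention", {})
    if ret.get("Mode") != "COMPLIANCE":
        findings.append(f"object retention mode is {ret.get('Mode')!r}, not COMPLIANCE")
    required = _add_years(datetime.fromisoformat(last_modified_iso), min_years)
    until = datetime.fromisoformat(ret["RetainUntilDate"]) if "RetainUntilDate" in ret else None
    if until is None or until < required:
        findings.append(f"retain-until {until} is earlier than required {required.isoformat()}")
    return findings
```

Both checks are needed: the bucket default only applies to versions written after it was set, so sample individual object versions as well.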

📊 Data Handling

Clear data processing, storage, and residency commitments.

Deployment Model: SaaS (Multi-Tenant)
  • Data Processed: Party names, identifiers, screening requests
  • Data Stored: Decision receipts, evidence artefacts, audit logs
  • Operated By: QuantumVerify
  • Retention Default: 7 years (configurable)

Deployment Model: VPC / PrivateLink
  • Data Processed: Same as SaaS
  • Data Stored: Customer's AWS account (S3 buckets)
  • Operated By: Customer infrastructure, QuantumVerify software
  • Retention Default: Customer-defined

Deployment Model: On-Premises
  • Data Processed: Same as SaaS
  • Data Stored: Customer's infrastructure
  • Operated By: Customer
  • Retention Default: Customer-defined

🔐 Data Residency

Default deployment region is eu-west-2 (London). All data processing and storage occurs within the EU unless explicitly configured otherwise. Additional regions available on request for enterprise deployments.

🛡 Data We Don't Store

QuantumVerify does not store raw transaction data, payment card numbers (PAN), or bank account details. We process screening requests and store only the decision evidence required for audit compliance.

📊 Controls Mapping

Platform capabilities mapped to regulatory frameworks and industry standards. Mapping shows which evidence artefacts support your controls; it is not a statement of legal compliance or certification.

🔒 DORA

Mapped controls + evidence outputs for EU Regulation 2022/2554:

  • ICT risk management artefacts
  • Evidence retention (Article 11)
  • Audit trail and logging
  • Operational resilience outputs
  • Third-party risk documentation

Supports your DORA compliance case; not a compliance certification.

💎 MiCA / CASP

Supports workflows aligned to MiCA:

  • Travel Rule messaging support
  • Originator/beneficiary screening
  • IVMS101 data structure alignment
  • Audit evidence generation
  • Transaction monitoring hooks

Supports your MiCA/CASP compliance case.

🔐 EU Instant Payments

Mapped controls for EU Regulation 2024/886 (VoP):

  • VoP informs payer of match/close match/no match between name and IBAN prior to authorisation (ECB reference)
  • Response latency discipline
  • Match evidence and receipts

Supports your IPR compliance case.

🔐 FATF Travel Rule

FATF Recommendation 16 alignment:

  • IVMS101 message structure
  • Originator/beneficiary data capture
  • Cryptographic verification
  • Cross-VASP messaging support

🔒 ISO 27001 Controls Mapping Pack

Not an ISO 27001 certification; control mapping and evidence available

Information Security Management:

  • Control mapping documentation
  • Risk assessment artefacts
  • Access control evidence
  • Incident response procedures

No third-party certification is claimed unless explicitly provided under NDA.

🔒 SOC 2 Alignment Pack

Not a SOC 2 report — alignment artefacts available

Trust Services Criteria:

  • Security control evidence
  • Availability monitoring outputs
  • Processing integrity artefacts
  • Confidentiality controls

SOC 2 is an examination report over controls, not a certification; QuantumVerify provides a controls mapping pack to accelerate your assessment.

🔒 Security Pack

Procurement-ready security documentation for vendor assessment.

🔒 Subprocessors

  • AWS (Amazon Web Services) — Infrastructure, compute, storage, KMS
  • No other subprocessors for core screening and evidence
  • Optional integrations (Slack, email) are customer-configured

Full subprocessor list available on request for procurement review.

🔐 RTO / RPO Targets

Targets (subject to contract/SLA)

  • RTO (Recovery Time Objective): <4 hours (SaaS), customer-defined (VPC/on-prem)
  • RPO (Recovery Point Objective): <1 hour (evidence data), <15 min (decision logs)
  • Multi-AZ deployment with automated failover
  • Cross-region DR available for enterprise tier

🔒 Key Management Policy

  • AWS KMS with customer-managed CMKs (BYOK supported)
  • Automatic key rotation (annual, configurable)
  • Separate signing and encryption keys
  • HSM-backed storage available (CloudHSM)
  • Key access logged via CloudTrail

🔐 Retention & Deletion Policy

  • Default retention: 7 years (WORM-protected)
  • Configurable retention: 5, 7, or 10 years
  • Deletion certificates available on expiry
  • Legal hold support for investigations
  • Automated lifecycle tiering for cost optimisation

🔐 Incident Response

  • 24-hour notification for confirmed security incidents
  • Dedicated incident response runbook
  • Post-incident report with root cause analysis
  • Coordinated disclosure for vulnerabilities

Vulnerability Disclosure: Security researchers can report vulnerabilities to lukasz.dziewiecki@quantumverify.io. We acknowledge within 48 hours and coordinate disclosure timelines.

🔒 Security Assessments

  • Vulnerability scanning: Continuous (AWS Inspector, Dependabot)
  • Penetration testing: Annual (summary available under NDA)
  • Code scanning: SAST/DAST in CI/CD pipeline
  • Dependency audit: Automated SBOM generation

Pen-test executive summary and vulnerability scan reports available under NDA.

DPA: Data Processing Addendum available under NDA; includes subprocessor list, retention terms, deletion certificates.

🔒 Customer-Side Shared Responsibility

In SaaS and VPC deployments, customers are responsible for:

  • Access management: Provisioning/deprovisioning users, enforcing MFA, managing API keys
  • Integration security: Securing API calls from your systems, protecting credentials
  • Data classification: Ensuring only appropriate data is submitted for screening
  • Compliance decisions: Interpreting screening results and making compliance decisions

🔒 Security Questionnaire Fast-Track

Accelerate your procurement and security review process.

🔐 Procurement Fast-Track Pack

Pre-completed artefacts to accelerate your security review:

  • CAIQ-Lite (CSA) format responses
  • Security architecture one-pager
  • Data flow diagram + subprocessors list
  • Encryption at rest/in transit summary
  • Incident response summary

Available on request; gated for qualified prospects.

🔒 Questionnaire Packs

Pre-completed responses for common security questionnaires:

  • SIG Lite
  • SIG Core
  • CAIQ v4
  • VSA
  • Custom

Typical response time: 3–5 business days for standard questionnaires.

To request any pack, contact lukasz.dziewiecki@quantumverify.io or use the form below.

Request Evidence Pack or Questionnaire Response

For diligence teams requiring detailed security documentation, control mappings, or questionnaire responses.
