Security is at the heart of what we do: helping our customers improve their security and compliance posture starts with our own.
Access should be limited to only those with a legitimate business need and granted based on the principle of least privilege.
Security controls should be implemented and layered according to the principle of defense-in-depth.
Security controls should be applied consistently across all areas of the enterprise.
Security is a continuous process. We review our policies and controls periodically (at least annually), including access to resources. Our employees receive annual security training.
Quanscient passed its SOC 2 Type I audit in December 2023. We are now awaiting the audit report for SOC 2 Type II, and once we have it we will maintain that attestation on an ongoing basis. We also plan to extend our compliance to ISO 27001 certification in early 2025.
All customer data is encrypted at rest, whether it resides in object storage, temporary storage or databases.
We use TLS 1.2 or higher wherever data is transmitted over potentially insecure networks. We renew our TLS certificates regularly and restrict the allowed cipher suites to well-known secure ones only.
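As an added illustration of the transport policy above (example code written for this page, not Quanscient's own configuration), the block below shows how a Python client enforces a TLS 1.2 floor and a restricted, AEAD-only cipher list, alongside a small audit function that flags a context which still permits older protocol versions or non-AEAD suites. The cipher string, the 128-bit strength threshold and the "legacy" context are assumptions chosen for the example, not Quanscient's actual settings.

```python
import ssl

# Assumed policy for this example: forward-secret, AEAD-only suites for TLS 1.2.
# TLS 1.3 suites are fixed by OpenSSL and are all AEAD, so they need no filtering.
ALLOWED_TLS12_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20"


def make_client_context() -> ssl.SSLContext:
    """Client context matching the policy: TLS 1.2 or higher, restricted cipher
    suites, with certificate verification and hostname checking left enabled."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(ALLOWED_TLS12_CIPHERS)
    return ctx


def legacy_client_context() -> ssl.SSLContext:
    """The kind of context the policy forbids (constructed for this example):
    lowest protocol version the library supports and OpenSSL's full cipher
    list, which still contains CBC suites without AEAD protection."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    ctx.set_ciphers("ALL")
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return the policy violations found in a context; an empty list means compliant.

    Checks the negotiable protocol floor and every cipher suite the context
    would offer, as reported by OpenSSL through ctx.get_ciphers()."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum protocol version below TLS 1.2")
    for cipher in ctx.get_ciphers():
        if not cipher["aead"]:
            findings.append(f"non-AEAD cipher suite enabled: {cipher['name']}")
        elif cipher["strength_bits"] < 128:  # assumed minimum key strength
            findings.append(f"weak cipher suite enabled: {cipher['name']}")
    return findings


if __name__ == "__main__":
    print("hardened:", audit_context(make_client_context()) or "compliant")
    print("legacy  :", audit_context(legacy_client_context())[:4], "...")
```

The same audit can be pointed at server-side contexts before deployment; the cipher names it reports are the OpenSSL names, so they map directly onto an nginx or HAProxy cipher string when the finding needs to be fixed in a proxy rather than in application code.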
We store customer data in the region the customer selects, and regions are isolated from each other.
All our encryption keys are managed through a key management system (KMS). Using a KMS prevents direct access to key material by any individual, including Quanscient employees; the keys are used for encryption and decryption only through the KMS APIs.
Application secrets are stored encrypted, and access to them is limited to the services that absolutely need them.
We perform penetration testing internally on our production systems, covering black-box, gray-box and white-box testing. We also commission external penetration tests periodically.
All areas of our product and cloud infrastructure are in-scope for these assessments.
We employ vulnerability scanning at multiple stages of our Secure Development Lifecycle (SDLC):
Static analysis (SAST) at build time.
Software composition analysis (SCA) to identify known vulnerabilities in our software supply chain.
Network vulnerability scanning on a periodic basis.
All of our devices are equipped with anti-malware protection, disk encryption, automatic screen locking and automatic software updates, and we use password managers to prevent credential leakage.
As a cloud-first company, we store and back up all the data we handle with carefully selected, world-class vendors who are committed to security. All connections to the services we use are encrypted using standard techniques.
We require our employees to complete annual security training. In addition, we have established a Product Security Team with representatives from all of our teams; in its regular meetings the latest security information is shared, and the representatives pass it on to their teams. We also follow security incidents and notify employees on our internal communication channels about new threats or required measures.
We use security compliance management software to monitor access rights and identities in the services we use. These are reviewed at least annually, and any access to a service must be requested through an internal system and approved by the system owner before it is granted.
View Quanscient’s Privacy Policy.