Trust & Compliance Center

Security and trust, in the open.

The Quantum Club is built for elite hiring under heavy regulatory scrutiny. This is the evidence — our compliance posture, where your data lives, how we protect it, and how our AI is governed.

EU-resident · GDPR-compliant · EU-AI-Act-aligned · your data is never used to train models

Live platform status: status.thequantumclub.com ↗


Compliance & certifications

Frameworks we meet today, and the attestations under way. Each state reflects what we can evidence now.


Document vault

Policies and reports. Public documents open directly; gated reports unlock on request or under NDA.

Security & Trust Whitepaper · PDF · download · Last updated 2026-06 · Public
Security overview · Guide · Last updated 2026-06 · Public
Privacy Policy · Policy · Last updated 2026-06 · Public
Data Processing Agreement (DPA) · Agreement · Last updated 2026-06 · Public
AI Transparency Policy · Policy · Last updated 2026-06 · Public
Data residency & transfers · Reference · Last updated 2026-06 · Public
Acceptable Use Policy · Policy · Last updated 2026-06 · Public
Cookie Policy · Policy · Last updated 2026-06 · Public
GDPR data-subject rights · Reference · Last updated 2026-06 · Public
Security questionnaire (CAIQ-Lite) · Questionnaire · Last updated 2026-06 · Public
SOC 2 Type II report · Audit report · NDA required
Penetration test summary · Attestation · Request access

Sub-processors

Every third party that may process customer data, what they do, and where.

| Vendor | Purpose | Data | Region | DPA |
|---|---|---|---|---|
| Supabase | Database, authentication, file storage | Account & application data | EU (AWS eu-west-1) | |
| Cloudflare | CDN, edge compute, DNS, WAF | Request metadata in transit | Global edge (EU-served) | |
| Stripe | Payment processing | Billing details (card data not stored by us) | EU / US (DPF, SCCs) | |
| Resend | Transactional & lifecycle email | Name, email, message content | EU / US (SCCs) | |
| AI model providers (Anthropic, Google) | Club AI features (matching, assistant) | Prompts — never used to train models | EU / US (SCCs) | |
| PostHog | Product analytics — consent-gated, off by default | Anonymised usage events | EU | |

Data residency & data flow

Where your data is stored and processed, and how cross-border transfers are governed.

European residency by default. Customer data is stored and processed in the European Union — AWS eu-west-1, via Supabase. There is no setting that relocates core customer data outside the EU.

Cross-border transfers to sub-processors are governed by Standard Contractual Clauses (and the EU–US Data Privacy Framework where applicable). The authoritative transfer list is the sub-processor table above and our Data Processing Agreement.

Data flow: You → Cloudflare edge (EU) → Club OS · Supabase (EU eu-west-1)

Security architecture

Defense-in-depth across identity, access, network, and detection — each control is live in production.

Identity & access

Passkey-first authentication
WebAuthn with user verification; phishing-resistant by design.
Enterprise SSO
SAML 2.0 and OIDC federation for partner organisations.
SCIM 2.0 provisioning
RFC 7644 directory-driven joiner/mover/leaver with full audit trail.
MFA + step-up (AAL2)
Multi-factor with enforced re-authentication for sensitive operations.

Data protection

Encryption in transit
TLS 1.2+ everywhere; HSTS with preload.
Encryption at rest
Database, storage and backups encrypted at rest (AES-256).
Row-Level Security
Postgres RLS enforced across 100+ tables — tenant isolation at the database layer.
Secrets management
No secrets in client code; service-role material is server-side only.

Detection & resilience

Atomic rate limiting
Auth-aware, fail-closed limiter (per-account + per-IP) on every authentication endpoint.
Anomaly detection
Continuous scan (every 5 min) for credential-stuffing, spraying, velocity and takeover patterns — alerting today.
Account recovery
PBKDF2-hashed recovery codes; five recovery paths with anti-enumeration guarantees.
Audit logging
Security-relevant events recorded to an append-only audit stream.

Privacy & your rights

GDPR data-subject rights, retention, and how to exercise them.

You can access, export, correct and erase your personal data from your privacy settings in Club OS. Consent for meeting recording is granular and affirmative (video, audio and transcription are separate).

Retention windows are defined per data type, and deletion-on-request is honoured. Personal data is kept only as long as needed for the purpose it was collected or as required by law; our retention schedule is documented and available on request.

Our Data Protection Officer is reachable at privacy@thequantumclub.com and acts as the contact point for data-subject requests and supervisory authorities. Full detail: GDPR rights.


AI governance

How Club AI is governed for high-risk hiring under the EU AI Act — transparency, human oversight, and your data.

Your data is never used to train models

Candidate CVs, notes and meeting transcripts are never used to train or fine-tune public LLMs. Only internal, anonymised telemetry calibrates our own prompts.

A human always decides

Club AI is assistive. Match scores, summaries and recommendations inform people; they never make an automated hiring decision.

Hiring AI is high-risk — we treat it that way

The EU AI Act classifies recruitment AI as high-risk. We design for transparency (users know when AI is involved), human oversight, and against adverse impact.

Assessments are screening-support, not verdicts

Our assessments are positioned as observed work-sample evidence, never standalone selection or clinical/personality diagnosis.

AI sub-processors are named

The model providers behind Club AI are listed in our sub-processor table, with region and data-handling terms.


Resilience & continuity

Availability, backups, incident response, and breach notification.

Availability is published in real time at status.thequantumclub.com, including component health and historical uptime.

Recovery objectives
We maintain defined recovery-time and recovery-point objectives (RTO / RPO) per service tier. The specific targets and our business-continuity plan are available under NDA on request.
Backups
Customer data is backed up on a recurring schedule with encryption at rest. Backups inherit European residency and are periodically restore-tested to verify they are recoverable, not merely written.
Incident response
We operate a documented incident-response process — detection, triage, containment, eradication, recovery and post-incident review — with severity-based escalation. Security-relevant events are logged to an append-only audit stream.
Breach notification
We notify affected customers and, where required, the competent supervisory authority of a personal-data breach within 72 hours of becoming aware, in line with GDPR Art. 33–34.

Vulnerability disclosure

How to report a security issue, and what to expect from us.

Found a security issue? Email security@thequantumclub.com — also published in our security.txt (RFC 9116). Our coordinated-disclosure policy explains scope and timelines: disclosure policy.

We practise responsible disclosure and will keep you informed through remediation. Please do not access data that is not yours, and give us reasonable time to fix before publishing.

Safe harbour. We will not pursue legal action against, or report to authorities, researchers who act in good faith and in accordance with this policy — staying within scope, avoiding privacy violations and service degradation, and not exfiltrating data beyond the minimum needed to demonstrate a finding. If in doubt about whether your testing is authorised, ask us first at security@thequantumclub.com.


Security review FAQ

The questions enterprise security teams ask most often.

Where is our data stored?
In the European Union — AWS eu-west-1, via Supabase. EU residency is the default and there is no setting that moves core customer data outside the EU.
Do you use our data to train AI models?
No. Customer data is never used to train or fine-tune public AI models. Prompts sent to model providers are processed under contract and not used for training.
Are you SOC 2 / ISO 27001 certified?
Our controls are implemented to the SOC 2 Trust Services Criteria and map to ISO/IEC 27001. Independent attestation/certification is on our roadmap — we will publish each report and auditor here when complete, rather than imply a certificate we do not yet hold.
How do you handle hiring AI under the EU AI Act?
Club AI is assistive and a human always makes the decision. We build for transparency, human oversight, and against adverse impact, and treat assessments as screening-support only.
Do you support SSO and SCIM?
Yes — SAML 2.0 and OIDC single sign-on, plus SCIM 2.0 user provisioning and de-provisioning with audit logging.
How quickly are data breaches notified?
Within 72 hours of becoming aware, in line with GDPR Article 33/34.
Can we sign a DPA?
Yes. Our Data Processing Agreement is available now from the document vault above, including the sub-processor list and EU transfer mechanisms (SCCs).
How do we report a vulnerability?
Email our security team or use the contact in our security.txt. Our coordinated disclosure policy explains scope and what to expect.
Can we run our own security review or send a questionnaire?
Yes. We publish a pre-answered CAIQ-Lite security questionnaire on this Trust Center (and as machine-readable JSON) that covers most procurement questions up front. If you need a specific questionnaire (SIG, your own template) completed, contact our trust team and we will turn it around.
How are your AI sub-processors governed?
The model providers behind Club AI (Anthropic, Google) are named in our sub-processor table with region and data terms, and each is bound by a DPA with SCCs. Prompts are processed under contract and never used to train or fine-tune their models. We list them so you always know which third parties touch AI-related data.
What happens to our data if we leave?
You can export your data at any time via self-service in-app, and on contract termination customer data is deleted on request within our defined retention windows. We never retain customer data beyond what we are contractually or legally required to keep.
Do you support audit logging and SIEM export?
Security-relevant events are recorded to an append-only audit stream today. A self-service SIEM/log-export integration is on our roadmap; until then we can provide audit records on request for enterprise customers.

Talk to our trust team

Report a vulnerability

security@thequantumclub.com

Privacy & data requests

privacy@thequantumclub.com

Security reviews & documents

trust@thequantumclub.com