Security questionnaire
A pre-answered security questionnaire (CAIQ-Lite): the questions enterprise procurement asks every vendor, answered up front from our live posture. A machine-readable version is available for download below.
Download JSON (CAIQ-Lite, v2026-06-22)
01 Governance, Risk & Compliance

Do you maintain documented information-security policies?
Yes. Published security model plus security, acceptable-use and privacy policies.

Do you hold a SOC 2 Type II attestation?
Planned. Controls implemented to the criteria; independent attestation on the roadmap.

Are you ISO/IEC 27001 certified?
Planned. ISMS mapped to ISO/IEC 27001:2022 Annex A; certification planned.

Do you review sub-processors and require DPAs?
Yes. Sub-processors reviewed; GDPR-compliant DPA in place with each.

Do you perform vendor / third-party risk review before onboarding a sub-processor?
Yes. Each sub-processor is assessed for data handling, region and DPA terms before use; the list is published here.

Do you notify customers of sub-processor changes?
Yes. The sub-processor list is published with a subscribe-to-changes option so customers are notified of additions.
02 Identity & Access Management

Do you support enterprise SSO (SAML 2.0 / OIDC)?
Yes. SAML 2.0 and OIDC federation for partner organisations.

Do you support SCIM user provisioning?
Yes. SCIM 2.0 (RFC 7644) joiner/mover/leaver provisioning with an audit trail.

Is multi-factor authentication available and enforceable?
Yes. MFA with enforcement plus step-up authentication (AAL2) for sensitive operations.

Do you offer phishing-resistant authentication?
Yes. Passkey-first (WebAuthn with user verification).

Is access governed by least-privilege RBAC?
Yes. Role-based access; tenant isolation enforced at the database layer.
03 Data Security & Encryption

Is data encrypted in transit?
Yes. TLS 1.2+ everywhere; HSTS with preload.

Is data encrypted at rest?
Yes. Database, storage and backups encrypted at rest (AES-256).

Is customer data logically isolated between tenants?
Yes. Postgres Row-Level Security across 100+ tables.

Is customer data resident in a specific region?
Yes. European Union (AWS eu-west-1); no relocation outside the EU.
04 Application & Operational Security

Do you rate-limit authentication endpoints?
Yes. Atomic, auth-aware, fail-closed limiter (per-account and per-IP).

Do you monitor for anomalous / abusive activity?
Yes. Anomaly detection runs every 5 minutes with alerting.

Do you have a vulnerability-disclosure policy?
Yes. Coordinated-disclosure policy plus security.txt (RFC 9116).

Do you run a bug-bounty programme?
Planned. A VDP is published; a bounty programme is on the roadmap.

Do you commission independent penetration tests?
Planned. Internal security reviews today; third-party penetration test on the roadmap.

Do you maintain an audit log of security events?
Yes. Security-relevant events are recorded to an append-only stream.

Do you support audit-log / SIEM export?
Partial. Append-only audit stream today; records available on request. Self-service SIEM export is on the roadmap.

Do you follow a change-management process for production changes?
Yes. Changes go through version control and review before release; database changes ship as reviewed migrations.

Do you follow a secure software development lifecycle (SDLC)?
Partial. Code review, automated checks and dependency hygiene are in place; a formally attested SDLC is part of the SOC 2 / ISO roadmap.

Do you have a documented incident-response process?
Partial. Anomaly alerting and a defined breach-notification SLA are live; a fully documented IR runbook is being formalised alongside the SOC 2 programme.
05 Privacy & Data Rights

Do you support GDPR data-subject requests (access, export, erasure)?
Yes. Self-service from in-app privacy settings.

Is a Data Processing Agreement available?
Yes. DPA with SCCs available to every customer.

Is customer data deleted on contract termination?
Yes. Deletion on request; defined retention windows.

Do you provide a data-deletion SLA / defined retention windows?
Yes. Deletion honoured on request; each data type has a defined retention window rather than indefinite storage.

Is your sub-processor list published?
Yes. Published on this Trust Center with a subscribe-to-changes option.
06 AI Governance

Is customer data used to train your AI models?
No. Customer data is never used to train or fine-tune any AI model.

Is there human oversight of AI-assisted decisions?
Yes. Club AI is assistive; a human always makes the hiring decision.

Are AI model sub-processors disclosed?
Yes. Named in the sub-processor table with region and data terms.

Do you address EU AI Act obligations for hiring AI?
Yes. Built for transparency and human oversight, with safeguards against adverse impact (hiring AI falls in the high-risk class).
07 Resilience & Continuity

Do you maintain encrypted backups?
Yes. Backups encrypted at rest.

Do you have a defined breach-notification SLA?
Yes. Within 72 hours of awareness (GDPR Art. 33/34).

Do you publish a real-time status page?
Yes. status.thequantumclub.com: live component health plus historical uptime.