Security and data control

Analysis data is stored on MongoDB Atlas, Milan region (eu-south-1), within the European Economic Area. Encryption at rest, a 3-node replica set for high availability, continuous automated backup with point-in-time recovery. Processing runs on EU West (Amsterdam) infrastructure. No data crosses non-EU borders.

Each customer operates in a logically isolated space. One organization's analyses, evidence packs, and logs are never accessible to another.

Enterprise plan: BYOC (Bring Your Own Cloud) on roadmap H2 2026 — analyses executed within the customer's own cloud, with full control over data residency and access.

Proof

• Milan · eu-south-1
• Encryption at rest
• Multi-tenant isolation

SHA-256 append-only: every Evidence Pack is cryptographically signed at creation. No retroactive change is possible — any later alteration is detectable.

RFC 3161 TSA (Enterprise): Trusted Timestamping with a certified external timestamp authority. The timestamp is verifiable by third-party auditors with no dependency on Quvant. In implementation, available Q3 2026.

Proof

• Vault SHA-256
• Append-only audit trail
• Tamper-evidence

• GDPR: no personal data required to operate the service (no personal data by design).
• The underlying MongoDB Atlas infrastructure is SOC 2 and ISO 27001 certified.
• Quvant SOC 2 Type II certification: on roadmap H2 2026.
• Quvant ISO 27001 certification: under evaluation.

Proof

• GDPR · no personal data
• Atlas SOC 2 · ISO 27001

• Passwordless access via single-use magic link, valid 15 minutes.
• SSO/SAML for the Enterprise plan: in implementation Q3 2026.
• Optional 2FA on the Professional plan, mandatory on the Enterprise plan.

Proof

• Single-use magic link
• 2FA on Professional/Enterprise
• SSO/SAML — Q3 2026