Security Policy
Version: 3092fe06. Updated: May 2, 2026.
DRAFT — pending legal review. This document will be replaced with finalized legal copy from QuantumMind's counsel before public launch.
1. Encryption Standards
Data is encrypted in transit and at rest:
- In transit: TLS 1.2 or higher for all client-server communication. HSTS enabled.
- At rest: database storage uses provider-managed encryption (AES-256 for PostgreSQL volumes).
- Sensitive credentials: third-party integration credentials (Stripe, SendGrid, etc.) are stored in the database using authenticated AES-256-GCM encryption with a master key managed in AWS Parameter Store. Plaintext is never logged.
- Passwords: stored as bcrypt hashes with a cost factor of 12 (configurable). Plaintext passwords are never stored, transmitted internally, or logged.
2. Access Controls
Access to production systems is restricted by role and audited:
- Authentication: JWT cookies with HttpOnly, Secure (in production), SameSite=Lax flags. Session expiry is 24 hours by default.
- Authorization: role-based (USER vs ADMIN) and access-level-based (AUDIT, REPORT, SUBSCRIPTION_*) checks at the API layer.
- Administrative actions: gated by RolesGuard at the controller level; all administrative changes (integration credential updates, etc.) write to an immutable audit log.
- Internal access: production data is accessible only to a small number of engineering staff under explicit need-to-know, with all access events logged.
3. Vulnerability Management
We maintain a security posture appropriate to a B2B SaaS:
- Dependencies are scanned for known vulnerabilities through standard tooling (e.g., npm audit, Snyk, Dependabot).
- Critical and high-severity vulnerabilities are triaged within 48 hours of disclosure.
- Production releases pass a CI pipeline that includes static analysis, type checking, and a comprehensive automated test suite.
- We disable verbose error responses and remove X-Powered-By headers in production.
4. Incident Response
We maintain an incident-response process covering:
- Detection (alerting on anomalous events; audit-log review).
- Containment (revoke compromised credentials, isolate affected systems).
- Eradication (root-cause analysis, patching).
- Recovery (restore service from clean backups if needed).
- Notification (in line with our Data Policy, Section 5).
- Post-mortem (documented and reviewed internally; remediation tracked).
5. Compliance and Certifications
QuantumMind is committed to building toward formal certifications appropriate to our customer base. As of this writing we are in the pre-certification phase; specific certifications and audit reports will be listed here once obtained:
- SOC 2 Type II (planned)
- GDPR / UK GDPR alignment (in progress)
- CCPA alignment (in progress)
6. Reporting Security Issues
If you discover a security issue, please report it to:
- Email: security@quantummind.example (placeholder)
- PGP key: pending publication
We commit to:
- Acknowledging your report within 2 business days.
- Investigating and providing a status update within 7 business days.
- Coordinating disclosure responsibly; we will credit you in our advisories if you wish to be credited.
We will not pursue legal action against researchers who:
- Make a good-faith effort to avoid privacy violations, destruction of data, and disruption of service.
- Report findings only to us, before public disclosure, and give us a reasonable window to remediate.
Last updated: May 2, 2026.
