How does Qtonic Quantum protect customer data during assessments?

Assessment data is protected in transit and at rest using approved controls for the engagement environment. Dedicated environments, boundary-controlled handling, and air-gapped or on-premise options are available when required by scope. Secure deletion can be documented as part of engagement closeout.

What compliance frameworks does Qtonic Quantum align with?

Qtonic Quantum aligns its assessment methodology with NIST PQC Standards (FIPS 203/204/205), NIST SP 800-57 Key Management, FIPS 140-3 Cryptographic Modules, inherited provider infrastructure controls audited under SOC 2 Type II and ISO 27001 programs, and PCI-DSS 4.0.1 cryptographic assessment requirements. We also provide CMMC preparation services for defense contractors.

What security clearances do Qtonic Quantum team members hold?

Qtonic Quantum maintains background-checked, NDA-bound personnel with segregation of duties across assessment phases. Prior clearance and leadership background details are provided during procurement review when required.

What documentation is available for procurement review?

Available for procurement review under mutual NDA: cloud provider SOC 2 Type II reports, Qtonic Quantum infrastructure security assessment summary, completed security questionnaires (SIG Lite, CAIQ, custom), sample Master Services Agreement (MSA), sample Statement of Work (SOW), and Certificate of Insurance.

Trust Center for methodology, controls, and procurement proof

Frameworks mapped and Zoho Corporation-held inherited controls

NIST mapped FIPS 203/204/205 mapped Zoho SOC 2 inherited Zoho ISO 27001 inherited CMMC preparation

Azure Marketplace procurement path

Methodology, control boundaries, anonymized artifacts, and procurement proof for teams evaluating Qtonic Quantum without public brand marks or disclosed commercial terms.

Security Practices

✓Assessment data protected in transit and at rest using approved controls for the engagement environment
✓Data retained per engagement contract terms, securely deleted upon completion
✓Dedicated assessment environments available for scoped enterprise engagements
✓Boundary-controlled handling defined in the engagement plan
✓Air-gapped assessment option available where the approved architecture requires it

Framework Alignment

✓NIST PQC Standards (FIPS 203/204/205 — ML-KEM, ML-DSA, SLH-DSA)
✓NIST SP 800-57 Key Management, FIPS 140-3 Cryptographic Modules
✓Inherited infrastructure controls from audited cloud providers (SOC 2 Type II, ISO 27001)
✓CMMC preparation services for defense supply chain
✓PCI-DSS 4.0.1 cryptographic assessment requirements

Personnel Security

✓Background-checked assessment teams
✓NDA-bound personnel on every engagement
✓Prior clearance and leadership background details provided during procurement review when required
✓Continuous security awareness training
✓Segregation of duties across assessment phases

Enterprise Authentication

✓Enterprise SSO integration planning available for approved deployments
✓Identity-provider compatibility reviewed during enterprise configuration (for example Okta, Azure AD, or Google Workspace)
✓Role-based access controls available for configured multi-user teams
✓Provisioning workflows supported for approved enterprise configurations
✓Contact our team to review identity architecture and deployment scope

Assessment Methodology

✓Standards-based: NIST SP 800-57, FIPS 140-3, NIST IR 8547
✓CVSS 3.1 vulnerability scoring with quantum-specific extensions
✓Automated cryptographic inventory (70 detection modules)
✓Analyst-reviewable validation of critical and high-risk findings
✓Public artifact language mapped to NIST CSF 2.0, CMMC 2.0, FIPS 203/204/205, and procurement-control families
✓Reproducible results with documented evidence chains

Data Handling

✓Assessment artifacts stored in encrypted, access-controlled repositories
✓Client data never used for training, marketing, or secondary purposes
✓Data residency: US-only option available
✓Secure deletion documentation available upon engagement close
✓Security events handled under documented incident-response procedures and contract-defined notification terms

Available for Procurement Review

✓Cloud provider SOC 2 reports (procurement review under mutual NDA)
✓Third-party infrastructure security assessment summary
✓Completed security questionnaire (SIG Lite, CAIQ, custom)
✓Sample Master Services Agreement (MSA)
✓Sample Statement of Work (SOW)
✓Certificate of Insurance

Penetration Testing

✓Last external assessment: Q1 2026
✓Next scheduled assessment: Q3 2026
✓Annual third-party penetration testing program
✓Findings tracked to closure with evidence

Architecture & Data Flow

The Qtonic Quantum platform is three governed stages: QScout identifies cryptographic debt, QStrike validates forward-threat exposure, and QSolve sequences remediation. Each stage produces signed, reproducible artifacts that the customer can verify independently.

Stage 1 · QScout
Scan → Evidence Bundle
Passive external collection produces a cryptographic inventory, HNDL exposure map, and CVSS-3.1 findings. Evidence is hashed and stored in access-controlled repositories.
Stage 2 · QStrike
Evidence Bundle → Signed Proof
Digital-twin validation and forward-threat demonstration generate a reproducible proof record. Every proof is canonicalized and signed by Talon before release.
Stage 3 · QSolve
Signed Proof → Customer Consumption
Customer receives signed proof artifacts, prioritized migration plan, and an evidence chain that is verifiable end-to-end without a return visit.

Data in transit: TLS 1.2+ for all customer-facing channels. Internal service-to-service traffic is authenticated and authorized per deployment architecture.
Data at rest: AES-256 encryption. Scan artifacts, evidence bundles, and signed proofs are stored in access-controlled repositories. Retention is contract-defined (default 90 days post-engagement).

Signed-Artifact Pipeline

Every QStrike proof is cryptographically signed before release. The customer — and any third party the customer shares the artifact with — can verify the signature independently using the published public key and evidence chain.

Signing scheme

ML-DSA-65 validation workflow (NIST FIPS 204) is implemented in Talon; public score-signing rollout remains staged.
Proof records are canonicalized before signing so the signed bytes match across machines, timezones, and runtimes.
Signature, public key identifier, and hash are included in every proof artifact so a downstream CISO can verify without contacting us.

What a customer can verify

Integrity: the proof has not been modified since signing.
Provenance: the proof was produced by the Qtonic Quantum platform with a key we control.
Reproducibility: the canonical input is recorded so the hash chain can be reconstructed from source evidence.

Key-rotation procedures, signing-key custody, and detailed cryptographic assurance documentation are available under NDA.

Threat Model

The Qtonic Quantum platform has a bounded, stated scope. This section is published so enterprise security teams can evaluate fit without a sales call.

In scope (what Qtonic Quantum protects against)

Harvest-now-decrypt-later (HNDL) exposure across external and approved internal cryptographic surface.
Credential- and certificate-related cryptographic debt (weak algorithms, deprecated TLS, static-key patterns).
Supply-chain cryptographic migration errors discovered by CBOM inventory.
PQC transition misconfigurations, including hybrid-suite errors and premature deprecation.

Out of scope (not covered by this platform)

Physical security of customer facilities.
Customer-side operating-system hardening and endpoint management.
Denial-of-service protection for customer infrastructure.
Non-cryptographic application vulnerabilities (injection, authorization, business-logic flaws) — these require a different class of tooling.

Security Posture (Live)

Security posture on this site is inspectable directly from your browser. The controls below are enforced in production and re-validated on every release through continuous brand-lint and CSP-drift CI gates.

HTTPS & HSTS: HSTS preload enforced. All HTTP requests redirect to HTTPS; TLS 1.2+ only.
Content Security Policy: CSP is generated from a single source of truth and verified on every commit. Drift is blocked at pre-commit.
Cross-Origin policies: COOP same-origin and CORP same-origin by default, with narrow carveouts documented in the CSP SSoT.
CSP reporting: Violations are reported to /api/csp-reports. Aggregated reports are reviewed on a scheduled cadence. Frame embedding is governed by CSP frame-ancestors; X-Frame-Options is not the source of truth for the press allowlist.

Continuous brand-lint and CSP-drift CI gates keep the published posture aligned with the source of truth across every deploy.

Governance & Diligence

Enterprise and regulated-industry buyers verify corporate identity, legal structure, and diligence readiness before purchase. Detailed registry credentials are shared during diligence rather than published on the public site.

Entity: Qtonic Quantum Corp — Florida C-corporation
Headquarters: Miami, FL
R&D: Be’er Sheva, Israel
Diligence readiness: Registration details and supporting documentation are available during mutual diligence.
Engagement artifacts: Security questionnaires and supporting evidence are shared in the buyer review lane.

Public Proof Standards

Public trust proof on this site stays deliberately narrow: no named organizations, no brand marks, no identifiable ranges, and no outcome claims that require a buyer to infer private source material.

Public-release rule

Buyer-reviewed references, controlled metrics, signed diligence artifacts, and commercial terms stay in the procurement lane. The public site publishes methodology, control boundaries, Azure Marketplace availability, and evidence-handling standards.

Methodology before metrics

Public pages can describe how evidence is produced, what control family it supports, and how artifacts are verified. Customer-specific ranges and names stay out of public circulation.

Sector framing without fingerprints

Sector examples may remain broad enough to preserve buying context, but they must not narrow to a unique customer, unique deployment, or a traceable operating profile.

Diligence lane for proof

Named references, signed outputs, questionnaire responses, and controlled ranges move through procurement review, not anonymous public page copy.

Azure Marketplace path

Azure Marketplace is a procurement route for governed QScout delivery. Public pages can link the path while private-offer terms remain outside public copy.

Alignment & Review

Detailed alignment references and review terms for buyers performing deeper diligence. These pages document scope, limitations, and access paths.

CNSA 2.0 Alignment

Algorithm suite mapping, migration timeline awareness, and scope limitations relative to NSA CNSA 2.0 guidance.

Security Questionnaire

Control mapping, DPA template, architecture overview, and penetration test summary for procurement diligence.

Independent Review Terms

Review scope, reviewer qualifications, exclusion boundaries, and current program status for independent methodology assessment.

Compliance & Attestations

Attestation documents, platform-control matrices, standards mappings, and program status are available on request under mutual NDA. Selected provider-backed infrastructure certifications and the Azure Marketplace procurement path are listed for buyer review.

Email compliance@qtonicquantum.com Contact form

Certifications & Attestations

Current and in-progress security certifications, inherited-control boundaries, and compliance attestations used during enterprise diligence.

SOC 2 Type II: In progress (target Q4 2026)
ISO 27001: Inherited via cloud provider; dedicated organizational certification planned post-SOC 2.
PCI-DSS: Assessment methodology aligned with PCI-DSS 4.0.1 cryptographic requirements.
CMMC: Preparation services available; deliverables map to NIST 800-171 and applicable NIST 800-53 controls.

Data Handling & Retention

How scan data is protected, stored, and deleted.

Encryption at rest: AES-256. All scan artifacts, evidence bundles, and signed proofs are stored in encrypted, access-controlled repositories.
Encryption in transit: TLS 1.2+ for all customer-facing channels. Internal service-to-service traffic is authenticated per deployment architecture.
Retention — L0: 90 days from scan completion, then securely deleted.
Retention — L2 / L3: 1 year default, extendable per contract terms. Secure deletion confirmation available on request.

Subprocessors

Third-party services that may process customer data as part of Qtonic Quantum operations.

✓Resend — Email delivery infrastructure (transactional and marketing emails).
✓Upstash — Serverless Redis for rate limiting, OTP storage, and session state.
✓Microsoft Azure — Cloud compute, storage, and marketplace hosting for approved deployments.

Subprocessor list updated quarterly. Notify us at trust@qtonicquantum.com for change notifications.

Data Processing Agreement

Standard contractual terms for data protection are available for review and execution.

Request DPA Template Request executed DPA

The DPA template is provided for qualified pre-sales review. An executed DPA is available for scoped engagements where data-processing terms apply.

Vulnerability Disclosure Program

We welcome responsible disclosure of security vulnerabilities.

Report vulnerabilities to:

security@qtonicquantum.com

48-hour acknowledgment
5 business day resolution timeline for critical issues
Safe harbor for good-faith research

Procurement Packet

The procurement packet separates public diligence on the Qtonic Quantum platform, scoring methodology, and validation infrastructure from procurement-review artifacts and inherited provider controls. Public materials are available now. Review-only materials are provided during scoping and procurement review under mutual NDA when required.

Open procurement packet

Security, Compliance & Trust

Qtonic Quantum protects the organizations that protect everyone else. We hold ourselves to the same standard we set for our clients.

Deployment Model

✓Zoho Cloud: Full Zoho One infrastructure with inherited compliance certifications. Default for most engagements.
✓Microsoft Azure: Azure Marketplace-hosted deployment for clients requiring Microsoft ecosystem alignment.
✓Client Environment: On-premises or client-controlled cloud deployment for scopes that require customer-managed boundaries.

Migration and export support are available subject to contract terms, security review, and deployment architecture constraints.

Data Handling

✓All data encrypted in transit (TLS 1.2+) and at rest (AES-256).
✓QScout scan results, cryptographic findings, and CBOMs are client-owned. Data-handling roles are defined by contract, deployment model, and the engagement data flow.
✓QStrike demonstrations use client-approved test vectors only. No production secrets enter the demonstration runtime.
✓Default retention: 90 days post-engagement with secure deletion confirmation.

Personnel & Operations

✓CTO David Cohen: IDF cybersecurity operations background with nation-state threat experience.
✓Executive leadership: Nation-state cyberattack response experience and external technology council participation.
✓R&D in Israel; registration details are shared during diligence when required.

Responsible Disclosure

Report security vulnerabilities to:

security@qtonicquantum.com

48-hour acknowledgment. 5 business day resolution timeline.

Request Documentation

Compliance certificates, DPA, and shared responsibility matrix available on request:

trust@qtonicquantum.com

Cloud Infrastructure Certifications

Qtonic Quantum relies on provider-held SOC 2 Type II and ISO 27001 certifications for inherited controls. The certifications below are held by the cloud provider and complement, rather than replace, Qtonic Quantum's own customer-engagement controls.

SOC Reports

SOC 1 Type II
SOC 2 Type II
SOC 2 + HIPAA

ISO 27000 Series

ISO 27001 (Information Security)
ISO 27017 (Cloud Security)
ISO 27018 (PII Protection)
ISO 27701 (Privacy Management)

Quality & Continuity

ISO 9001 (Quality Management)
ISO 9001 + WCAG (Accessibility)
ISO 22301 (Business Continuity)
GoBD (German Tax Compliance)
CST (Cloud Security Trust)

Marketplace Verification

Azure Marketplace: procurement route for scoped QScout delivery
Source: Qtonic Quantum (direct)

Certificates are issued to Zoho Corporation. Qtonic Quantum inherits these controls as a customer of Zoho's audited cloud platform.

Need Compliance Documentation?

SOC 2 reports, security questionnaire responses, and sample agreements available under mutual NDA during engagement scoping.

Open Procurement Packet

Trust Center for methodology, controls, and procurement proof

Frameworks mapped and Zoho Corporation-held inherited controls

NIST mapped FIPS 203/204/205 mapped Zoho SOC 2 inherited Zoho ISO 27001 inherited CMMC preparation

Azure Marketplace procurement path

Methodology, control boundaries, anonymized artifacts, and procurement proof for teams evaluating Qtonic Quantum without public brand marks or disclosed commercial terms.

Trust at a glance

Three procurement-relevant facts a buyer can verify without a sales call. Every claim links to an in-product source on this page.

SOC 2 boundary

Company-held attestation not claimed

Zoho Cloud SOC 2 and ISO assurance is inherited vendor evidence. It is not a Qtonic Quantum, QScout, or QStrike attestation.

Open buyer proof page

Live platform signal

Public health endpoints

Buyers can probe platform liveness without an account. We do not publish a synthetic uptime percentage until the measurement window is auditor-attested.

Lab proof health: /api/lab/health QStrike health: /api/qstrike/health

Proof signing key

qtonic-lab-proof-key-2026-03-05

Active Ed25519 public key used to sign Lab proof artifacts. Verify the published key material directly.

/.well-known/lab-proof-keys.json

Live trust feed

Public endpoints buyers can probe without an account. Each returns JSON describing proof freshness, liveness, or signed-artifact state.

Lab proof health

Latest signed proof bundle, signing key, artifact hashes, and freshness window.

/api/lab/health Lab methodology→

QStrike platform health

QStrike service liveness and last published proof timestamp.

/api/qstrike/health QStrike overview→

QScout assessment health

Public assessment health and backend proof contract for the QScout buyer flow.

/api/qscout/health QScout verification→

Demo funnel health

Public demonstration-route proof for the buyer entry surface and canonical demo target.

/api/demo/health Demo entry→

Security Practices

✓Assessment data protected in transit and at rest using approved controls for the engagement environment
✓Data retained per engagement contract terms, securely deleted upon completion
✓Dedicated assessment environments available for scoped enterprise engagements
✓Boundary-controlled handling defined in the engagement plan
✓Air-gapped assessment option available where the approved architecture requires it

Framework Alignment

✓NIST PQC Standards (FIPS 203/204/205 — ML-KEM, ML-DSA, SLH-DSA)
✓NIST SP 800-57 Key Management, FIPS 140-3 Cryptographic Modules
✓Inherited infrastructure controls from audited cloud providers (SOC 2 Type II, ISO 27001)
✓CMMC preparation services for defense supply chain
✓PCI-DSS 4.0.1 cryptographic assessment requirements

Personnel Security

✓Background-checked assessment teams
✓NDA-bound personnel on every engagement
✓Prior clearance and leadership background details provided during procurement review when required
✓Continuous security awareness training
✓Segregation of duties across assessment phases

Enterprise Authentication

✓Enterprise SSO integration planning available for approved deployments
✓Identity-provider compatibility reviewed during enterprise configuration (for example Okta, Azure AD, or Google Workspace)
✓Role-based access controls available for configured multi-user teams
✓Provisioning workflows supported for approved enterprise configurations
✓Contact our team to review identity architecture and deployment scope

Assessment Methodology

✓Standards-based: NIST SP 800-57, FIPS 140-3, NIST IR 8547
✓CVSS 3.1 vulnerability scoring with quantum-specific extensions
✓Automated cryptographic inventory (70 detection modules)
✓Analyst-reviewable validation of critical and high-risk findings
✓Public artifact language mapped to NIST CSF 2.0, CMMC 2.0, FIPS 203/204/205, and procurement-control families
✓Reproducible results with documented evidence chains

Data Handling

✓Assessment artifacts stored in encrypted, access-controlled repositories
✓Client data never used for training, marketing, or secondary purposes
✓Data residency: US-only option available
✓Secure deletion documentation available upon engagement close
✓Security events handled under documented incident-response procedures and contract-defined notification terms

Available for Procurement Review

✓Cloud provider SOC 2 reports (procurement review under mutual NDA)
✓Third-party infrastructure security assessment summary
✓Completed security questionnaire (SIG Lite, CAIQ, custom)
✓Sample Master Services Agreement (MSA)
✓Sample Statement of Work (SOW)
✓Certificate of Insurance

Penetration Testing

✓Last external assessment: Q1 2026
✓Next scheduled assessment: Q3 2026
✓Annual third-party penetration testing program
✓Findings tracked to closure with evidence

Architecture & Data Flow

Stage 1 · QScout
Scan → Evidence Bundle
Passive external collection produces a cryptographic inventory, HNDL exposure map, and CVSS-3.1 findings. Evidence is hashed and stored in access-controlled repositories.
Stage 2 · QStrike
Evidence Bundle → Signed Proof
Digital-twin validation and forward-threat demonstration generate a reproducible proof record. Every proof is canonicalized and signed by Talon before release.
Stage 3 · QSolve
Signed Proof → Customer Consumption
Customer receives signed proof artifacts, prioritized migration plan, and an evidence chain that is verifiable end-to-end without a return visit.

Data in transit: TLS 1.2+ for all customer-facing channels. Internal service-to-service traffic is authenticated and authorized per deployment architecture.
Data at rest: AES-256 encryption. Scan artifacts, evidence bundles, and signed proofs are stored in access-controlled repositories. Retention is contract-defined (default 90 days post-engagement).

Signed-Artifact Pipeline

Signing scheme

ML-DSA-65 validation workflow (NIST FIPS 204) is implemented in Talon; public score-signing rollout remains staged.
Proof records are canonicalized before signing so the signed bytes match across machines, timezones, and runtimes.
Signature, public key identifier, and hash are included in every proof artifact so a downstream CISO can verify without contacting us.

What a customer can verify

Integrity: the proof has not been modified since signing.
Provenance: the proof was produced by the Qtonic Quantum platform with a key we control.
Reproducibility: the canonical input is recorded so the hash chain can be reconstructed from source evidence.

Key-rotation procedures, signing-key custody, and detailed cryptographic assurance documentation are available under NDA.

Threat Model

The Qtonic Quantum platform has a bounded, stated scope. This section is published so enterprise security teams can evaluate fit without a sales call.

In scope (what Qtonic Quantum protects against)

Harvest-now-decrypt-later (HNDL) exposure across external and approved internal cryptographic surface.
Credential- and certificate-related cryptographic debt (weak algorithms, deprecated TLS, static-key patterns).
Supply-chain cryptographic migration errors discovered by CBOM inventory.
PQC transition misconfigurations, including hybrid-suite errors and premature deprecation.

Out of scope (not covered by this platform)

Physical security of customer facilities.
Customer-side operating-system hardening and endpoint management.
Denial-of-service protection for customer infrastructure.
Non-cryptographic application vulnerabilities (injection, authorization, business-logic flaws) — these require a different class of tooling.

Security Posture (Live)

HTTPS & HSTS: HSTS preload enforced. All HTTP requests redirect to HTTPS; TLS 1.2+ only.
Content Security Policy: CSP is generated from a single source of truth and verified on every commit. Drift is blocked at pre-commit.
Cross-Origin policies: COOP same-origin and CORP same-origin by default, with narrow carveouts documented in the CSP SSoT.
CSP reporting: Violations are reported to /api/csp-reports. Aggregated reports are reviewed on a scheduled cadence. Frame embedding is governed by CSP frame-ancestors; X-Frame-Options is not the source of truth for the press allowlist.

Continuous brand-lint and CSP-drift CI gates keep the published posture aligned with the source of truth across every deploy.

Leadership Credibility

Our leadership team brings operational experience from the NSA, CISA, USAF Global Strike Command, CIA, DIA, Intel, JPMorgan Chase, Microsoft, and Bank of America. Full roster, backgrounds, and credentials on the leadership page.

Credibility signals reflect prior public-sector or enterprise roles. Current affiliations and full credentials are listed on the leadership page.

Governance & Diligence

Entity: Qtonic Quantum Corp — Florida C-corporation
Headquarters: Miami, FL
R&D: Be’er Sheva, Israel
Diligence readiness: Registration details and supporting documentation are available during mutual diligence.
Engagement artifacts: Security questionnaires and supporting evidence are shared in the buyer review lane.

Public Proof Standards

Public trust proof on this site stays deliberately narrow: no named organizations, no brand marks, no identifiable ranges, and no outcome claims that require a buyer to infer private source material.

Public-release rule

Methodology before metrics

Public pages can describe how evidence is produced, what control family it supports, and how artifacts are verified. Customer-specific ranges and names stay out of public circulation.

Sector framing without fingerprints

Sector examples may remain broad enough to preserve buying context, but they must not narrow to a unique customer, unique deployment, or a traceable operating profile.

Diligence lane for proof

Named references, signed outputs, questionnaire responses, and controlled ranges move through procurement review, not anonymous public page copy.

Azure Marketplace path

Azure Marketplace is a procurement route for governed QScout delivery. Public pages can link the path while private-offer terms remain outside public copy.

Alignment & Review

Detailed alignment references and review terms for buyers performing deeper diligence. These pages document scope, limitations, and access paths.

CNSA 2.0 Alignment

Algorithm suite mapping, migration timeline awareness, and scope limitations relative to NSA CNSA 2.0 guidance.

Security Questionnaire

Control mapping, DPA template, architecture overview, and penetration test summary for procurement diligence.

Independent Review Terms

Review scope, reviewer qualifications, exclusion boundaries, and current program status for independent methodology assessment.

Compliance & Attestations

Email compliance@qtonicquantum.com Contact form

Certifications & Attestations

Current and in-progress security certifications, inherited-control boundaries, and compliance attestations used during enterprise diligence.

SOC 2 Type II: In progress (target Q4 2026)
ISO 27001: Inherited via cloud provider; dedicated organizational certification planned post-SOC 2.
PCI-DSS: Assessment methodology aligned with PCI-DSS 4.0.1 cryptographic requirements.
CMMC: Preparation services available; deliverables map to NIST 800-171 and applicable NIST 800-53 controls.

Data Handling & Retention

How scan data is protected, stored, and deleted.

Encryption at rest: AES-256. All scan artifacts, evidence bundles, and signed proofs are stored in encrypted, access-controlled repositories.
Encryption in transit: TLS 1.2+ for all customer-facing channels. Internal service-to-service traffic is authenticated per deployment architecture.
Retention — L0: 90 days from scan completion, then securely deleted.
Retention — L2 / L3: 1 year default, extendable per contract terms. Secure deletion confirmation available on request.

Subprocessors

Third-party services that may process customer data as part of Qtonic Quantum operations.

✓Resend — Email delivery infrastructure (transactional and marketing emails).
✓Upstash — Serverless Redis for rate limiting, OTP storage, and session state.
✓Microsoft Azure — Cloud compute, storage, and marketplace hosting for approved deployments.

Subprocessor list updated quarterly. Notify us at trust@qtonicquantum.com for change notifications.

Data Processing Agreement

Standard contractual terms for data protection are available for review and execution.

Request DPA Template Request executed DPA

The DPA template is provided for qualified pre-sales review. An executed DPA is available for scoped engagements where data-processing terms apply.

Vulnerability Disclosure Program

We welcome responsible disclosure of security vulnerabilities.

Report vulnerabilities to:

security@qtonicquantum.com

48-hour acknowledgment
5 business day resolution timeline for critical issues
Safe harbor for good-faith research

Procurement Packet

Open procurement packet

Security, Compliance & Trust

Qtonic Quantum protects the organizations that protect everyone else. We hold ourselves to the same standard we set for our clients.

Deployment Model

✓Zoho Cloud: Full Zoho One infrastructure with inherited compliance certifications. Default for most engagements.
✓Microsoft Azure: Azure Marketplace-hosted deployment for clients requiring Microsoft ecosystem alignment.
✓Client Environment: On-premises or client-controlled cloud deployment for scopes that require customer-managed boundaries.

Migration and export support are available subject to contract terms, security review, and deployment architecture constraints.

Data Handling

✓All data encrypted in transit (TLS 1.2+) and at rest (AES-256).
✓QScout scan results, cryptographic findings, and CBOMs are client-owned. Data-handling roles are defined by contract, deployment model, and the engagement data flow.
✓QStrike demonstrations use client-approved test vectors only. No production secrets enter the demonstration runtime.
✓Default retention: 90 days post-engagement with secure deletion confirmation.

Personnel & Operations

✓CTO David Cohen: IDF cybersecurity operations background with nation-state threat experience.
✓Executive leadership: Nation-state cyberattack response experience and external technology council participation.
✓R&D in Israel; registration details are shared during diligence when required.

Responsible Disclosure

Report security vulnerabilities to:

security@qtonicquantum.com

48-hour acknowledgment. 5 business day resolution timeline.

Request Documentation

Compliance certificates, DPA, and shared responsibility matrix available on request:

trust@qtonicquantum.com

Cloud Infrastructure Certifications

SOC Reports

SOC 1 Type II
SOC 2 Type II
SOC 2 + HIPAA

ISO 27000 Series

ISO 27001 (Information Security)
ISO 27017 (Cloud Security)
ISO 27018 (PII Protection)
ISO 27701 (Privacy Management)

Quality & Continuity

ISO 9001 (Quality Management)
ISO 9001 + WCAG (Accessibility)
ISO 22301 (Business Continuity)
GoBD (German Tax Compliance)
CST (Cloud Security Trust)

Marketplace Verification

Azure Marketplace: procurement route for scoped QScout delivery
Source: Qtonic Quantum (direct)

Certificates are issued to Zoho Corporation. Qtonic Quantum inherits these controls as a customer of Zoho's audited cloud platform.

Need Compliance Documentation?

SOC 2 reports, security questionnaire responses, and sample agreements available under mutual NDA during engagement scoping.

Open Procurement Packet

Proof And Governance

See the controls behind the certified registry

The lab tells you which solutions cleared the public bar. Trust explains the governance, documentation, control inheritance, and review posture behind that public claim so procurement and security leadership can validate it.

Review Trust Controls Back to the lab

Stay In The Journey

Lab Overview

Certified registry entry point

Certified Leaderboard

Public ranking only for strict-verified solutions

Methodology

Scoring, evidence, and publication rules

Coverage And Queue

Certified pool vs research backlog