Security

Security First

Technical and organisational measures protecting your data under LGPD Art. 46 and GDPR Art. 32. Last reviewed: 20 June 2026

Our commitment to security

1. Scope and Legal Basis

This security policy describes the technical and organisational measures (TOMs) Quantivus implements to protect personal data and information assets. These measures comply with Art. 46 LGPD, Art. 32 GDPR and ISO/IEC 27001 control objectives. The policy applies to all data processed by Quantivus in connection with the website, products and services.

2. Infrastructure Security

All systems run on hardened Linux infrastructure with automated security patching, configuration management (CIS benchmarks), host-based intrusion detection (HIDS), network-based intrusion detection (NIDS), DDoS protection at the edge, and 24/7 monitoring. Infrastructure is logically segmented into production, staging and corporate networks with strict zero-trust east-west controls.

3. Encryption (in transit and at rest)

All data in transit uses TLS 1.3 with strong cipher suites (HSTS enabled, TLS 1.0/1.1 disabled). Data at rest is encrypted with AES-256-GCM. Database backups are encrypted with envelope encryption. Encryption keys are rotated at least quarterly and stored in a FIPS 140-2 Level 3 Hardware Security Module (HSM) where available.

4. Access Control

Zero-trust architecture. All access requires multi-factor authentication (TOTP or hardware key). Role-based access control (RBAC) with the principle of least privilege. Privileged access is brokered through a PAM solution with session recording. All administrative actions are logged and reviewed quarterly.

5. Security Audits and Penetration Testing

Independent third-party penetration tests at least annually. Quarterly internal red team exercises. Continuous automated vulnerability scanning of all public-facing assets. Quarterly code reviews with a security focus on critical changes. SOC 2 Type II audit (in progress, expected Q4 2026). All findings tracked in a central register with remediation SLAs.

6. Logging, Monitoring and SIEM

Centralised logging with 12 month hot retention and 24 month cold retention. SIEM with correlation rules, anomaly detection and automated alerting. Tamper-evident audit trail. 24/7 security operations centre (SOC). Alerts triaged within 15 minutes; critical incidents escalated within 5 minutes.

7. Incident Response

Documented incident response plan aligned with NIST SP 800-61. Six phases (preparation, identification, containment, eradication, recovery, lessons learned). Tabletop exercises every six months. In case of a personal data breach affecting you, we will notify the ANPD within 2 business days (LGPD Art. 48) and you within 72 hours where required by GDPR Art. 33-34.

8. Secure Software Development Lifecycle

SAST, DAST and SCA on every release. Mandatory peer review for all production code. Threat modelling for new features. Secrets managed exclusively through a vault (no secrets in code or environment files). Pre-commit secret scanning. Container images scanned for vulnerabilities. SBOM generated for every release.

9. Vendor and Third-Party Risk Management

All third-party processors undergo security and privacy due diligence before onboarding, including review of their LGPD / GDPR compliance, certifications, incident history and sub-processors. Data Processing Agreements are in place with every processor. Annual reassessment of all critical vendors.

10. Staff Training and Awareness

All employees and contractors undergo mandatory security and privacy training upon hire and annually thereafter. Phishing simulations every quarter. Secure coding training for engineers. Role-based additional training for personnel with privileged access.

11. Physical and Environmental Security

Cloud infrastructure hosted in Tier III+ data centres with 24/7 on-site security, biometric access, CCTV, redundant power and cooling. Office premises with controlled access. Clean desk policy. Secure destruction of physical media.

12. Business Continuity and Disaster Recovery

Backups tested monthly (recovery drills). Recovery Time Objective (RTO) of 4 hours and Recovery Point Objective (RPO) of 1 hour for production services. Disaster recovery site in a different geographic region. Annual full DR exercise.

13. Responsible Vulnerability Disclosure

We welcome security research and responsible disclosure. Please report vulnerabilities to security@quantivus.com with technical details and a proof of concept. Our PGP key fingerprint is published at https://quantivus.io/.well-known/security.txt. We commit to acknowledge your report within 3 business days, provide a status update within 10 business days, and credit researchers (with your consent) in our Hall of Fame. We will not pursue legal action against researchers who act in good faith and comply with our disclosure policy.

14. Contact

Security incidents and disclosure: security@quantivus.com (PGP available). General privacy: dpo@quantivus.io. We aim to respond to security reports within 3 business days.

Security researchers welcome

We value the security research community. Responsible disclosure is rewarded with acknowledgment and potential bounties.
