Trust & Security

Security Practices

Security is not a feature we bolt on — it is the foundation everything else is built on. As a company that integrates with our clients' most sensitive security infrastructure, we hold ourselves to the highest standard.

Last updated: April 20, 2026

Contents

  • Security Philosophy
  • Framework Alignment
  • Data Protection
  • Infrastructure Security
  • Personnel Security
  • Incident Response
  • Vendor Management
  • Contact & Reporting

Security Philosophy

We operate on a simple principle: we never ask for access we wouldn't grant ourselves. Every system we touch, every integration we build, every piece of data we process is treated with the same rigor we apply to our own critical infrastructure.

Our security program is built on three pillars:

  • Zero trust architecture — no implicit trust, verify every request, enforce least privilege at every layer
  • Defense in depth — layered controls so that no single failure compromises the whole
  • Continuous validation — automated testing, regular audits, and adversarial assessments of our own systems

Framework Alignment

We align our security controls with recognized industry frameworks. Our security program is designed from the ground up to meet these standards as we scale:

SOC 2 Type 2 (Aligned)

Trust service criteria: security, availability, confidentiality. Controls designed and implemented in alignment with AICPA standards.

ISO 27001 (Aligned)

Information security management system. Organizational and technical controls mapped to Annex A requirements.

NIST CSF (Aligned)

NIST Cybersecurity Framework. Identify, Protect, Detect, Respond, Recover — our program maps to all five core functions.

GDPR (Aligned)

EU General Data Protection Regulation. Data processing agreements, data subject rights, and international transfer safeguards in place.

Data Protection

We implement comprehensive technical and organizational measures to protect data throughout its lifecycle:

Encryption at Rest

AES-256 encryption for all stored data. Keys managed via dedicated KMS with automatic rotation.

Encryption in Transit

TLS 1.3 enforced for all communications. No exceptions for internal service-to-service traffic.

Access Controls

Role-based access with least-privilege enforcement. Just-in-time access for production systems.

Multi-Factor Authentication

Hardware security keys required for all personnel. Phishing-resistant FIDO2/WebAuthn enforcement.

Audit Logging

Immutable audit trails for all access and modifications. Centralized SIEM with real-time alerting.

Backup & Recovery

Encrypted backups with geographic redundancy. Tested recovery procedures with documented RTOs.

Infrastructure Security

Cloud architecture

  • Multi-region deployment with automatic failover
  • Infrastructure as Code (IaC) with security policy enforcement at deployment
  • Immutable infrastructure — no manual changes to production systems
  • Container security scanning and runtime protection

Network segmentation

  • Microsegmentation between all workloads
  • Zero-trust network access (ZTNA) — no VPN, no network-level trust
  • Web Application Firewall (WAF) with custom rulesets
  • DDoS protection at the edge

Vulnerability management

  • Continuous vulnerability scanning across all assets
  • Critical vulnerabilities patched within 24 hours; high-severity vulnerabilities within 72 hours
  • Annual third-party penetration testing
  • Bug bounty program for responsible disclosure

Personnel Security

  • Background checks — comprehensive screening for all personnel with system access
  • Security training — mandatory onboarding training and quarterly refreshers covering phishing, social engineering, data handling, and incident reporting
  • Least-privilege access — access granted only for the duration and scope of assigned work. Reviewed quarterly.
  • Clean desk / clean screen — enforced policies for physical and digital workspace security
  • Offboarding — immediate access revocation upon termination. Hardware return within 48 hours.
  • NDA and confidentiality — all personnel bound by confidentiality agreements covering client data

Incident Response

We maintain a documented incident response plan that is tested and updated regularly:

  • Detection — 24/7 monitoring with automated alerting for anomalous activity
  • Classification — severity-based triage within 15 minutes of detection
  • Containment — immediate isolation of affected systems to prevent lateral movement
  • Notification — affected clients notified within 72 hours of confirmed breach (sooner for critical incidents)
  • Eradication & recovery — root cause analysis, remediation, and verified restoration
  • Post-incident — blameless retrospective, process improvements, and client communication

Communication procedures

During an active incident, affected clients receive:

  • Initial notification within 72 hours of confirmation
  • Regular status updates every 24 hours (or as warranted by severity)
  • Final incident report within 30 days of resolution
  • Dedicated point of contact for questions and coordination

Vendor Management

We apply the same rigor to our supply chain that we apply to our own operations:

  • Risk assessment — security evaluation before onboarding any third-party service
  • Contractual requirements — data processing agreements, security SLAs, and breach notification obligations
  • Ongoing monitoring — annual re-assessment of vendor security posture
  • Concentration risk — avoiding single points of failure in our vendor ecosystem
  • Sub-processor transparency — maintained list of sub-processors available upon request

Contact & Reporting

Have security questions?

We take security seriously and welcome inquiries about our practices. Reach out to discuss our controls, request documentation, or report a concern.


Security questions or vulnerability reports?

For security inquiries, vulnerability disclosures, or questions about our practices, reach out to our security team.

[email protected]