Trust & Safety

Security

Last updated: June 2026

Security is foundational to what we do. Our APIs process biometric data on behalf of our customers — that responsibility demands rigorous, layered security controls across our infrastructure, code, and processes.

Encryption everywhere

All data in transit is encrypted with TLS 1.2 or higher. API keys are stored as HMAC-SHA256 hashes — never in plaintext. Backup data is AES-256 encrypted at rest.

Controlled data handling

Images submitted to production API endpoints may be retained for up to 30 days for operational logging and quality assurance, in isolated, access-controlled storage, then automatically deleted. Demo images are retained for up to 7 days. Processing pipelines run in isolated containers.

Access controls

Production access is restricted to authorised personnel with MFA enforced. Role-based access control (RBAC) is applied to all internal systems. Access is reviewed quarterly.

Vendor management

All sub-processors are assessed against our security requirements before onboarding. Data processing agreements are in place with all vendors who handle personal data.

Monitoring and alerting

Our infrastructure is monitored 24/7 with automated alerting for anomalous API patterns, authentication failures, and infrastructure events. Incidents are triaged within 1 hour by on-call personnel.

Security testing

We conduct annual penetration tests with independent third-party security firms. Most recent test: Q1 2026. Findings are remediated on a risk-prioritised timeline; critical findings within 72 hours.

Infrastructure

Our APIs run on European Union cloud infrastructure. Key controls include:

  • Private VPC with no direct public internet access to internal services
  • WAF (Web Application Firewall) protecting all public endpoints
  • DDoS mitigation active at the network edge
  • Automated vulnerability scanning of dependencies on every deploy
  • Infrastructure-as-code with reviewed, version-controlled configuration

API Security

  • Production API endpoints require a valid API key in the X-API-Key header. Public demo endpoints are unauthenticated but rate-limited per IP.
  • API keys can be rotated at any time from your dashboard
  • Per-key and per-IP rate limiting enforced at the network edge
  • Request payloads are validated and size-limited to prevent injection and resource exhaustion
  • Responses include standard security headers (HSTS, CSP, X-Content-Type-Options)

Data Handling

We apply a data minimisation principle throughout our systems:

  • Images submitted to production endpoints are retained for up to 30 days in isolated, access-controlled storage for operational debugging and quality assurance, then automatically deleted
  • Demo images are retained for up to 7 days, then automatically deleted
  • Face embeddings are transient — computed during processing and not persisted
  • API request logs contain only metadata (endpoint, timestamp, IP hash, response code) — never raw image data
  • Logs are automatically purged after 90 days
  • No biometric databases are built from API submissions; images are never used for model training

Responsible Disclosure

We operate a responsible disclosure programme. If you discover a security vulnerability in our Services, please report it to us confidentially. We consider in-scope: quantilence.com, our public API endpoints, and our published mobile or SDK integrations. Out of scope: third-party services, social engineering, and physical security.

Security contact

security@quantilence.com

We acknowledge reports within 24 hours, provide a triage update within 5 business days, and aim to resolve critical findings within 72 hours of confirmation. We will not pursue legal action against researchers who act in good faith, do not access user data beyond what is needed to demonstrate the vulnerability, and follow coordinated disclosure by notifying us before public disclosure.

Compliance

Our security programme is designed around recognised frameworks and regulations:

  • GDPR — data processing agreements, privacy-by-design, 72-hour breach notification procedures
  • ISO 27001 — information security management controls
  • OWASP Top 10 — addressed in our secure development lifecycle

For compliance documentation or security questionnaires, email security@quantilence.com.