Security Policy
Last Updated: February 2026
01 Data Hosting and Compliance
All client data is hosted on secure, enterprise-grade cloud infrastructure provided by our certified technology partners. Our hosting and data handling practices are designed to meet the regulatory requirements of the United Arab Emirates, the European Union (GDPR), and the Kingdom of Saudi Arabia.
For clients operating within KSA, we offer sovereign data infrastructure that ensures complete data residency within Saudi borders, in compliance with NDMO and NCA requirements.
02 Encryption and Security Controls
We implement industry-leading encryption and access control measures across all systems:
- Encryption in transit using TLS 1.2+ for all data communications.
- Encryption at rest using AES-256 for all stored data, including backups and archives.
- Multi-factor authentication (MFA) enforced for all internal access to systems and client data.
- Least-privilege access controls ensuring team members access only the systems and data required for their specific role.
03 Monitoring and Vulnerability Management
We maintain a proactive approach to security through continuous monitoring and vulnerability management:
- Continuous monitoring of all infrastructure, applications, and network traffic for anomalous or unauthorized activity.
- Patch management processes to ensure all systems are updated promptly against known vulnerabilities.
- Regular penetration testing conducted by qualified security professionals to identify and remediate potential weaknesses.
04 Incident Response
In the event of a security incident that affects client data, we are committed to prompt and transparent communication:
- Affected customers will be notified within 72 hours of confirmed incident discovery, in accordance with applicable regulations.
- Immediate containment measures will be deployed to minimize impact and prevent further exposure.
- A full post-incident report will be provided, including root cause analysis, scope of impact, and remediation actions taken.
05 Vendor and Infrastructure Security
We carefully vet all third-party vendors and infrastructure providers to ensure they meet our rigorous security standards:
- All infrastructure partners maintain ISO 27001 certification and SOC 2 Type II compliance.
- Vendor contracts include strict data protection clauses, confidentiality obligations, and regular audit rights.
- We conduct periodic reviews of vendor security practices and compliance status.
06 Shared Responsibility
Security is a shared responsibility between QuantumSpirit AI and our clients:
- Our responsibility: We secure the platform, infrastructure, AI systems, and all data processing environments under our control.
- Client responsibility: Clients are responsible for protecting their own access credentials, managing user permissions within their organization, and reporting any suspected security concerns promptly.
We provide guidance and best-practice recommendations to support clients in maintaining their security posture.
Security inquiries and incident reporting: For any security-related questions or concerns, or to report a potential vulnerability, please contact us at security@quantumspirit.ai.