Skip to content
QUBICON.AIAim Beyond Horizon

Security

Security & compliance, stated honestly

How we protect your data and your learners — the controls that are live today, and a straight account of what's still on the roadmap.

Data protection

Your data, protected end to end

Encryption, least-privilege access and regional processing with lawful-transfer safeguards.

Encryption everywhere

  • TLS 1.2+ for all data in transit
  • AES-256 encryption for data at rest
  • Secrets held in a managed vault, never in source

Least-privilege access

  • Role-scoped access to production systems
  • Access granted on need, reviewed regularly
  • Administrative actions are logged and attributable

Regional processing

  • EU, US and India processing regions
  • Standard Contractual Clauses for cross-border transfers
  • Data-residency options for regulated engagements

Application security

Hardened at every layer

Defensive defaults in the browser, in the API and in the database — plus a payment path that keeps card data off our systems.

Hardened by default

  • Content-Security-Policy and HSTS enforced
  • HTTP-only, signed session cookies
  • Rate limiting on authentication and API surfaces

Safe data handling

  • Parameterised queries — no string-built SQL
  • Server-side input validation and output encoding
  • Dependency and vulnerability monitoring

No card data stored

  • Payments processed by Razorpay
  • Card details never touch our servers
  • PCI-DSS scope handled by the payment provider

Access & identity

Enterprise-grade access control

Single sign-on, role-based permissions and audit logging so the right people have exactly the access they need.

Enterprise identity

  • SSO / SAML available on Enterprise & Government engagements
  • SCIM provisioning for automated joiner/leaver flows
  • Session and device controls for admins

Role-based access

  • RBAC across learner, manager and admin roles
  • Granular permissions for analytics and exports
  • Separation of duties for sensitive actions

Audit logging

  • Security-relevant events are recorded
  • Admin and access changes are traceable
  • Logs available to enterprise customers on request

Compliance posture

Where we actually stand

We publish an honest status for each control. SOC 2 Type II is in progress — a roadmap item, not a claim of attestation we don't hold.

ControlStatus
Encryption in transit & at restLive
Least-privilege production accessLive
CSP / HSTS / signed sessionsLive
Rate limiting & input validationLive
GDPR-aligned processingLive
Data Processing Agreement (DPA)On request
SSO / SAML & SCIMOn request
Subprocessor listOn request
SOC 2 Type II attestationIn progress
Penetration-test summaryOn request

“In progress” means an active roadmap item, not an achieved certification. “On request” means the artefact is available to qualified prospects and customers under NDA. Our subprocessor list and DPA are shared as part of the trust pack.

Responsible disclosure

Found something? Tell us

We welcome good-faith security research. Report a vulnerability and we'll acknowledge it and work with you on a fix.

Report a vulnerability

Email security@qubiconai.com with details and reproduction steps. Please give us reasonable time to remediate before any public disclosure.

Contact security

Start today

Request our security pack

Security overview, DPA, subprocessor list and our compliance roadmap — shared with your team under NDA.