Security
Security & compliance, stated honestly
How we protect your data and your learners — the controls that are live today, and a straight account of what's still on the roadmap.
Data protection
Your data, protected end to end
Encryption, least-privilege access and regional processing with lawful-transfer safeguards.
Encryption everywhere
- TLS 1.2+ for all data in transit
- AES-256 encryption for data at rest
- Secrets held in a managed vault, never in source
Least-privilege access
- Role-scoped access to production systems
- Access granted on need, reviewed regularly
- Administrative actions are logged and attributable
Regional processing
- EU, US and India processing regions
- Standard Contractual Clauses for cross-border transfers
- Data-residency options for regulated engagements
Application security
Hardened at every layer
Defensive defaults in the browser, in the API and in the database — plus a payment path that keeps card data off our systems.
Hardened by default
- Content-Security-Policy and HSTS enforced
- HTTP-only, signed session cookies
- Rate limiting on authentication and API surfaces
Safe data handling
- Parameterised queries — no string-built SQL
- Server-side input validation and output encoding
- Dependency and vulnerability monitoring
No card data stored
- Payments processed by Razorpay
- Card details never touch our servers
- PCI-DSS scope handled by the payment provider
Access & identity
Enterprise-grade access control
Single sign-on, role-based permissions and audit logging so the right people have exactly the access they need.
Enterprise identity
- SSO / SAML available on Enterprise & Government engagements
- SCIM provisioning for automated joiner/leaver flows
- Session and device controls for admins
Role-based access
- RBAC across learner, manager and admin roles
- Granular permissions for analytics and exports
- Separation of duties for sensitive actions
Audit logging
- Security-relevant events are recorded
- Admin and access changes are traceable
- Logs available to enterprise customers on request
Compliance posture
Where we actually stand
We publish an honest status for each control. SOC 2 Type II is in progress — a roadmap item, not a claim of attestation we don't hold.
| Control | Status |
|---|---|
| Encryption in transit & at rest | Live |
| Least-privilege production access | Live |
| CSP / HSTS / signed sessions | Live |
| Rate limiting & input validation | Live |
| GDPR-aligned processing | Live |
| Data Processing Agreement (DPA) | On request |
| SSO / SAML & SCIM | On request |
| Subprocessor list | On request |
| SOC 2 Type II attestation | In progress |
| Penetration-test summary | On request |
“In progress” means an active roadmap item, not an achieved certification. “On request” means the artefact is available to qualified prospects and customers under NDA. Our subprocessor list and DPA are shared as part of the trust pack.
Responsible disclosure
Found something? Tell us
We welcome good-faith security research. Report a vulnerability and we'll acknowledge it and work with you on a fix.
Report a vulnerability
Email security@qubiconai.com with details and reproduction steps. Please give us reasonable time to remediate before any public disclosure.
Start today
Request our security pack
Security overview, DPA, subprocessor list and our compliance roadmap — shared with your team under NDA.