Security Statement

Last updated: 25 April 2026

This Security Statement describes the security principles and control categories applied by GrowthX Analytics Private Limited (“GrowthX”, “Company”, “we”, “us”) for the Quantos website and, where applicable, the Quantos platform in customer engagements. This page is informational. Contractual security commitments are defined only in a signed Customer Agreement and applicable addenda.

1. Scope

  • Website scope: the public Quantos website (quantos.systems) and the briefing enquiry flow.
  • Platform scope: Quantos platform environments provisioned for customers under a signed Customer Agreement.
  • Out of scope: customer-managed systems, networks, endpoints, and any third-party systems not under Company control.

2. Security Model

Quantos is designed as a deterministic, auditable system. Security controls are implemented to protect confidentiality, integrity, and availability of data, and to preserve auditability of every operation in the closed loop. Control selection and enforcement are risk-driven. Least-privilege and end-to-end traceability are treated as baseline requirements, not optional enhancements.

3. Data Minimisation and Purpose Limitation

  • Website: we collect only the information required to respond to enquiries, operate the site, and protect the service against abuse. See the Privacy Policy for details.
  • Platform (under contract): data processing is purpose-bound to delivering the contracted service. Data is not used for any other purpose without the customer’s explicit written consent.

4. Access Control

  • Administrative access is restricted to authorised personnel and managed under least-privilege principles.
  • Access is provisioned and removed through controlled processes designed to reduce orphaned or excessive privileges.
  • Where supported, elevated access is time-bound and logged to preserve accountability.
  • Authentication uses strong credential controls; multi-factor authentication is enforced for administrative access.

5. Encryption and Transport Security

  • Transport-layer encryption (HTTPS/TLS) is applied to all data transmitted between visitor browsers and our systems.
  • Where the platform stores customer data under contract, encryption-at-rest controls are applied based on architecture, storage type, and customer requirements specified in the Customer Agreement.

This statement intentionally does not name specific algorithms or configurations on a public page. Implementation details are provided under controlled disclosure during a security review with prospective or active customers.

6. Tenant Isolation

  • Customer data is isolated at the database schema level. Each tenant is provisioned in its own database schema, not as rows in a shared multi-tenant table.
  • This isolation is structural: there is no tenant_id column that an application bug could bypass. A missing filter cannot leak data because there is nothing to leak into.
  • A contamination gate at the ingestion layer rejects any write that does not carry a valid tenant-binding signature.

7. Logging, Monitoring, and Auditability

  • Security-relevant events are logged to support investigation and operational continuity.
  • We monitor for indicators of misuse, abuse, and anomalous activity consistent with operational needs and applicable law.
  • Every cycle of the closed-loop platform produces an immutable audit record of mutations, cognition events, weight adjustments, and self-corrections — queryable by time, tenant, function, or signal.
  • Retention of security logs is time-limited and aligned to security and operational requirements.

8. Vulnerability Management

  • We maintain processes to identify, prioritise, and remediate vulnerabilities affecting the website and platform.
  • Security updates are applied as part of routine maintenance or in response to emergent risk.
  • We use internal and third-party testing methods as appropriate to the risk profile and engagement context.

9. Incident Response

  • We maintain an incident response process designed to triage, contain, investigate, and remediate security incidents.
  • Where a Customer Agreement applies, customer notification obligations are defined in that agreement and applicable addenda.
  • Post-incident reviews are performed to improve controls and reduce recurrence risk.

10. Service Providers and Sub-Processing

We use a limited set of service providers to operate the website and platform, including infrastructure providers, email delivery, scheduling tools, and the visitor geolocation services described in the Privacy Policy. Providers are engaged to perform defined services and are expected to apply protections appropriate to their role. A list of platform sub-processors is available to customers under the Customer Agreement.

11. Customer Responsibilities

For platform engagements under contract, customers remain responsible for:

  • Security of their source systems, endpoints, and credential hygiene.
  • Lawful authority to provide data for processing.
  • User access management within their organisation.
  • Timely review and response to operational actions and outputs where human execution is required.
  • Capture of any consents required from their users when forwarding data to Quantos.

12. Responsible Disclosure

If you believe you have identified a security vulnerability in the Quantos website or platform, disclose it privately and responsibly. Do not publicly disclose, exploit, or attempt to exfiltrate data.

  • Report to: asheesh@getquantos.com
  • Include: the affected URL or component, steps to reproduce, potential impact, and any supporting evidence.
  • Do not: perform destructive testing, social engineering, denial-of-service, or access beyond what is necessary to demonstrate the issue.

We acknowledge valid disclosures within 5 business days and aim to remediate confirmed vulnerabilities within timeframes appropriate to severity.

13. No Guarantee

No public-facing system can guarantee absolute security. We apply controls designed to reduce risk, detect misuse, and support investigation and recovery. Nothing in this Security Statement creates a warranty or contractual obligation unless incorporated into a signed Customer Agreement.

14. Intellectual Property Notice

Quantos is a trademark used in commerce by GrowthX Analytics Private Limited. The Quantos system and related inventions are protected by patent rights and patent applications associated with Asheesh Chaturvedi, including Indian Patent Application No. 202521120016. All rights not expressly granted are reserved.

15. Changes to This Statement

We may update this Security Statement to reflect changes in controls, architecture, or operational requirements. The “Last updated” date at the top of this page reflects the most recent revision.

For customer security reviews: request a controlled security briefing. Detailed control evidence, architecture, and sub-processor information are shared under appropriate confidentiality terms. Contact asheesh@getquantos.com to begin.