Security engineered into the operating system.

Quantos is built around the assumption that operational intelligence must remain attributable, reviewable, and contained within the authorised environment. Controls are selected to preserve confidentiality, integrity, availability, traceability, and institutional accountability.

Quantos is positioned above existing systems as a closed-loop decision-control layer. Its security architecture is designed to preserve separation between identity, tenant context, data ingestion, execution, evidence, and administrative control.

Trust boundary

Each customer deployment is governed by a defined environment boundary, approved integrations, authorised identities, and explicit data flows.

Tenant context

Platform operations are bound to an authorised tenant or system identity. Tenant context is treated as a required execution condition rather than an optional application parameter.

Execution control

Jobs, workers, scheduled tasks, and internal control functions are designed to execute through explicit identities, approved queues, and auditable orchestration paths.

Evidence plane

Security-relevant and operationally significant events are recorded to support traceability across signal, decision, action, outcome, scoring, learning, and correction.

Deployment profiles

Depending on the engagement, Quantos may be deployed in managed cloud infrastructure, a customer-controlled private environment, or an isolated air-gapped environment.

Human and machine access is governed through identity, role, purpose, and environment. Administrative capability is separated from ordinary use, and access changes are expected to follow controlled provisioning and removal processes.

• Strong authentication. Administrative access uses strong credential controls and, where supported by the deployment environment, multi-factor authentication.
• Role-based authority. Access is assigned according to approved responsibilities and restricted to the functions and data required for that role.
• Machine identity. Internal services, scheduled jobs, and system functions are expected to operate through explicit service or system identities rather than anonymous execution.
• Lifecycle control. Access provisioning, review, modification, and removal are handled through controlled processes intended to reduce stale, excessive, or orphaned privileges.
• Privileged access accountability. Elevated operations are restricted and logged according to the capabilities of the contracted deployment.

Quantos applies purpose limitation, data minimisation, controlled ingestion, tenant-aware execution, transport security, and environment-appropriate storage protections.

Security is maintained through controlled change, dependency management, vulnerability handling, logging, review, and operational discipline across the software lifecycle.

• Controlled change. Production-impacting changes are expected to pass review, testing, and authorised deployment processes.
• Dependency risk. Software dependencies and platform components are monitored and updated according to operational risk and compatibility requirements.
• Vulnerability management. Identified vulnerabilities are assessed, prioritised, and remediated according to severity, exploitability, exposure, and system criticality.
• Secrets handling. Credentials, tokens, and environment secrets are kept outside public source and are managed through deployment-appropriate secret controls.
• Logging and monitoring. Security-relevant events and anomalous conditions are logged and reviewed according to the operating context and available telemetry.
• Separation of duties. Administrative, engineering, deployment, and customer responsibilities are separated where the operating model requires it.

Availability objectives and recovery controls depend on the deployment profile and contracted service level. The platform is designed to support operational continuity through controlled execution, observability, recoverable state, and environment-specific backup practices.

Security incidents are handled through a defined process intended to establish scope, contain exposure, preserve evidence, restore controlled operation, and reduce recurrence.

• Triage. Reports and alerts are assessed for authenticity, severity, affected environment, and immediate containment needs.
• Containment. Access, integrations, workloads, or affected components may be restricted to prevent expansion of the incident.
• Investigation. Available logs, system records, deployment evidence, and customer-provided information are reviewed to establish cause and impact.
• Recovery. Services are restored through controlled remediation and validation appropriate to the incident and deployment.
• Notification. Customer notification obligations, timelines, and contact paths are governed by the Customer Agreement and applicable law.
• Post-incident correction. Confirmed incidents are reviewed to identify required control, engineering, process, or operating changes.

Security outcomes depend on both Quantos controls and the customer environment. The exact responsibility boundary is documented for each engagement.

• Customer source systems. Customers remain responsible for the security, integrity, and lawful operation of systems that supply data to Quantos.
• Identity governance. Customers are responsible for approving users, roles, and access within their organisation and for timely removal of access.
• Endpoints and networks. Customer-managed endpoints, networks, identity providers, and infrastructure remain under customer control unless explicitly included in scope.
• Data authority. Customers must have lawful authority to provide data and must obtain any required notices, permissions, or consents.
• Operational response. Where human action is required, customers remain responsible for timely review, approval, and execution within their operating environment.

Security researchers and users should report suspected vulnerabilities privately and responsibly. Do not perform destructive testing, denial-of-service, social engineering, data exfiltration, persistence, or access beyond what is required to demonstrate the issue.

Report to

asheesh@getquantos.com

Include

Affected URL or component, reproduction steps, observed behaviour, potential impact, and supporting evidence.

Avoid

Public disclosure before remediation coordination, destructive activity, service disruption, privacy invasion, or accessing unrelated data.

Response

Valid reports are reviewed and acknowledged according to severity, available evidence, and operational context. Remediation timing depends on confirmed risk and affected deployment.

This page is a public description of security principles and control domains. It is not a certification, warranty, service-level commitment, or substitute for a signed agreement.

• Website scope. The public Quantos website and briefing enquiry flow are covered by website-specific controls and the published Privacy Policy.
• Platform scope. Platform commitments apply only to customer environments provisioned under a signed Customer Agreement and applicable addenda.
• Third parties. Customer-managed systems and third-party services outside Company control are not included unless expressly identified in scope.
• No absolute guarantee. No system can eliminate all security risk. Controls are applied to reduce exposure, detect misuse, preserve evidence, and support recovery.
• Intellectual property. Quantos is used in commerce by GrowthX Analytics Private Limited. The system and related inventions are protected by applicable intellectual-property rights and patent applications.
• Changes. This statement may be updated to reflect changes in architecture, controls, operating requirements, or legal obligations.