Security at QRS

Last updated: April 19, 2026

Our Approach

Quantum Risk Systems, Inc. (“QRS”) builds catastrophe-risk analytics for insurance and reinsurance customers. The data we process is often used to make real underwriting and capital decisions. We treat customer data with that seriousness. Our security program is built on three ideas: (1) keep the attack surface small, (2) prove controls with evidence rather than assertions, and (3) tell customers the truth when something goes wrong.

Compliance

  • SOC 2 Type II — in progress with Vanta. Report available under NDA once issued.
  • Cyber / Tech E&O insurance — carried with Vouch Insurance Services; certificate of insurance available on request.
  • GDPR & CCPA — our Data Protection and Privacy Policy and Privacy Notice describe how we handle personal data. A Data Processing Addendum is available for customers.

Infrastructure

  • Application tier hosted on Fly.io (US regions). Production workloads run in a dedicated Fly organization with no shared administrative access.
  • Object storage on Amazon Web Services S3 (US regions) for customer data exports, backups, and static assets.
  • All data in transit is encrypted with TLS 1.2 or higher; all data at rest is encrypted with AES-256 on Fly.io persistent volumes and AWS S3 with keys managed by the respective platform.
  • Network isolation is enforced through Fly.io private networking and AWS S3 bucket policies restricting access to approved principals. Production is not reachable from the public internet except through documented, monitored ingress.
  • AWS CloudTrail provides tamper-evident audit logging for S3 access; Fly.io platform logs are retained and monitored for the application tier.

Identity and Access

  • Workforce identity is federated through Google Workspace with SSO and mandatory multi-factor authentication on every account.
  • Access to production follows least-privilege principles and is granted via time-bound, logged elevation.
  • Quarterly access reviews are documented in our Access Request Ticket and History log.
  • All production authentication events are logged and retained for at least one year.

Application Security

  • All code is hosted in GitHub with branch protection, signed commits, and mandatory peer review on production branches (including self-review with cooling-off for the single-founder stage, per our Secure Software Development Policy).
  • Static analysis, dependency scanning, and secret scanning run on every pull request via GitHub Advanced Security and Dependabot.
  • Production deploys run through GitHub Actions to Fly.io with short-lived credentials; deploys are logged and alertable.
  • Vulnerabilities are triaged and remediated on the SLAs defined in our Secure Software Development Policy (critical: 48 hours; high: 7 days).

Data Protection

  • Customer data is logically segregated by customer and by environment.
  • Backups are encrypted and retained per our Business Continuity and Disaster Recovery Policy, and tested at least annually.
  • Data deletion follows our Data Retention and Disposal Policy. Customers can request export or deletion of their data at any time.

People

  • Workforce members complete security awareness training on hire and annually thereafter, tracked through Vanta.
  • Background checks are performed for all personnel consistent with local law.
  • All personnel sign a confidentiality and IP-assignment agreement before accessing customer systems.
  • Advisors are independent contractors and do not have production access unless specifically authorized.

Incident Response

  • Our Incident Response Policy defines roles, severity classifications, communication cadence, and notification obligations.
  • We run a tabletop exercise at least annually and document the findings.
  • When an incident materially impacts customer data, we will notify affected customers in accordance with contractual terms and applicable law.
  • Service availability and incidents are posted to status.qrsrisk.com.

Vulnerability Disclosure

We welcome security research that helps keep our customers safe. Our Vulnerability Disclosure Program and safe-harbor terms are published at qrsrisk.com/security/vdp; reports go to security@qrsrisk.com. A PGP key is available on request.

Subprocessors

We use a small number of subprocessors to deliver the service. The current list, the data they process, and the region in which they operate are published at qrsrisk.com/subprocessors and updated with advance notice of additions. Material categories today:

  • Fly.io — application hosting (US regions).
  • Amazon Web Services — object storage (US regions).
  • Google Workspace — email, documents, and identity provider.
  • GitHub — source control and CI/CD.
  • Vanta — continuous compliance monitoring.
  • Gusto — payroll and HRIS for QRS personnel (does not process customer data).
  • Carta — capitalization and corporate records (does not process customer data).

Policies

Our internal policies are available to customers and prospects under NDA. The set includes:

  • Information Security Policy
  • Access Control Policy
  • Encryption Policy
  • Data Classification Policy
  • Privacy Policy
  • Data Retention and Disposal Policy
  • Incident Response Policy
  • Business Continuity and Disaster Recovery Policy
  • Secure Development Policy
  • Vendor Management Policy
  • Risk Assessment Policy
  • Change Management Policy

Contact