Trust centre

Built for QSes who hold millions in commercial risk.

Plain English. Specifics in parentheses. We do not pretend to have what we do not, and we do not hide what we do.

Encryption at rest

All data on disk is encrypted with KMS-managed keys (AES-256). Applies to RDS Postgres volumes, S3 file uploads, and CloudWatch log groups. Key rotation is enabled.

Encryption in transit

TLS 1.2+ enforced on every connection. HSTS preloaded. Modern cipher suites only. Internal service-to-service traffic stays inside our VPC.

Identity and access

Sign in with Google OAuth or email magic link. Optional password if you prefer. 2FA on the roadmap. Audit log captures every change to your projects.

Data residency

Hosted in AWS eu-west-2 (London). No transfer outside the UK or EU. Data is not replicated to US-hosted Anthropic regions; AI calls go through a UK-routed proxy.

Backups and recovery

RDS automated backups daily, 30-day retention, point-in-time restore. Cross-AZ snapshot replication. Restore drill quarterly.

Vendor management

Anthropic for AI (zero data retention contractually configured). Vercel for hosting. AWS for infra. Stripe for billing. No third-party trackers, no analytics pixels in the app.

Who has access

Today, named employee access is restricted to Najiib Mahmoud (founder, AWS Community Builder). As we hire, we will publish a named-individual list with role and rationale. Production access requires SSO + MFA. We never share customer credentials or session tokens with third parties.

What we never do

  • We do not train models on your project data.
  • We do not sell, share, or rent your data.
  • We do not run third-party analytics or tracking pixels in the authenticated app.
  • We do not retain dictation audio. Transcripts are processed and discarded.
  • We do not let support agents view your project content without an in-product audit trail.

Reporting a security issue

If you find a vulnerability, please email us at security@sitequant.co.uk. We will acknowledge within one working day. We do not have a paid bug bounty yet. We will publicly credit responsible disclosures unless you ask us not to.

Data export and deletion

Your data is yours. Full export available at any time from Settings → Data. On cancellation we keep your data read-only for 90 days, then purge it. Deletion-requested-and-completed certificates available on request.

Compliance, honestly

We are early. We are not going to print badges we have not earned. Here is what we are working on, with status.

  • SOC 2 Type II: In progress with our auditor
  • ISO 27001: On the roadmap
  • UK GDPR: Compliant
  • Cyber Essentials: Targeting Q3 2026

Need a vendor questionnaire?

Email us with your security review form and we will turn it around in two business days.

Email security@sitequant.co.uk