GDPR ready
Data Processing Agreement on request. EU subject rights honored end-to-end.
SOC 2 in progress. Tenant isolation by design. Your data is yours.
Last updated April 11, 2026
Where we stand right now
Verifiable status of every claim on this page.
Status
99.9% uptime target. Live status at status.qone.work.
Data Processing Agreement on request. EU subject rights honored end-to-end.
TLS 1.3 for all client traffic. mTLS for internal service-to-service.
AES-256 on all persistent storage (Postgres, Redis, object storage).
Per-tenant query scoping enforced at the ORM + connection level. RLS in defense-in-depth mode.
Inputs to OpenAI / Anthropic are never used for model training. BYOK available on Business.
Every admin action recorded. 12-month retention on paid plans. Export to your SIEM via API.
Point-in-time recovery up to 7 days. Daily encrypted off-region backups.
Audit in progress. Annual independent attestation by Q3 2026.
TOTP-based 2FA available for all paid plans. SSO required workspaces enforce 2FA at the IdP.
Business plan. Tested with Okta, Google Workspace, Azure AD, and generic SAML 2.0.
Not currently certified. Most controls already in place — audit on roadmap for 2026.
Not in scope. Qone is not designed to store Protected Health Information.
Data residency
Default region today. EU residency available on Business plan from Q3 2026.
AWS Singapore (ap-southeast-1) — production database, app servers, daily encrypted backups.
Available on the Business plan from Q3 2026 — AWS Frankfurt (eu-central-1). All processing stays in-region.
Inference via OpenAI and Anthropic under zero-data-retention contracts. Your tickets are never used for training.
Live uptime, last 30 incidents, and current degradations.
Subprocessors
Every vendor in the data path, what they do, where they store data, and our DPA link.
| Subprocessor | Purpose | Location | DPA |
|---|---|---|---|
| AWS (RDS, EC2) | Hosting (RDS Postgres, EC2) | AWS · ap-southeast-1 | Yes |
| Cloudflare | CDN, edge cache, WAF | Global edge | Yes |
| OpenAI | LLM inference for AI agents | United States | Yes · no training |
| Anthropic | LLM inference for AI agents | United States | Yes · no training |
| Resend | Transactional email delivery | United States | Yes |
| Slack | Slack integration messaging | United States | Per Slack DPA |
| Paddle | Subscription billing & tax | United States | Yes |
| Sentry | Error monitoring | United States | Yes · PII scrubbed |
| PostHog | Product analytics | United States | Yes |
Found a vulnerability?
We work with security researchers in good faith. No legal action against research that follows the rules below.
Send details to [email protected]. PGP key available on request.
First reply within one business day, every time. No exceptions.
Critical issues fixed within 7 days. Full SLA tracked here.
We credit researchers (with consent) on this page.
We respond to security inquiries within one business day.
Contact security team →