Currently in private beta.
Trust

Built for teams that take security seriously

SOC 2 in progress. Tenant isolation by design. Your data is yours.

Last updated April 11, 2026

Where we stand right now

Verifiable status of every claim on this page.

7
Implemented
1
In progress
2
Planned
2
Not in scope

Status

System status

99.9% uptime target. Live status at status.qone.work.

Done

GDPR ready

Data Processing Agreement on request. EU subject rights honored end-to-end.

Done

Encryption in transit

TLS 1.3 for all client traffic. mTLS for internal service-to-service.

Done

Encryption at rest

AES-256 on all persistent storage (Postgres, Redis, object storage).

Done

Tenant isolation

Per-tenant query scoping enforced at the ORM + connection level. RLS in defense-in-depth mode.

Done

AI provider privacy

Inputs to OpenAI / Anthropic are never used for model training. BYOK available on Business.

Done

Audit logs

Every admin action recorded. 12-month retention on paid plans. Export to your SIEM via API.

Done

Backups & recovery

Point-in-time recovery up to 7 days. Daily encrypted off-region backups.

In progress

SOC 2 Type II

Audit in progress. Annual independent attestation by Q3 2026.

Planned Q3

MFA / TOTP

TOTP-based 2FA available for all paid plans. SSO required workspaces enforce 2FA at the IdP.

Planned Q4

SSO (SAML / OIDC)

Business plan. Tested with Okta, Google Workspace, Azure AD, and generic SAML 2.0.

Not certified

ISO 27001

Not currently certified. Most controls already in place — audit on roadmap for 2026.

Not in scope

HIPAA

Not in scope. Qone is not designed to store Protected Health Information.

Data residency

Where your data lives

Default region today. EU residency available on Business plan from Q3 2026.

  • Primary region

    AWS Singapore (ap-southeast-1) — production database, app servers, daily encrypted backups.

  • EU residency option

    Available on the Business plan from Q3 2026 — AWS Frankfurt (eu-central-1). All processing stays in-region.

  • AI processing

    Inference via OpenAI and Anthropic under zero-data-retention contracts. Your tickets are never used for training.

All systems operational

status.qone.work

Live uptime, last 30 incidents, and current degradations.

30 days ago99.97% uptimeToday
View status page

Subprocessors

Who we work with

Every vendor in the data path, what they do, where they store data, and our DPA link.

SubprocessorPurposeLocationDPA
AWS (RDS, EC2)Hosting (RDS Postgres, EC2)AWS · ap-southeast-1Yes
CloudflareCDN, edge cache, WAFGlobal edgeYes
OpenAILLM inference for AI agentsUnited StatesYes · no training
AnthropicLLM inference for AI agentsUnited StatesYes · no training
ResendTransactional email deliveryUnited StatesYes
SlackSlack integration messagingUnited StatesPer Slack DPA
PaddleSubscription billing & taxUnited StatesYes
SentryError monitoringUnited StatesYes · PII scrubbed
PostHogProduct analyticsUnited StatesYes

Found a vulnerability?

Responsible disclosure

We work with security researchers in good faith. No legal action against research that follows the rules below.

2

We respond within 24h

First reply within one business day, every time. No exceptions.

3

Patched within 90 days

Critical issues fixed within 7 days. Full SLA tracked here.

4

Hall of fame

We credit researchers (with consent) on this page.

Have a security question?

We respond to security inquiries within one business day.

Contact security team