QLM Security Questionnaire

Per-organization API keys issued at onboarding. Keys are SHA-256 hashed before storage; plaintext keys are never persisted. Keys are passed via the Authorization: Bearer header over TLS 1.3.

The platform is an API service; authentication is via API keys, not username/password. Dashboard access (when applicable) supports SSO via SAML 2.0 on Enterprise plans, which delegates MFA to the customer's IdP.

API keys are hashed with SHA-256 before storage. No plaintext credentials are stored anywhere in the system. Database credentials and internal secrets are managed via environment variables injected at runtime through the hosting provider's secret management (Render).

Customers can rotate API keys at any time via the dashboard or API. Old keys are immediately invalidated upon rotation. We recommend rotation every 90 days and support automated rotation via API.

Each API key is scoped to a single organization. All requests are authenticated and authorized at the middleware layer before reaching any business logic. Organization-level isolation ensures no cross-tenant data access.

Enterprise plans support scoped API keys with granular permissions: read-only, write, admin. Each key can be restricted to specific endpoints (e.g., optimize-only, sessions-only).

Yes. Enterprise plans support IP allowlisting. API keys can be configured to accept requests only from specified CIDR ranges.

Each organization's data (item banks, sessions, analytics) is logically isolated via organization_id foreign keys enforced at the database query level. Row-level security ensures no cross-tenant query can return another organization's data.

No. Customer item banks, session data, and assessment results are never used to train or fine-tune any machine learning or AI model. Customer data is used solely to deliver the optimization service to that customer.

Session data is retained for 90 days from creation, then automatically purged. Item banks and organization configuration are retained until the customer deletes them or closes their account. Customers can delete all data at any time via the DELETE /v1/organizations/{id}/data API endpoint.

Yes. A DPA conforming to GDPR Article 28 requirements is available on request for all paid plans. Custom DPAs are supported on Enterprise plans.

Customer data is never shared with third parties. The only sub-processors are our infrastructure provider (Render, for hosting) and our database provider (PostgreSQL on Render). No analytics, advertising, or AI training services receive customer data.

Yes. All API traffic is encrypted via TLS 1.3. HTTPS is enforced; plaintext HTTP requests are rejected. HSTS headers are set with a one-year max-age.

Yes. All data at rest is encrypted using AES-256. This applies to the PostgreSQL database, backups, and any temporary storage. Encryption is managed at the infrastructure layer by Render.

Encryption keys for data at rest are managed by the infrastructure provider (Render) using their key management service. Keys are rotated automatically. Application-level secrets are stored as environment variables, never in source code or configuration files.

Customer-managed encryption keys are available on Enterprise plans by request. Contact security@qlm.app for details on CMEK configuration.

QLM is hosted on Render, which maintains SOC 2 Type II certification. Render's SOC 2 report is available to enterprise customers under NDA. QLM's own application-level security controls are documented in this questionnaire.

Yes. A BAA is available on the Enterprise plan. PHI handling procedures are documented, and audit controls and access logging are enabled by default for BAA-covered accounts.

Data processing occurs in the US-Oregon region only; no cross-border transfers to non-adequate jurisdictions. Data deletion API honors right-to-erasure requests within 24 hours. A GDPR-compliant DPA is available. Data minimization is practiced: we collect only the data necessary to deliver the optimization service.

Student education records are protected under organizational isolation. QLM operates as a "school official" under FERPA's school official exception when contracted by educational institutions. No student data is shared with third parties. Access logging and audit trails are maintained for all data access.

Yes. Our incident response plan covers detection, containment, eradication, recovery, and post-incident review. The plan is reviewed and updated quarterly.

Affected customers are notified within 72 hours of confirmed breach discovery, in compliance with GDPR Article 33 and HIPAA breach notification requirements. Enterprise customers with BAAs receive notification within 24 hours.

Security vulnerabilities can be reported to security@qlm.app. We acknowledge reports within 24 hours and provide status updates within 72 hours. Critical vulnerabilities are patched within 24 hours of confirmation. We maintain a responsible disclosure policy.

Yes. Third-party penetration testing is conducted annually. Automated vulnerability scanning (dependency and infrastructure) runs continuously. Results and remediation status are available to enterprise customers under NDA.

QLM is hosted on Render in the US-Oregon (us-west) region. Render provides SOC 2 Type II certified infrastructure running on AWS. No customer data leaves the US-Oregon region.

Growth plan: 99.9% uptime SLA. Enterprise plan: 99.95% uptime SLA with custom SLA terms available. Historical uptime is published on our status page.

Automated database backups run daily with 30-day retention. Point-in-time recovery is available with 1-second granularity for the previous 7 days. Backups are encrypted with AES-256 and stored in a separate availability zone.

Every API call is logged with: timestamp, organization_id, endpoint, HTTP method, response status, latency, IP address, and request ID. Logs are immutable and append-only. Sensitive request/response bodies are not logged.

Audit logs are retained for 1 year on all paid plans. Enterprise customers can configure extended retention up to 7 years for regulatory compliance. Logs are stored in append-only storage with tamper detection.

Yes. Audit logs for your organization are accessible via the GET /v1/organizations/{id}/audit-log API endpoint with filtering by date range, endpoint, and status code. Enterprise customers can also configure log export to their own SIEM via webhook.