Our Security Pillars
Encryption Everywhere
TLS 1.2+ in transit, AES-256 at rest. Secrets and keys managed via cloud KMS with rotation.
Zero-Trust Access
Role-based access control, MFA enforced, principle of least privilege, and session monitoring.
Hardened Infrastructure
Deployed on AWS, Azure, and GCP with VPC isolation, WAF, and continuous vulnerability scanning.
Secure SDLC
Threat modeling, SAST/DAST, dependency scanning, and peer code review on every change.
Responsible AI
Guardrails against prompt injection, data leakage, and model abuse. Output review and bias testing.
Continuous Auditing
Centralized logging, immutable audit trails, and regular third-party penetration testing.
Data Protection
Encryption
All client data is encrypted in transit (TLS 1.2 or higher) and at rest (AES-256). Database-level encryption, field-level encryption for sensitive attributes, and encrypted backups are standard.
Data Residency & Segregation
Client data is logically segregated and, where required, stored in a specific geographic region to meet data-residency obligations (e.g., India, EU, US). We support dedicated single-tenant deployments for regulated workloads.
Backups & Disaster Recovery
Automated encrypted backups with versioning and defined Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO). DR procedures are tested annually.
Access Control
- Multi-factor authentication (MFA) enforced for all QARC TECH personnel accessing production or client systems.
- Role-based access control (RBAC) with least-privilege defaults.
- Just-in-time access for sensitive operations, with approval workflows and time-bound tokens.
- Access reviews conducted quarterly; offboarding revokes all access within one business day.
Secure Development Lifecycle
- Threat modeling for new features and architecture changes.
- Static (SAST) and dynamic (DAST) application security testing in CI/CD.
- Software composition analysis (SCA) for third-party dependencies.
- Mandatory peer code review and signed commits on protected branches.
- Secrets scanning to prevent credential leaks.
AI & Model Security
Our AI engagements incorporate defenses against emerging threats:
- Prompt injection defense — input sanitization, allowlists, and adversarial testing.
- Data leakage prevention — isolation between tenants, no training on client data without written consent.
- Output moderation — content filters, hallucination detection, and human-in-the-loop for sensitive workflows.
- Model provenance — only deploy vetted, documented, and versioned models; maintain model cards and risk assessments.
- Bias & fairness testing — baseline evaluations across demographic slices before production release.
Incident Response
We maintain a documented Incident Response Plan with defined severity levels, escalation paths, and a 24-hour acknowledgement SLA for critical incidents. Clients are notified of any confirmed security incident impacting their data within the timeframes required by applicable law.
Compliance & Frameworks
QARC TECH aligns its security program with:
- ISO/IEC 27001 — Information Security Management
- SOC 2 Type II control objectives
- NIST Cybersecurity Framework (CSF)
- OWASP ASVS & Top 10
- GDPR, DPDP Act 2023 (India), CCPA (where applicable)
Formal certification status and audit reports are available to enterprise clients under NDA.
Vulnerability Disclosure
We welcome responsible reports of security issues. If you believe you've found a vulnerability, please email security@qarctech.com with:
- A detailed description of the issue and steps to reproduce.
- The affected URL, endpoint, or component.
- Your contact information (optional but helpful).
We commit to acknowledging valid reports within 3 business days and will work with researchers in good faith. Please do not publicly disclose issues before we've had a reasonable chance to investigate and remediate.
Contact Security
Security Team — QARC TECH
Email: security@qarctech.com
PGP key available on request.