Trust / Security

Security posture without borrowed badges.

The security page names what is implemented, what is in beta, and which certifications QOrium does not claim yet.

Evidence posture

Transport: TLS, HSTS, and security headers
Secrets: Rotation calendar documented
Certifications: No SOC 2 or ISO badge claimed

Evidence policy

Shipped rows need evidence. Beta rows need owner and date. Roadmap rows do not masquerade as live product.

Request review pack

Evidence ledger

Control ledger

Every row has a state, evidence source, owner, and verification date so buyers can see the real posture.

Control	Status	Evidence	Owner	Verified
Transport and browser hardening	Shipped	Next.js security headers and health routes are present in the marketing app.	ARJUN	2026-06-01
Credential rotation discipline	Shipped	infra/B6-Secret-Rotation-Calendar.md defines rotation cadence and ownership.	CTO Office	2026-06-01
SSO SAML/OIDC	Beta	infra/SSO-SAML-Enterprise-Spec-v0.md exists; public badge remains off.	BHIMA	2026-06-01
Customer audit log	Beta	infra/Audit-Log-API-Spec-v0.md exists; customer-facing route remains gated.	BHIMA	2026-06-01
SOC 2 Type II	Not claimed	No certificate URL is present; QOrium does not render a SOC 2 badge.	CEO + Gatekeeper	2026-06-01
ISO 27001	Not claimed	Auditor selection is separate from this product surface; no certification claim is rendered.	CEO + Gatekeeper	2026-06-01

Architecture

QOrium separates the public marketing surface from authenticated assessment, admin, and content services.

Marketing is a public Next.js app decoupled from backend auth packages.
ReadyBank and service modules retain their own API and data boundaries.
Public pages avoid secret-backed runtime claims unless the data source is wired.

Sub-processors

Sub-processors are named by purpose and region, with buyer review before production contracts require more specificity.

AI generation providers are disclosed as AI processing sub-processors.
Email, billing, hosting, and object-storage providers are named in security copy.
New personal-data sub-processors require buyer-facing disclosure before claim expansion.

What this public surface does not claim

The page deliberately avoids proof that QOrium has not earned.

No SOC 2 badge appears without a certificate URL.
No ISO 27001 badge appears without a certificate URL.
No uptime SLA is described as contracted until a commercial tier signs it.

Sources

[1] MARKETING_SITE_360_v1.md - Phase 3 trust and method shell requirements.
[2] 09-QOrium-Constitution-v2.0.md - SO-3 quality gate discipline and SO-24 no-fiction public claims.
[3] infra/SSO-SAML-Enterprise-Spec-v0.md - Enterprise identity capability is treated as beta until deployed and verified.
[4] infra/Audit-Log-API-Spec-v0.md - Customer audit-log capability is treated as beta until deployed and verified.

Control

Status

Evidence

Owner

Verified

Transport and browser hardening

Shipped

Next.js security headers and health routes are present in the marketing app.

ARJUN

2026-06-01

Credential rotation discipline

Shipped

infra/B6-Secret-Rotation-Calendar.md defines rotation cadence and ownership.

CTO Office

2026-06-01

SSO SAML/OIDC

Beta

infra/SSO-SAML-Enterprise-Spec-v0.md exists; public badge remains off.

BHIMA

2026-06-01

Customer audit log

Beta

infra/Audit-Log-API-Spec-v0.md exists; customer-facing route remains gated.

BHIMA

2026-06-01

SOC 2 Type II

Not claimed

No certificate URL is present; QOrium does not render a SOC 2 badge.

CEO + Gatekeeper

2026-06-01

ISO 27001

Not claimed

Auditor selection is separate from this product surface; no certification claim is rendered.

CEO + Gatekeeper

2026-06-01

Architecture

QOrium separates the public marketing surface from authenticated assessment, admin, and content services.

Marketing is a public Next.js app decoupled from backend auth packages.

ReadyBank and service modules retain their own API and data boundaries.

Public pages avoid secret-backed runtime claims unless the data source is wired.

Sub-processors

Sub-processors are named by purpose and region, with buyer review before production contracts require more specificity.

AI generation providers are disclosed as AI processing sub-processors.

Email, billing, hosting, and object-storage providers are named in security copy.

New personal-data sub-processors require buyer-facing disclosure before claim expansion.