Security

All traffic between your browser and Quant Auras is encrypted with TLS 1.2 or higher. We disable legacy ciphers and obsolete protocols (SSL 3, TLS 1.0/1.1) at the CloudFront edge.

Data at rest is encrypted with AES-256:

• RDS PostgreSQL — KMS-managed encryption.
• S3 buckets — SSE-KMS for user uploads and backups.
• EBS volumes (EC2 worker instances) — encrypted by default.
• Redis — TLS-only on the wire; no sensitive PII persisted.

We protect accounts with industry-standard practices:

• Argon2id password hashing (memory-hard, salted per user).
• Short-lived JWT access tokens with explicit revocation lists per user.
• Optional Google Sign-In with verified JWKS; the client secret never leaves the backend.
• OTP-based password reset (single-use, time-limited).
• Sign-up and password-reset are rate-limited per IP to prevent automated abuse.

The platform runs on AWS in audited regions (us-east-1, eu-north-1):

• Compute on EC2 behind security groups that allow only required ports.
• Database isolated in a private subnet with no public address.
• Secrets stored in AWS Secrets Manager — never in the codebase or env files at rest.
• Daily automated backups with point-in-time recovery for PostgreSQL.
• Multi-AZ deployment for high availability of the database tier.

We continuously monitor security signals:

• CloudWatch alerts on suspicious sign-in patterns and elevated error rates.
• Sentry for application-level errors with PII scrubbing enabled.
• Audit logging on all admin actions and authentication events.
• On-call rotation with a documented incident-response playbook.

Access to production systems is strictly limited:

• Engineers authenticate via SSO with mandatory two-factor.
• Just-in-time temporary credentials — no long-lived production keys.
• Audited break-glass procedure for emergency access.
• Customer data is queried only with a documented support ticket; queries are logged.

If you discover a security issue, please report it responsibly:

• Email security@quantauras.com with a description and reproduction steps.
• We acknowledge within 24 hours and provide a fix or status update within 7 days for confirmed issues.
• We won't pursue legal action against good-faith researchers who follow this policy.
• Public disclosure: please give us 90 days from acknowledgement before publishing.

We align with widely accepted security frameworks and applicable laws:

• Saudi Personal Data Protection Law (PDPL).
• EU General Data Protection Regulation (GDPR).
• OWASP Top 10 — addressed in our application security reviews.
• PCI-DSS — payment card data is processed entirely by Stripe and never touches our servers.

Even the best security depends on user hygiene:

• Use a strong, unique password for your Quant Auras account.
• Sign out from shared devices.
• Verify the URL is quant-auras.com before entering credentials.
• Report suspicious emails claiming to be from Quant Auras to security@quantauras.com.