Legal
Security
How we protect customer data and support enterprise security reviews.
Overview
Security is a core requirement. QUOTA is designed for modern teams with secure-by-default architecture, least-privilege access, encryption, and operational controls.
This page is a high-level overview. More detailed materials (questionnaires, architecture summaries, supporting evidence) may be available where appropriate, including under NDA.
- Defense in depth
- Least privilege
- Encryption
- Operational controls
Data protection and encryption
We use encryption in transit (TLS) for communications with the Service. We also use encryption at rest where appropriate for stored data and backups.
Access to sensitive systems is restricted and monitored. Production access is limited to authorized personnel and role-based permissions.
- TLS in transit
- Encryption at rest
- Restricted production access
Identity and access control
We implement role-based access controls (RBAC) and apply the principle of least privilege. Administrative actions are restricted and logged.
Where enterprise requirements apply, we support secure authentication patterns (including SSO/SAML in enterprise deployments) and account lifecycle controls (including SCIM where applicable).
- RBAC
- Least privilege
- Admin audit logging
- SSO/SAML (enterprise)
- SCIM (enterprise)
Network security and Cloudflare
We protect public endpoints with modern security controls and continuous monitoring to reduce risk from common web threats.
We use Cloudflare for edge protection such as DDoS mitigation, WAF rules, and traffic filtering for public-facing services.
- DDoS mitigation
- WAF protections
- Traffic filtering
- Monitoring
Application security
We follow secure development practices and reduce risk through code review, dependency management, and security testing where appropriate.
We monitor and address vulnerabilities in third-party libraries and our own components, prioritizing fixes based on severity and exposure.
- Secure SDLC
- Vulnerability management
- Timely patching
Audit logging and monitoring
We maintain operational logging to support incident detection, troubleshooting, and auditability. Access to logs is controlled.
We monitor for suspicious activity and implement alerting to enable rapid triage and response.
- Operational logs
- Security alerts
- Log access controls
Incident response
We maintain an incident response process designed to detect, triage, contain, and remediate security events.
For customers, we provide communications aligned to contractual requirements, including reasonable notification timelines and post-incident review where appropriate.
- Triage and containment
- Customer communications
- Post-incident review
GDPR and privacy
We support GDPR-aligned practices and can provide a Data Processing Addendum (DPA) where required.
Customers control the data submitted to the Service and are responsible for having appropriate rights, notices, and legal bases to process personal data through the Service.
- GDPR-aligned practices
- DPA available
- Customer data control
Assurance (in corso) e trasparenza verso il procurement
We do not claim certifications we have not obtained. Our priority is building a strong, documented, and verifiable security program: policies, controls, operational evidence, and review processes.
During vendor/security review we can share, where appropriate and under NDA, supporting materials (architecture overview, questionnaires, control descriptions, and assurance roadmap).
- Security pack (su richiesta)
- Questionari procurement
- Evidenze e documentazione
- Roadmap assurance
Contact and security review
If your team requires a security questionnaire, architecture overview, or vendor assessment, contact us and we will coordinate the review process.
For security inquiries: hello@quota.training.
- Questionnaire support
- Vendor assessments
- Contact: hello@quota.training
See QUOTA in action
Book a demo with the team
We’ll walk through live simulation, scoring, and gamification for your use case.