HOME / SECURITY

Security

Last updated April 20, 2026

Security isn't something we consult on — it's how we operate. This page describes the security practices we follow for our own infrastructure, your data, and our engagements.

Infrastructure Security

Control	Implementation
Hosting	Cloudflare Pages with DDoS protection, WAF, and bot management
DNS	Cloudflare DNS with DNSSEC, proxy-enabled
TLS	TLS 1.3 minimum, HSTS enabled, certificate pinning via Cloudflare
Zero Trust	Cloudflare Zero Trust (Access + Gateway) for all internal tools
Identity	Authentik SSO with MFA enforced for all team members
Secrets	Infisical for secrets management, no secrets in code or environment files
Tunnels	Cloudflare Tunnels for all internal service exposure — no open inbound ports

Data Protection

In transit

All data transmitted between your browser and our services is encrypted with TLS 1.3. Internal service-to-service communication uses mutual TLS or encrypted tunnels.

At rest

We minimize data storage. What we do store — engagement records, contact submissions — is encrypted at rest using AES-256 via our infrastructure providers.

Access control

We follow least-privilege access. Every internal tool requires SSO authentication with MFA. Access is role-based and reviewed quarterly. No standing admin access — elevated permissions are time-bound and audited.

Engagement Security

When we access your infrastructure during an engagement:

Scoped access only — we request the minimum permissions needed for the specific engagement phase
No persistent credentials — we use temporary, scoped access tokens where possible; any credentials we receive are stored in our secrets manager and rotated after the engagement
Audit trail — all access to your systems is logged and available to you
Data handling — we don't copy your logs, alerts, or telemetry to our infrastructure. We work in your environment
Return and destroy — at engagement completion, we return all deliverables and destroy any working data within 30 days, providing written certification

Vulnerability Management

We continuously monitor our infrastructure through Cloudflare security features and Wazuh SIEM
Dependencies are scanned for known vulnerabilities in our CI pipeline
We run periodic penetration testing against our infrastructure
Critical vulnerabilities are patched within 72 hours; high within 7 days

Incident Response

If we discover a security incident affecting our infrastructure or your data:

We notify affected clients within 24 hours of confirmed impact
We provide a written incident report within 5 business days
We cooperate fully with your incident response team and any regulatory investigation

Responsible Disclosure

If you discover a vulnerability in our systems, we want to hear about it. Send details to security@quandrylabs.com. We ask that you:

Give us reasonable time to remediate before public disclosure
Avoid accessing, modifying, or deleting other users' data
Act in good faith — we won't pursue legal action against good-faith researchers

We acknowledge reports within 48 hours and aim to triage within 5 business days.

Compliance

Framework	Status
SOC 2 Type II	Planned — Q4 2026
GDPR	Compliant — see Privacy Policy and DPA
CCPA	Compliant — see Privacy Policy
ISO 27001	Planned — 2027

Contact

For security inquiries or to report a vulnerability:

Quandry Labs, Inc.
Email: security@quandrylabs.com
Attn: Security
United States