Security
Last Updated: May 22, 2026
Data security and customer trust are paramount to us at QualitaX. We are committed to providing a reliable and highly available service, complete with enterprise-grade security.
Infrastructure Security
QualitaX services are hosted on infrastructure provided by leading cloud platforms, each of which maintains independent, audited security certifications:
| Provider | Role | Certifications |
|---|---|---|
| Railway | Application hosting (AI Training Sandbox) | SOC 2 Type II |
| Cloudflare | Edge network, DDoS protection, static site hosting | SOC 2 Type II, ISO 27001, PCI DSS |
| Anthropic | LLM API provider (Claude) | SOC 2 Type II |
| Cloudflare R2 | Encrypted backup storage | SOC 2 Type II, ISO 27001 |
QualitaX operates a shared responsibility model: our infrastructure providers maintain physical security, host-level isolation, and network perimeter controls. QualitaX maintains application-level security, access management, data handling procedures, and governance controls.
Network Security
QualitaX services are accessible only over HTTPS. All traffic is encrypted in transit using TLS 1.2 or higher with strong cipher suites. All API communications between QualitaX application services and third-party providers (LLM APIs, database connections, backup destinations) are encrypted in transit.
Administrative access to production systems is restricted to authorised QualitaX personnel via SSH with key-based authentication and multi-factor authentication (MFA). No shared credentials are used. Access is granted on the principle of least privilege.
Data Protection and Backup
All client data at rest is encrypted. Database backups are compressed (zstd), encrypted (age), and stored in geographically separate object storage (Cloudflare R2).
QualitaX maintains the following recovery commitments:
- Recovery Point Objective (RPO): ≤ 1 hour — in the event of data loss, no more than one hour of data would be unrecoverable.
- Recovery Time Objective (RTO): ≤ 2 hours — services would be restored within two hours of a confirmed incident.
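An RPO of one hour is an operational claim that can be checked continuously rather than only asserted: the backup schedule must not have skipped a run, and the newest backup must be no older than the RPO. The following is an added example of such a check, not QualitaX tooling. It assumes backup objects carry a UTC timestamp in their key using the assumed naming convention `db-YYYYMMDDTHHMMZ.sql.zst.age`, and that the key listing comes from the object store (for instance an R2 bucket listing); the sample listing is constructed.

```python
"""Turn the stated RPO into a monitoring check over a backup listing.

Added example, not QualitaX tooling. Assumptions: backup objects carry a UTC
timestamp in their key (assumed convention 'db-YYYYMMDDTHHMMZ.sql.zst.age'),
and the list of keys comes from the object store. SAMPLE_KEYS is constructed.
"""
import re
from datetime import datetime, timedelta, timezone

RPO = timedelta(hours=1)
# Assumed naming convention; non-matching keys (manifests, partial uploads) are ignored.
KEY_RE = re.compile(r"(\d{8}T\d{4})Z\.sql\.zst\.age$")

# Constructed sample: hourly backups 09:00-13:00 UTC plus an unrelated manifest object.
SAMPLE_KEYS = [
    "backups/db-20260522T0900Z.sql.zst.age",
    "backups/db-20260522T1000Z.sql.zst.age",
    "backups/db-20260522T1100Z.sql.zst.age",
    "backups/db-20260522T1200Z.sql.zst.age",
    "backups/db-20260522T1300Z.sql.zst.age",
    "backups/manifest.json",
]
SAMPLE_NOW = datetime(2026, 5, 22, 13, 30, tzinfo=timezone.utc)


def parse_backup_times(keys):
    """Extract UTC timestamps from backup keys, oldest first."""
    times = []
    for key in keys:
        match = KEY_RE.search(key)
        if match is None:
            continue
        stamp = datetime.strptime(match.group(1), "%Y%m%dT%H%M")
        times.append(stamp.replace(tzinfo=timezone.utc))
    return sorted(times)


def check_rpo(keys, now, rpo=RPO):
    """Return (ok, findings) for a backup listing at time `now`.

    The RPO is met only if (a) the newest backup is no older than the RPO and
    (b) the schedule has not skipped runs: consecutive backups are no further
    apart than the RPO. A fresh backup after a six-hour scheduler outage passes
    (a) alone, but the RPO was breached for that whole window.
    """
    times = parse_backup_times(keys)
    if not times:
        return False, ["no backups found"]
    findings = []
    staleness = now - times[-1]
    if staleness > rpo:
        findings.append(f"newest backup is {staleness} old, exceeds RPO of {rpo}")
    for earlier, later in zip(times, times[1:]):
        gap = later - earlier
        if gap > rpo:
            findings.append(
                f"gap of {gap} between {earlier:%Y-%m-%dT%H:%MZ} and {later:%Y-%m-%dT%H:%MZ}"
            )
    return not findings, findings


if __name__ == "__main__":
    ok, findings = check_rpo(SAMPLE_KEYS, SAMPLE_NOW)
    print("RPO met" if ok else "RPO breached", findings)
```

The gap check is the part usually missed: a dashboard that only reports "latest backup: 20 minutes ago" will show green the moment a stalled scheduler recovers, hiding the hours during which the RPO was not actually met. The RTO claim needs a different test (a timed restore drill from an encrypted R2 object), which this check does not cover.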
Where client contracts require specific data residency provisions (e.g., Canadian data sovereignty requirements), QualitaX can configure data processing and storage to meet those obligations. Such provisions are documented in the relevant Data Processing Agreement.
Authentication
Users access the QualitaX AI Training Sandbox via secure (HTTPS) connections. Passwords are never stored in plaintext; only salted, cryptographically hashed values are retained.
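"Salted, cryptographically hashed" covers a range of implementations, and the details matter: the hash must be slow and memory-hard rather than a plain SHA-256, the salt must be random and per user, and verification must be constant-time. The following is an added example illustrating that, not code from the QualitaX Sandbox; the choice of scrypt, the work factors, the record format and the `needs_rehash` policy hook are all assumptions.

```python
"""Salted password hashing with a memory-hard KDF and constant-time verification.

Added example, not QualitaX code. The page states only that stored passwords
are salted and cryptographically hashed; scrypt, the work parameters and the
record format below are assumptions chosen to illustrate the technique.
"""
import hashlib
import hmac
import os
from typing import Optional

# Assumed work factors: N=2^14, r=8, p=1 is a common interactive-login setting
# (about 16 MiB per hash). Raise them over time and rehash on successful login.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_BYTES, KEY_BYTES = 16, 32


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'scrypt$N$r$p$salt_hex$key_hex'.

    A fresh random salt per user means two users with the same password get
    different records, so a leaked table cannot be attacked with one
    precomputed dictionary. The salt argument exists only for deterministic tests.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_BYTES)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${key.hex()}"


def _parse(record: str):
    """Split a record into (n, r, p, salt, key); raises ValueError if malformed."""
    algo, n, r, p, salt_hex, key_hex = record.split("$")
    if algo != "scrypt":
        raise ValueError("unsupported algorithm")
    return int(n), int(r), int(p), bytes.fromhex(salt_hex), bytes.fromhex(key_hex)


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and parameters; compare in constant time.

    Malformed or foreign records verify as False rather than raising, so a
    corrupted row cannot become an unhandled exception on the login path.
    """
    try:
        n, r, p, salt, expected = _parse(record)
        candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                                   n=n, r=r, p=p, dklen=len(expected))
    except ValueError:
        return False
    # hmac.compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str) -> bool:
    """True if the record is weaker than current policy or unreadable.

    Call after a successful verify_password() and store hash_password() of the
    plaintext the user just presented; this upgrades old records without a reset.
    """
    try:
        n, r, p, _salt, _key = _parse(record)
    except ValueError:
        return True
    return n < SCRYPT_N or r < SCRYPT_R or p < SCRYPT_P


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print(verify_password("correct horse battery staple", rec), needs_rehash(rec))
```

Storing the parameters inside the record is what makes the work factor tunable later: a login that verifies against an old, cheaper record can immediately re-hash with today's parameters, so the whole table migrates as users sign in rather than through a forced password reset.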
Application Security
QualitaX follows secure development practices aligned with OWASP guidance. Application dependencies are regularly reviewed and updated. The QualitaX AI Training Sandbox operates a dual-model architecture where all LLM interactions are routed through managed API endpoints — no model weights or training data are stored on QualitaX infrastructure.
Learner interactions with the Sandbox are processed in real time. QualitaX retains only the data necessary to deliver the training service and report on learner progress, as directed by the subscribing organisation.
Access Control
QualitaX is a specialist consultancy with a deliberately small team. All personnel with access to production systems have undergone vetting and operate under documented security and acceptable use policies. Keeping the number of privileged accounts small limits the set of credentials an attacker could target and keeps accountability for every production access clear.
GDPR
Consianimis Consulting Ltd., trading as QualitaX, is registered in England and Wales and processes data in accordance with the UK GDPR and the Data Protection Act 2018.
Data controller and processor roles: QualitaX acts as a data processor on behalf of subscribing organisations (the data controllers). Subscribers determine what personal data is shared with QualitaX for the purposes of delivering training services.
Data minimisation: QualitaX collects the minimum personal data necessary to deliver the service — typically limited to name and email address, plus training analytics (course progress, completion status) as directed by the subscribing organisation.
Data Processing Agreements: QualitaX provides a Data Processing Agreement (DPA) as standard, incorporating the UK International Data Transfer Agreement (IDTA) or EU Standard Contractual Clauses (SCCs) where cross-border transfers are required.
Data subject rights: QualitaX will export, correct, or delete learner data at the request of the subscribing organisation, so that the controller can respond to data subject access, rectification, and erasure requests.
Marketing: QualitaX does not market to, nor sell, any learner data collected on behalf of subscribing organisations.
Data Inventory
| Data Type | Basis for Collection | Notes |
|---|---|---|
| Email address | Required | Minimum required for QualitaX to deliver the training service. |
| Learner name | As directed by Subscriber | Used for personalisation and reporting. |
| Organisation and role | As directed by Subscriber | Used for cohort management and contextualised training delivery. |
| Training analytics (module progress, completion, assessment results) | As directed by Subscriber | Subscriber has engaged QualitaX to deliver and report on training outcomes. |
| LLM interaction logs | As required for service delivery | Retained only for the duration necessary to support the training engagement. Not used for model training. Subscribers may request deletion at any time. |
List of Sub-processors
QualitaX uses the following sub-processors:
| Name | Description of Processing |
|---|---|
| Railway Corporation | Application hosting for the AI Training Sandbox |
| Anthropic PBC | LLM API provider (Claude) — processes learner prompts and returns model responses. Anthropic does not use API inputs for model training. |
| Cloudflare, Inc. | Edge network, CDN, DDoS protection, static site hosting, and encrypted backup storage (R2) |
| HubSpot, Inc. | CRM and marketing communications for QualitaX business contacts (not learner data) |
| Proton AG | Secure email and file sharing for client communications involving sensitive materials |
Where additional sub-processors are engaged for a specific client engagement (e.g., a locally hosted LLM for sensitive-data processing), these are documented in the relevant DPA or Statement of Work.
AI-Specific Commitments
QualitaX recognises that the use of AI in training — particularly in humanitarian, peacebuilding, and defence contexts — raises specific data handling concerns:
- No model training on client data. Learner interactions processed via the Anthropic API are not used to train or fine-tune any models; this is a contractual commitment under Anthropic's API data usage terms.
- Sensitive-data processing options. For engagements involving conflict-sensitive, personally identifiable, or classified data, QualitaX offers a local AI processing stack that keeps all data on client-controlled infrastructure, with no data transmitted to third-party APIs.
- Governance documentation. All AI-assisted processes are documented with clear data flow maps, anonymisation protocols, and incident response procedures tailored to the engagement.
Reporting Security Issues
QualitaX takes its security responsibilities seriously. If you have identified a potential security vulnerability in any QualitaX service, please contact us at contact@qualitax.io.
Please provide specific details of the suspected vulnerability and steps to reproduce it. Do not attempt to access, modify, or delete data belonging to other users. QualitaX will review all reported issues and respond within 5 working days.
QualitaX does not operate a formal bug bounty programme.
Questions
For security questions, to request a copy of our security posture documentation, or to discuss specific data handling requirements for your organisation, please contact contact@qualitax.io.